Date: July 22, 2021
Time: 9-10am Pacific
Join the SunSpec & Sandia DER Cybersecurity Working Group for an educational webinar on DER Software Vulnerabilities.
About this event:
This event will feature three guest speakers offering unique presentations on software vulnerabilities for Distributed Energy Resource systems.
Presentation I: Software Bill of Materials – Transparency in the Software Supply Chain
Speaker: Allan Friedman, Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
A key challenge in securing software is understanding the underlying components used in development and deployed in our infrastructure. A software bill of materials (SBOM) is a formal record containing the details and supply chain relationships of the various components used in building software. This presentation will give an overview of the concept, its implementation, and how it is being used in the energy sector today.
Presentation II: Longclaw – Firmware Analysis Framework
Speaker: Jovana Helms, Associate Program Leader for Civilian Cybersecurity
Firmware supply chain attacks are an appealing attack vector for adversaries because they can affect a large number of devices with less effort than hardware supply chain attacks. While a Software Bill of Materials (SBOM) is the first step in understanding what is in the firmware, we must go beyond enumeration and develop tools for automated analysis of firmware to gain an understanding of its quality and security. The Longclaw framework was developed to address this gap: in addition to automated SBOM generation and validation, it offers tools that can identify bugs, vulnerabilities and other undesired behavior in firmware.
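To make the two SBOM abstracts above concrete (the "details and supply chain relationships" of Presentation I and the "SBOM validation" of Presentation II), here is an added example that is not code from the webinar, NTIA, Sandia or the Longclaw project. It builds a minimal CycloneDX-style SBOM for a hypothetical inverter firmware, validates that every dependency edge points at a declared component and that the dependency graph is acyclic, walks the graph to enumerate transitive components with the path that pulls each one in, and matches them against a constructed advisory list. All component names, versions and the advisory entries are invented for illustration and are not real vulnerability data.

```python
"""Build, validate and query a minimal CycloneDX-style SBOM.

Added example, not code from the webinar or any project it mentions.
The SBOM below is constructed: component names, versions and the
advisory list are hypothetical, not real vulnerability data.
"""
from __future__ import annotations

import json
from collections import deque

# Constructed CycloneDX 1.4-style document for a hypothetical inverter firmware.
# bom-ref values are the node identifiers used by the dependencies section.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "component": {"type": "firmware", "bom-ref": "fw", "name": "inverter-fw", "version": "2.3.1"}
  },
  "components": [
    {"type": "library", "bom-ref": "tls",    "name": "tlslib",       "version": "1.1.1"},
    {"type": "library", "bom-ref": "crypto", "name": "cryptolib",    "version": "1.1.1"},
    {"type": "library", "bom-ref": "modbus", "name": "modbus-stack", "version": "4.2.0"},
    {"type": "library", "bom-ref": "json",   "name": "tinyjson",     "version": "0.9.3"}
  ],
  "dependencies": [
    {"ref": "fw",     "dependsOn": ["tls", "modbus", "json"]},
    {"ref": "tls",    "dependsOn": ["crypto"]},
    {"ref": "modbus", "dependsOn": ["json"]}
  ]
}
"""

# Hypothetical advisory feed: (component name, affected version) pairs.
ADVISORIES = {("tinyjson", "0.9.3"), ("cryptolib", "1.0.2")}


def load_sbom(text: str) -> dict:
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def components_by_ref(bom: dict) -> dict:
    """Index every declared component, including the root, by its bom-ref."""
    root = bom["metadata"]["component"]
    refs = {root["bom-ref"]: root}
    for comp in bom.get("components", []):
        refs[comp["bom-ref"]] = comp
    return refs


def dependency_graph(bom: dict) -> dict:
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}


def validate(bom: dict) -> list:
    """Return a list of problems; an empty list means the SBOM is consistent.

    Checks that every dependency edge refers to a declared component and that
    the graph has no cycles (a cycle makes the supply-chain relationships
    meaningless and would loop a naive consumer).
    """
    problems = []
    refs = components_by_ref(bom)
    graph = dependency_graph(bom)
    for src, targets in graph.items():
        if src not in refs:
            problems.append(f"dependency ref {src!r} is not a declared component")
        for t in targets:
            if t not in refs:
                problems.append(f"{src!r} depends on undeclared component {t!r}")
    # Cycle detection by DFS colouring over declared components only.
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {r: WHITE for r in refs}

    def dfs(node):
        colour[node] = GREY
        for nxt in graph.get(node, []):
            if nxt not in colour:          # undeclared edge, already reported
                continue
            if colour[nxt] == GREY:
                problems.append(f"dependency cycle through {nxt!r}")
            elif colour[nxt] == WHITE:
                dfs(nxt)
        colour[node] = BLACK

    for r in refs:
        if colour[r] == WHITE:
            dfs(r)
    return problems


def reachable_paths(bom: dict, root_ref: str) -> dict:
    """BFS from root_ref; maps each reachable bom-ref to the path that reaches it."""
    graph = dependency_graph(bom)
    paths = {}
    queue = deque([(root_ref, [root_ref])])
    while queue:
        node, path = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = path + [nxt]
                queue.append((nxt, paths[nxt]))
    return paths


def affected_components(bom: dict, advisories: set) -> list:
    """Match every transitively included component against the advisory set.

    Returns (name, version, path) triples so an operator sees not just that a
    component is affected but which dependency chain brought it into the build.
    """
    problems = validate(bom)
    if problems:
        raise ValueError("refusing to query an inconsistent SBOM: " + "; ".join(problems))
    refs = components_by_ref(bom)
    root = bom["metadata"]["component"]["bom-ref"]
    hits = []
    for ref, path in sorted(reachable_paths(bom, root).items()):
        comp = refs[ref]
        if (comp["name"], comp["version"]) in advisories:
            hits.append((comp["name"], comp["version"], path))
    return hits


if __name__ == "__main__":
    bom = load_sbom(SBOM_JSON)
    print("validation problems:", validate(bom))
    for name, version, path in affected_components(bom, ADVISORIES):
        print(f"{name} {version} is affected; included via {' -> '.join(path)}")
```

The matching is deliberately exact (name, version) rather than range-based so the graph logic stays the focus; a real pipeline would compare against version ranges and identify components by purl or CPE rather than by bare name.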
Presentation III: Next Generation Firmware Analysis for Energy Systems
Speaker: Dr. Christopher Lamb, Principal Scientist, Energy Security, SNL
The Grid Modernization Laboratory Consortium (GMLC) has funded work to develop techniques to quickly evaluate the cybersecurity profile of firmware for energy grid devices, including but not limited to controllers, network equipment and inverters. Integrated into an automated analysis pipeline, findings from this analysis would be quickly disseminated to subscribers. Dr. Lamb will cover the project's current status and future goals in this talk.