Thursday, April 15, 2021

The PoC begins!


There’s a lot of news on the SBOM front today – especially the energy SBOM front. When I don’t feel like taking the time to organize a post (or I’m too tired, as I am tonight), I do it as a set of bullet points. Today’s post is one of those.

·        The fourth and last of the NTIA’s introductory webinars on SBOMs for the energy industry was held on Monday, and was once again quite successful. The video was just posted. While the three previous webinars have mostly featured people who aren’t part of the energy industry (but have a lot of knowledge and experience with SBOMs), this one consisted almost entirely of people from the industry.

·        The purpose of this webinar was unabashedly to get people in the energy industry excited (or at least curious) about the upcoming proof of concept for use of SBOMs in the industry. In fact, Dr. Allan Friedman concluded the webinar with what I’ve been calling an “altar call”, in which he asked members of the industry – both asset owners that use software (as if there’s any organization in the world that doesn’t use software in one form or another nowadays!) and the suppliers of that software – to (virtually) make the commitment to…what? Join the PoC?

·        No, Allan announced that the organizational meeting for the PoC (virtual, of course) will be held on Monday April 26 at 1PM Eastern Time; connection information will be available next week, and I’ll publish it in my blog then. If you would like to get on Allan’s mailing list, drop him an email at afriedman@ntia.gov. I don’t know whether he’ll send out an actual calendar invitation, but I’m sure something will go out with the connection information.

·        Who’s welcome at the meeting? Attendance is strictly limited to people who are in some way associated with the energy industry (if for no other reason than that they’re users of electric power) and have a working knowledge of English. I’m sorry, but we had to draw the line somewhere…

·        The speakers at the webinar all expressed their support for the PoC. They included:

1.      Tony Eddleman, Nebraska Public Power District and chairman of the NERC Supply Chain Working Group

2.      Jeff Sweet, AEP (Jeff spoke during the Q&A period, but spoke nevertheless!)

3.      Cheri Caddy of US Department of Energy CESER, who has been very involved in getting this PoC off the ground

4.      Cassie Crossley of Schneider Electric

5.      Bryan Owen of OSIsoft

6.      Val Agnew, North American Transmission Forum

7.      Stephanie Toussaint of Edison Electric Institute

·        At the end of the webinar, Allan issued his altar call, and also introduced the two people he’s chosen to lead the PoC. They are Virginia Wright of Idaho National Labs and…hmm, can’t remember the name…oh yes, Tom Alrich of Tom Alrich LLC. He introduced the latter person as a “blogger”, but everyone knows you can’t make a living off of a blog, so I remain suspicious of the guy.

·        Now I’m going to talk a little about the PoC itself. The schedule, agenda, rules, etc. will all be determined by the participants themselves. Remember, NTIA isn’t in the business of telling people what to do: the Software Transparency Initiative is one of a number of “multistakeholder processes” sponsored by NTIA, in which the goal is to help members of an industry cooperatively figure out how best to implement or improve a new technology. What comes out the other end of the process is up to the participants, although Allan is quite good at helping the participants figure out what they perhaps meant all along. That said, I am sure that the energy PoC will in general follow the path of the healthcare PoC, which started in 2018 and is still going strong (they’re actually in about their fifth iteration of the PoC, with each iteration getting more ambitious in terms of what’s included). So what follows is based on what I know of the healthcare PoC, which is a lot, since I’ve been attending their weekly meetings for months.

·        There will be two tracks of activity. The first track to get going – in fact, the meeting on the 26th can be considered the first meeting of that track – is the public track. That track will start with a series of informational meetings that will really start to get into the details of SBOMs, how they are produced and distributed, as well as some of the use cases (although new use cases seem to pop up all the time. SBOMs are very useful). The time and frequency of those meetings are still TBD (hopefully they’ll get decided on the 26th).

·        Anyone involved with the energy industry is welcome to attend these Track 1 meetings. In fact, these meetings may be much larger than even I thought they would be before today, because it turns out there may be a number of participants from the oil and gas industry as well. Of course, they’re “energy”, too, but frankly all of our recruitment efforts so far have focused on electric power. Since O&G shares many of the same technologies and suppliers with the power industry, it makes sense to join forces, especially in the educational track of the PoC. Welcome, O&G!

·        Track 2 will be the actual proof of concept. This will consist of a relatively small group of asset owners and suppliers (the healthcare PoC started off with about five large hospitals – or healthcare delivery organizations, as they call themselves – and five medical device makers, although their numbers have grown since 2018) that will agree on rules and formats; all will sign a mutually agreed-upon NDA. The suppliers in this group will test producing SBOMs (although lots of software suppliers produce them now) and the asset owners will test “consuming” them – especially using them for mitigating supply chain cybersecurity risk (of course, there are other use cases like licensing, since SBOMs can contain license information as well).

·        It is very likely that the Track 2 team will also decide to invite two other categories of participants to join: a) vendors of tools for configuration and/or vulnerability management (as well as some other categories), that would logically need to “ingest” SBOMs in order to be able to track and manage software component vulnerabilities; and b) vendors of services that “process” SBOMs to make the information easier to use for the asset owners. The decision will be up to the current participants in the PoC (Track 2), but I strongly support doing that, since I think these vendors are what will enable the widespread use of SBOMs.

·        But don’t get the idea that Track 1 is a dead-end track. While only the Track 2 people will see the SBOMs produced in the PoC, issue resolution, discussion of lessons learned, and production of the final report will all be done in Track 1. I’ve been attending the healthcare PoC’s Track 1 meetings, and I can assure you that the final decisions on issues and lessons learned get made in Track 1, not Track 2.
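To make the “ingest” step in item (a) above concrete, here is a small worked example of what a consumer-side tool has to do with an SBOM before it can say anything about component vulnerabilities. This is example code added for this post; it is not code from the PoC, from NTIA, or from any tool vendor. The SBOM (a CycloneDX 1.3 JSON document for a made-up “hypothetical-rtu-firmware”), the advisory feed, and the ADV-EXAMPLE advisory IDs are all constructed for illustration, and the matching is a deliberately simple exact-version lookup keyed on the package URL (purl) that CycloneDX carries per component.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.3 JSON SBOM for a hypothetical product.
# Product, component names and versions are made up for this example.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "version": 1,
  "metadata": {
    "component": {"type": "application",
                  "name": "hypothetical-rtu-firmware", "version": "3.4.0"}
  },
  "components": [
    {"type": "library", "name": "netlib", "version": "1.2.1",
     "purl": "pkg:generic/example/netlib@1.2.1"},
    {"type": "library", "name": "tlslib", "version": "0.9.8",
     "purl": "pkg:generic/example/tlslib@0.9.8",
     "components": [
       {"type": "library", "name": "jsonparse", "version": "2.0.0",
        "purl": "pkg:generic/example/jsonparse@2.0.0"}
     ]},
    {"type": "library", "name": "unknown-blob"}
  ]
}
"""

# Constructed advisory feed, keyed by the version-less part of a purl.
# Advisory IDs are placeholders, not real vulnerability identifiers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_base": "pkg:generic/example/netlib",
     "affected_versions": {"1.2.0", "1.2.1"}, "fixed_in": "1.2.2"},
    {"id": "ADV-EXAMPLE-0002", "purl_base": "pkg:generic/example/tlslib",
     "affected_versions": {"0.9.7", "0.9.8"}, "fixed_in": "0.9.9"},
    {"id": "ADV-EXAMPLE-0003", "purl_base": "pkg:generic/example/jsonparse",
     "affected_versions": {"1.9.0"}, "fixed_in": "2.0.0"},
]


def split_purl(purl: str) -> Tuple[str, str]:
    """Split a purl into (base, version).

    The version follows '@' and precedes any '?qualifiers' or '#subpath'.
    A purl with no '@' yields an empty version.
    """
    head = purl.split("?", 1)[0].split("#", 1)[0]
    base, sep, version = head.partition("@")
    return base, (version if sep else "")


def parse_cyclonedx(text: str) -> List[Dict[str, str]]:
    """Flatten a CycloneDX JSON BOM into a list of {name, version, purl}.

    CycloneDX lets a component carry its own nested "components" (an
    assembly), so the walk recurses to reach every leaf.
    """
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    flat: List[Dict[str, str]] = []

    def walk(components):
        for c in components:
            flat.append({"name": c.get("name", ""),
                         "version": c.get("version", ""),
                         "purl": c.get("purl", "")})
            walk(c.get("components", []))

    walk(bom.get("components", []))
    return flat


def match_advisories(components, advisories):
    """Return (findings, unidentified).

    findings: (name, version, advisory id, fixed_in) for each exact hit.
    unidentified: names of components with no purl, which cannot be
    matched at all and need manual follow-up with the supplier.
    """
    findings = []
    unidentified = []
    for c in components:
        if not c["purl"]:
            unidentified.append(c["name"])
            continue
        base, ver = split_purl(c["purl"])
        ver = ver or c["version"]  # fall back to the version field if purl lacks one
        for adv in advisories:
            if adv["purl_base"] == base and ver in adv["affected_versions"]:
                findings.append((c["name"], ver, adv["id"], adv["fixed_in"]))
    return findings, unidentified


if __name__ == "__main__":
    comps = parse_cyclonedx(SAMPLE_SBOM)
    hits, unknown = match_advisories(comps, SAMPLE_ADVISORIES)
    for name, ver, adv, fix in hits:
        print(f"{name} {ver}: {adv} (fixed in {fix})")
    print("unidentified components:", unknown)
```

Two things in this toy are exactly the issues a Track 2 group ends up arguing about. First, matching only works when the supplier gives each component a stable identifier (here a purl); the “unknown-blob” entry with just a name never matches anything and lands in the unidentified list, which is where the consumer’s manual work starts. Second, the exact-string version comparison is a placeholder; a real tool has to understand version ranges and the vendor’s own version scheme, or it will both miss and over-report.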

The moral of this story is that you’re not being required to commit to do anything more now than come and learn about SBOMs. I can guarantee this isn’t something you can grab a quick course on at your local community college. The NTIA Software Transparency Initiative is leading the way toward SBOMs (although I’ll refrain from any metaphors comparing Allan Friedman to Moses at this point. I’ve already compared him to a minister); as I said in this post, this is an opportunity to become part of the solution.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
