Software Bill of Materials in the Nuclear Industry
- Idaho National Laboratory
- Pacific Northwest National Laboratory
Nuclear power plants (NPPs) have thousands of digital assets throughout their facilities. Typically, NPPs have asset and configuration management programs that capture the make, model, and version of a component. This information, however, usually covers only first- or second-tier components and does not capture the complete enumeration of software components and their dependencies within operational technology (OT) equipment. As recent cyberattacks have shown, this level of detail is insufficient for identifying whether and where an exploitable vulnerability exists within a facility. A software bill of materials (SBOM) provides this detailed enumeration. Further, integrating SBOMs with vulnerability data sources and vulnerability attestation reports can provide improved awareness, leading to better cyber risk management and incident response. Preferably, SBOMs are provided by the supplier; however, when an NPP already owns a device, it is less likely to have a supplier-provided SBOM. Fortunately, SBOMs can be generated from installed digital assets. This paper provides an introduction to the U.S. Department of Energy Office of Nuclear Energy paper titled “Towards Software Bill of Materials in the Nuclear Industry,” which describes the SBOM ecosystem and provides a suggested approach to methodically and seamlessly integrate an SBOM program in an NPP.
- Research Organization: Idaho National Laboratory (INL), Idaho Falls, ID (United States)
- Sponsoring Organization: 58
- DOE Contract Number: AC07-05ID14517
- OSTI ID: 2279155
- Report Number(s): INL/CON-23-70977-Rev000
- Country of Publication: United States
- Language: English