The US Executive Order on Cybersecurity and the LF Energy Foundation
Written by: John Mertic, Director of Program Management at the Linux Foundation
Security of our global power grid is of utmost importance to the energy industry and for the function of our society as a whole. Recent events such as the Colonial Pipeline ransomware cyberattack and the SolarWinds attack have shown the importance of being able to secure both the infrastructure and the supply chain of the software powering the grid. Assurance that our open-source projects are built with the most advanced and transparent cyber-security processes and tools in mind is of utmost importance to LF Energy and the Linux Foundation as we globally move towards an increasingly digital and distributed power system.
The US White House recently released its Executive Order (EO) on Improving the Nation’s Cybersecurity (along with a press call) to counter “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”
Recently, the Linux Foundation published a blog that centered on how its communities enable the required security practices. For example, SPDX and OpenChain have been a center point for guidance and standards in open source software supply chain management for years.
LF Energy Foundation recognizes the adoption of open source in the energy sector requires attention to security practices and policies within the hosted project communities. In particular, here are the programs and practices in place which can help ecosystem members with fulfilling the requirements outlined in the EO.
Software Bill of Materials (SBOMs)
The EO focuses on the need for a Software Bill of Materials (SBOMs) along with other tasks that depend on SBOMs. SBOMs are a key tool in understanding where the code your organization originates from.
LF Energy hosted projects are able to produce SBOMs because they have aligned on the use of SPDX short-form license identifiers, which provide the ability to specify the license of a given source code file in a simple, efficient, portable, and consistent manner, which is both human and machine-readable. SPDX is in the process of being approved as ISO/IEC Draft International Standard (DIS) 5962, and SPDX 2.2 as used by LF Energy hosted projects already supports the current guidance from the National Telecommunications and Information Administration (NTIA) for minimum SBOM elements.
All of the LF Energy hosted projects have regular license code scans and SBOMs made publicly available from these scans.
Code Lineage and Provenance
Good code hygiene best starts at the source, understanding where the code contributed to the project originates. Being able to track each contribution and its author for a given project is not just a good exercise for intellectual property (IP) hygiene, but also is key to security management. Understanding the code lineage and provenance helps prevent malware and other unintended code from entering the source code repository from the start.
The Developer Certificate of Origin (DCO) is in use in all of our hosted project communities, which helps to ensure the lineage and providence of code contributions are well known and contributors assert their ability to contribute code to the project.
Dependency Management
Open source projects tend to depend on third-party libraries and tooling that are leveraged during the build and/or at runtime. Understanding the lineage of these components is crucial, and staying ahead of the security vulnerabilities within these components is critical for open source projects such as those hosted at the Open Mainframe Project.
LF Energy hosted projects such as PowSyBl and SOGNO leverage LFX Security as a tool for managing security vulnerabilities in their dependencies. Having security vulnerabilities management and resolution a transparent activity in our community builds trust with the downstream consumers of the hosted projects.
Maintaining best practices in security management
As a part of the project lifecycle, projects achieve a Core Infrastructure Initiative Best Practices Badge. This badge is a rigorous process for open source communities, requiring nearly all projects globally that have achieved a badge to make changes to their processes and procedures as part of achieving a badge. Grid eXchange Fabric (GXF) and OpenLEADR are two of our hosted projects that have achieved a passing badge, and many more of the hosted projects are working through the process of achieving a badge.
We take security seriously
As you can see, LF Energy takes security as seriously as the energy sector as a whole and sees security as fundamental in building the power grid of the future. Open source projects hosted at LF Energy benefit from this security infrastructure and more; check out the benefits of hosting your project at the LF Energy Foundation for more details.
