Quarkslab was engaged to carry out a holistic security audit of LF Energy's OperatorFabric project, a modular, extensible, industrial-strength platform for use in electricity, water, and other utility operations. The audit, facilitated by the Open Source Technology Improvement Fund (OSTIF), was carried out between April and May 2024 and was intended to evaluate the project's security posture and identify potential vulnerabilities. It is part of LF Energy's commitment to keeping its open source solutions for energy systems secure, so that the systems built on them remain reliable.
The objectives of the audit included:
- Identify vulnerabilities within the scope using dynamic and static analysis.
- Assess and reduce the final risk level.
- Provide expert advice on the solution’s level of security, as well as possible improvements.
Quarkslab carried out a whitebox audit of the OperatorFabric project, combining dynamic and static analysis. The audit found one critical security vulnerability in OperatorFabric; it could only be exploited by someone who already held privileged system access, and it has since been remedied by the project maintainers. The auditors also highlighted that the OperatorFabric community takes security seriously: the code is of high quality and well organized, and measures to spot potential vulnerabilities were already in place.
The high-level results were:
- 5 findings with security impact:
  - 1 Critical
  - 1 High
  - 3 Low/Informational
- A custom threat model
- Analysis of 17 Docker containers in the OperatorFabric environment
The auditors also noted the high quality of the OperatorFabric code base, and were impressed by the security measures already put in place by the community.
More details can be found in the Security Audit Report and on the OSTIF blog. The LF Energy and OperatorFabric communities are grateful to OSTIF and Quarkslab for their assistance in carrying out this audit. Additional audits are in progress for other LF Energy projects.