Ada Logics was engaged to carry out a holistic security audit of LF Energy’s SEAPATH project, which offers a reference design and industrial-grade open source real-time platform that can run virtualized automation and protection applications, primarily for power substations. The audit, which was facilitated by the Open Source Technology Improvement Fund (OSTIF), was carried out between April and June 2024 and was intended to evaluate the project’s security posture and identify potential vulnerabilities. This is part of LF Energy’s commitment to keeping its open source solutions for energy systems secure, which helps ensure the reliability of those systems.
The audit included the following exercises:
- Formalized a threat model for SEAPATH focusing on scope and SEAPATH’s responsibility in that scope.
- Audited SEAPATH for existing security vulnerabilities that would allow an attacker to attack SEAPATH users.
- Reviewed SEAPATH’s security practices from a perspective of their sufficiency in making SEAPATH production-ready in the future.
- Reviewed SEAPATH’s choice of third-party open source dependencies and how SEAPATH manages them. This was performed primarily to assess the health, risk and maturity of the projects for SEAPATH’s use case. During the audit, notes were made of security practices of specific software projects that SEAPATH packages, and specific improvements were shared to demonstrate how these should be implemented in practice.
- Reviewed SEAPATH against the ISA/IEC-62443 security standards for areas of non-compliance in both documentation practices and technical capabilities.
This process found that the SEAPATH community has prioritized security highly, and invested in security hardening and implementation of best practices. It also identified several areas for improvement. High level results included:
- Formalized custom threat model
- 18 issues related to the SEAPATH threat model
  - 8 Medium, 2 Low, 8 Informational
- 14 recommendations related to ISA/IEC-62443 compliance
- +4 new fuzzers for Pacemaker (a third party project in SEAPATH)
- Integrated Pacemaker onto OSS-Fuzz for ongoing testing
- Holistic audit of SEAPATH documentation, code, and function
- Supply-chain security assessment
Most of the identified vulnerabilities have already been addressed following the audit’s completion. To address the remaining issues, fuzz testing is being implemented for several third-party dependencies that are considered memory-unsafe, and updates to documentation and organizational structure are being made.
More details can be found in the Security Audit Report, and on the OSTIF blog. The LF Energy and SEAPATH communities are grateful to OSTIF and Ada Logics for the assistance in carrying out this audit. Additional audits are in process for other LF Energy projects.