Open Source Summit 2023 Recap: SEAPATH: Enhancing Critical Infrastructure Security Through Open Source
At Open Source Summit Europe 2023, Eloi Bail and Mathieu Dupré from Savoir-faire Linux presented SEAPATH, an LF Energy project (video follows below). SEAPATH focuses on enhancing the security of critical infrastructure, especially in the energy sector, with a strong emphasis on software supply chain security. In this blog post, we’ll provide a concise summary of the key takeaways from their session.
– SEAPATH aims to address the security challenges of critical infrastructure.
– The project is spearheaded by Savoir-faire Linux, a Canadian and European company with a significant track record in industrial products, including those related to energy.
– Substations play a pivotal role in the electricity grid, facilitating the distribution and transportation of electricity.
– They are essential for managing grid operations and ensuring reliability, particularly during critical events like power outages.
Open Source Approach
– SEAPATH adopts an open source approach, leveraging existing open source software to build a robust solution.
– Virtualization is a key component, allowing for a multi-vendor approach and the integration of third-party solutions.
– While virtualization may have some performance and real-time constraints, it can meet the stringent requirements of protection systems crucial for cybersecurity.
– SEAPATH is not a solitary effort; it involves collaboration with various partners and organizations.
– Notable contributors include GE, Schneider Electric, and RTE, a major French electricity transmission system operator.
Two SEAPATH Flavors
– SEAPATH offers two distinct flavors based on Yocto and Debian. Users can customize their Linux distributions to meet specific cybersecurity and performance needs.
– Yocto focuses on customization and fine-tuning, making it suitable for critical infrastructure.
– Debian follows an IT philosophy, relying on pre-built packages for simplicity.
Testing and Security Assurance
– SEAPATH emphasizes security testing and assurance.
– It conducts extensive testing, including running tests on real hardware and checking for system security requirements.
– Ensuring security is crucial, given the sensitive nature of the energy sector and the potential for cyber threats.
– SEAPATH acknowledges the importance of addressing vulnerabilities promptly.
– It tracks security issues, monitors upstream fixes, and follows common vulnerability exposure (CVE) standards.
– An internal tool called CB Check Class assists in managing CVEs efficiently.
SBOM and Compliance
– SEAPATH recognizes the significance of Software Bill of Materials (SBOM) in compliance, especially in critical infrastructure.
– It aims to generate SBOMs, track vulnerabilities, and mitigate risks effectively.
– The project explores various standards, including SPDX and ISO, to ensure comprehensive SBOM coverage.
SEAPATH offers an innovative approach to enhancing the security of critical infrastructure, particularly in the energy sector. By leveraging open source, virtualization, and compliance standards like SBOM, SEAPATH aims to build a robust and secure solution for managing substations.