Substation Bill of Materials: A Novel Approach to Managing Supply Chain Cyber-risks on IEC 61850 Digital Substations

Xabier Yurrebaso, Fernando Ibañez, Ángel Longueira-Romero

TL;DR

The paper addresses cyber-risk management for IEC 61850 digital substations by introducing Subs-BOM, a CycloneDX-based SBOM derived from SCD. The approach systematically captures IEDs, firmware, services, and dependencies to enable automated risk assessment across multiple substations. Validation with Dependency-Track demonstrates compatibility with CycloneDX tools and practical vulnerability mapping. The work supports automated asset management for DSOs and can extend to other power-domain assets.

Abstract

Smart grids have undergone a profound digitization process, integrating new data-driven control and supervision techniques, resulting in modern digital substations (DS). Attackers are more focused on attacking the supply chain of the DS, as they comprise a multivendor environment. In this research work, we present the Substation Bill of Materials (Subs-BOM) schema, based on the CycloneDX specification, that is capable of modeling all the IEDs in a DS and their relationships from a cybersecurity perspective. The proposed Subs-BOM allows one to make informed decisions about cyber risks related to the supply chain, and enables managing multiple DS at the same time. This provides energy utilities with an accurate and complete inventory of the devices, the firmware they are running, and the services that are deployed into the DS. The Subs-BOM is generated using the Substation Configuration Description (SCD) file specified in the IEC 61850 standard as its main source of information. We validated the Subs-BOM schema against the Dependency-Track software by OWASP. This validation proved that the schema is correctly recognized by CycloneDX-compatible tools. Moreover, the Dependency-Track software could track existing vulnerabilities in the IEDs represented by the Subs-BOM.
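The SCD-to-BOM step described in the abstract can be sketched as follows. This is an added example, not the paper's Subs-BOM schema or the authors' tooling: it reads the `IED` and `ConnectedAP` elements of an SCL document and emits a plain CycloneDX 1.5 JSON document. It assumes firmware versions come from a separate inventory passed in as a dict; the `example:scl:*` property names, the `ied:`/`fw:` reference prefixes and all sample data are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

NS = {"s": "http://www.iec.ch/61850/2003/SCL"}  # SCL namespace used by SCD files

# Constructed sample data, not taken from the paper.
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Communication><SubNetwork name="StationBus">
    <ConnectedAP iedName="PROT_01" apName="AP1">
      <Address><P type="IP">192.0.2.11</P></Address>
    </ConnectedAP>
  </SubNetwork></Communication>
  <IED name="PROT_01" manufacturer="ExampleVendor" type="EX-7000"/>
  <IED name="MU_01" manufacturer="OtherVendor" type="MU-300"/>
</SCL>"""
SAMPLE_FIRMWARE = {"PROT_01": "2.4.1"}  # assumed inventory: IED name -> firmware version


def scd_to_bom(scd_xml, firmware, substation="DS-EXAMPLE"):
    """Return (CycloneDX 1.5 dict, IED names that have no known firmware version)."""
    root = ET.fromstring(scd_xml)
    ips = {}  # IED name -> IP address taken from the Communication section
    for cap in root.iterfind(".//s:ConnectedAP", NS):
        ip = cap.find("s:Address/s:P[@type='IP']", NS)
        if ip is not None:
            ips[cap.get("iedName")] = ip.text
    components, unversioned = [], []
    for ied in root.iterfind("s:IED", NS):
        name, model = ied.get("name"), ied.get("type", "unknown")
        props = [{"name": "example:scl:iedName", "value": name}]  # hypothetical names
        if name in ips:
            props.append({"name": "example:scl:ip", "value": ips[name]})
        comp = {"type": "device", "bom-ref": f"ied:{name}", "name": model,
                "supplier": {"name": ied.get("manufacturer", "unknown")},
                "properties": props}
        if name in firmware:  # nested firmware component carries the version
            comp["components"] = [{"type": "firmware", "bom-ref": f"fw:{name}",
                                   "name": f"{model}-firmware", "version": firmware[name]}]
        else:  # no version to match advisories against: report the gap
            unversioned.append(name)
        components.append(comp)
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
           "metadata": {"component": {"type": "platform", "bom-ref": substation,
                                      "name": substation}},
           "components": components,
           "dependencies": [{"ref": substation,
                             "dependsOn": [c["bom-ref"] for c in components]}]}
    return bom, unversioned


if __name__ == "__main__":
    bom, gaps = scd_to_bom(SAMPLE_SCD, SAMPLE_FIRMWARE)
    print(json.dumps(bom, indent=2))
    print("IEDs without firmware version:", gaps)
```

The second return value lists IEDs that appear in the SCD but have no firmware version in the inventory, which is the gap an asset owner would need to close before vulnerability tracking covers those devices.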

Paper Structure

This paper contains 29 sections, 9 figures, 5 tables.

Figures (9)

  • Figure 1: Proposed Substation BOM schema
  • Figure 2: Proposed Substation BOM dependency graph
  • Figure 3: Proposed Substation BOM schema
  • Figure 4: Physical and Logical device representation according to IEC 61850 standard
  • Figure 5: Flowchart of Substation BOM generation inside IEC 61850 engineering process
  • ...and 4 more figures