Paper published at the 16th EEnergy conference ACM DOI

With the ongoing digitization of power grids, an increasing number of digital components are introduced into modern power grids. In this paper, we examine the IEEE 9-Bus system as a point of reference to highlight the process of moving from an electrical grid model to a cybersecurity model in order to identify relevant standards and protocols. We then leverage publicly accessible CVE data and a literature review to map discussed attack techniques for key protocols to the MITRE ATT&CK ICS Matrix and compare this information to identify similarities and differences between research findings and published vulnerabilities.

With the increasing complexity of modern software composition and an ever-growing software supply chain, where numerous resources are sourced from open-source projects, the need to keep track of these resources has arisen. Following the Log4j incident [29], the American Government passed Executive Order (EO) 14028, mandating a SBOM for all software products sold to federal government agencies. Similarly, the European Union passed the Cyber Resiliance Act (CRA), which requires an SBOM for all digital products in the European market. For these reasons, machine-readable SBOM formats have emerged in recent years, implemented by a wide variety of projects that produce and consume such SBOMs.

When discussing SBOMs, two prominent formats are widely recognized in the industry: SPDX (Software Package Data Exchange), backed by the Linux Foundation, and CycloneDx, supported by OWASP. Both schemas are compatible with various data types, such as XML, JSON, or YAML.

However, not all tools support both formats. Some tools can only generate, consume, or process one of the two. In some cases, they only support specific versions of these formats. As a result, there emerged a need to convert SBOMs between SPDX and CycloneDx.

While the schematics of an SPDX and a CycloneDX SBOM are defined by the standardization, the dependencies can look very different in the generated SBOM. The results depend on the phase of the software development lifecycle and how the generator that produces the SBOM supports all the functionalities.