PNNL

Abstract

Protecting critical infrastructure from cyber attacks, natural disasters, and other disruptions is a priority of the U.S. Government. Critical infrastructure includes providing electricity to homes and businesses, supplying natural gas for heating, and producing renewable energy sources. A loss of these services, as seen in the Solarwinds supply chain attack in 2020 , Texas snowstorm of 2021, the Colonial Pipeline cyber incident of 2021, and the Washington power substation attacks in 2022 result in high costs to consumers, disruption of everyday life, and even death. To protect the infrastructure, we first have to know what equipment we are protecting. The complexity of distributed manufacturing and development coupled with the increasing prevalence of cyber and supply chain attacks necessitates a greater understanding of the hardware and software components that comprise equipment in critical infrastructure. When a vulnerability in a single software library can have disastrous consequences, it is vital to understand critical equipment and systems at a granular level. This need has led to increased energy around the development and incorporation of bill-of-materials (BOM) into existing asset management practices to aid in mitigating, and responding to future attacks \cite{noauthor_software_nodate}. While much of the current research is devoted to creating BOMs, it is equally important to develop methodologies for leveraging BOMs to answer questions, such as: How has my software changed? Are two pieces of equipment equivalent? Does this piece of equipment that just arrived match my historical information? In this work, we demonstrate how BOMs can be represented by graph structures. We then describe how these structures can be fed into a graph comparison algorithm to produce a novel interactive visualization that allows us to not only identify differences in BOMs, but show exactly where they are in the product.