Use BFCM23 to get 30% off ISA products during the ISA Black Friday Week Sale!

SBOM Study Report: Managing ICS Software Risks to Oil & Gas Released by LOGIIC

  • February 22, 2022
  • Research Triangle Park, North Carolina

The Linking the Oil and Gas Industry to Improve Cybersecurity (LOGIIC) program have announced the release of a new study report entitled, “SBOM Study: Managing ICS Software Risks to Oil & Gas.”

In 2021, LOGIIC conducted a study to understand how a software bill of materials (SBOMs) and other vendor capabilities can be used to manage cybersecurity risks to industrial control systems (ICS) software that may be introduced from third-party components that are part of vendor solutions. This study was based on SBOM research conducted by LOGIIC. Reference material for the study included Executive Order 14028 (May 12,2021) that President Biden issued on Improving the Nation’s Cybersecurity. The order includes new requirements for software vendors selling software to the U.S. government. One of these requirements consists of providing a U.S. government purchaser a SBOM for each product either directly or by other means such as a website.

A SBOM is a formal record containing the details and supply chain relationships of various components used in building software. It is effectively a list of ingredients or a nested inventory. SBOMs enable better software security and supply chain risk management. It is critical for each industry sector to establish a common set of practices and market expectations that is viable and reflects the needs of the industry.

The study included discussions with Oil and Gas industrial control system vendors to understand and analyze the current state of SBOM development and utilization. The study also makes industry recommendations for SBOM development.

To read the report, please visit the LOGIIC homepage.

The Linking the Oil and Gas Industry to Improve Cybersecurity program (LOGIIC) is an ongoing collaboration of oil and natural gas companies and the U.S. Department of Homeland Security, Science and Technology Directorate. LOGIIC undertakes collaborative research and development projects to improve the level of cybersecurity in critical systems of interest to the oil and natural gas sector. The objective is to promote the interests of the sector while maintaining impartiality, the independence of the participants, and vendor neutrality.

The Automation Federation serves as the LOGIIC host organization and has entered into agreements with the LOGIIC member companies and all other LOGIIC project participants. Member companies contribute financially and technically, provide personnel who meet regularly to define projects of common interest, and provide staff to serve on the LOGIIC Executive Committee. Current members of LOGIIC include BP, Chevron, ConocoPhillips, Shell, Total, and other large oil and gas companies that operate significant global energy infrastructure. The U.S. Department of Homeland Security, Science and Technology Directorate has contracted with scientific research organization SRI International to provide scientific and technical guidance for LOGIIC.

The ISA Global Cybersecurity Alliance (ISAGCA) is a collaborative forum of member companies that aim to advance cybersecurity awareness, education, readiness, and knowledge sharing industry-wide, on a global scale. The alliance’s objectives include expanding the development and use of the ISA/IEC 62443 series of standards, knowledge-sharing in an open environment, providing best practice tools to help companies secure their infrastructure, creating education and certification programs, and advocating for cybersecurity awareness and sensible approaches with world governments and regulatory bodies.

About ISAGCA Members
The ISA Global Cybersecurity Alliance is made up of 50+ member companies, representing more than $1.5 trillion in aggregate revenue across more than 2,400 combined worldwide locations. Automation and cybersecurity provider members serve 31 different industries, underscoring the broad applicability of the ISA/IEC 62443 series of standards. Current members of ISAGCA include 1898 & Co. (Burns McDonnell), ACET Solutions, Baserock IT Solutions, Bureau Veritas, Carrier Global, Claroty, ConsoleWorks, Coontec, CyberOwl, CyPhy Defense, Deloitte, Digital Immunity, Dragos, Eaton, exida, Ford Motor Company, Fortinet, Fortress InfoSec, Heron Technology, Hexagon, Honeywell, Idaho National Laboratory, Idaho State University, ISASecure, Johns Manville, Johnson Controls, KPMG, LOGIIC, Mission Secure, MT4 senhasegura, Munio Security, Nozomi Networks, PETRONAS, Pfizer, Purdue University, Radiflow, Redacted, Red Trident, Rockwell Automation, Schneider Electric, Surge Engineering, TDI Technologies, Tenable, TI Safe, TXOne Networks, UL, Wallix, WisePlant, Xage Security, and Xylem. For more information about ISAGCA, visit