Linux Foundation Launches Research, Training, and Tools to Advance Adoption of Software Bill of Materials

My latest podcast topic contains thoughts on open source. This announcement from The Linux Foundation brings open source together with the latest concerns about cybersecurity through several launches around the Software Bill of Materials (SBOM). The industry continues to take small steps toward security. When a community gathers to work on a solution, it’s a big help.

Home to the industry’s most supported open standard for exchanging information about what is in software – SPDX – the Linux Foundation brings its complete resources to bear to support private and public sector supply chain security 

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced new industry research, a new training course, and new software tools to accelerate the adoption of Software Bill of Materials (SBOMs). 

President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity referenced the importance of SBOMs in protecting and securing the software supply chain.

The de facto industry standard, and most widely used approach today, is called Software Package Data Exchange (SPDX). SPDX evolved organically over the last ten years to suit the software industry, covering issues like license compliance, security, and more. The community consists of hundreds of people from hundreds of companies, and the standard itself is the most robust, mature, and widely adopted SBOM format in the market today. 

“As the architects of today’s digital infrastructure, the open-source community is in a position to advance the understanding and adoption of SBOMs across the public and private sectors,” said Mike Dolan, Senior Vice President and General Manager Linux Foundation Projects. “The rise in cybersecurity threats is driving a necessity that the open-source community anticipated many years ago to standardize on how we share what is in our software. The time has never been more pressing to surface new data and offer additional resources that help increase understanding about how to generate and adopt SBOMs.” 

An SBOM is an account of the components contained in a piece of software. It can be used to ensure developers understand what software is being shared throughout the supply chain and in their projects or products, and it supports the systematic review of each component’s license to clarify what obligations apply to the distribution of the supplied software.

SBOM Readiness Survey

Linux Foundation Research is conducting the SBOM Readiness Survey. It will examine obstacles to adoption for SBOMs and future actions required to overcome them related to the security of software supply chains. The recent US Executive Order on Cybersecurity emphasizes SBOMs, and this survey will help identify industry gaps in SBOM application. Survey questions address tooling, security measures, and industries leading in producing and consuming SBOMs, among other topics. For more information about the survey and to participate, please visit {Hilary blog}. 

New Course: Generating a Software Bill of Materials

The Linux Foundation is also announcing a free, online training course, Generating a Software Bill of Materials (LFC192). This course provides foundational knowledge about the options and the tools available for generating SBOMs and how to use them to improve the ability to respond to cybersecurity needs. It is designed for directors, product managers, open-source program office staff, security professionals, and developers in organizations building software. Participants will walk away with the ability to identify the minimum elements for an SBOM, how they can be assembled, and an understanding of some of the open-source tooling available to support the generation and consumption of an SBOM.

New Tools: SBOM Generator

Also announced today is the availability of the SPDX SBOM generator, which uses a command-line interface (CLI) to generate SBOM information, including components, licenses, copyrights, and security references of your software, using the SPDX v2.2 specification and aligned with the current known minimum elements from NTIA. Currently, the CLI supports GoMod (Go), Cargo (Rust), Composer (PHP), DotNet (.NET), Maven (Java), NPM (Node.js), Yarn (Node.js), PIP (Python), Pipenv (Python), and Gems (Ruby). It is easy to embed in automated processes such as continuous integration (CI) pipelines and is available for Windows, MacOS, and Linux.
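The announcement describes SPDX v2.2 output and the NTIA minimum elements but does not show what a consumer does with the document. The following Python script is an added example, not code from the Linux Foundation announcement or from the SPDX SBOM generator project: it parses a small SPDX 2.2 tag-value document (constructed here; the package names, namespace and purl are invented) and reports which NTIA minimum elements each package is missing, the kind of gate a CI pipeline can run on any tool's SPDX output before the SBOM is published or accepted.

```python
"""Check an SPDX 2.2 tag-value SBOM for the NTIA minimum elements (added example).

NTIA element -> SPDX field: supplier -> PackageSupplier, name -> PackageName,
version -> PackageVersion, unique IDs -> SPDXID plus a purl/CPE ExternalRef,
dependency -> Relationship, SBOM author -> Creator, timestamp -> Created.
"""

# Constructed sample (invented names, namespace and purl); the second package
# deliberately lacks a supplier, a version and a purl.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app
DocumentNamespace: https://example.invalid/spdx/example-app-1.0.0
Creator: Tool: example-generator-0.1
Created: 2021-06-17T12:00:00Z

PackageName: example-app
SPDXID: SPDXRef-Package-example-app
PackageVersion: 1.0.0
PackageSupplier: Organization: Example Corp
PackageDownloadLocation: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:npm/example-app@1.0.0

PackageName: example-dep
SPDXID: SPDXRef-Package-example-dep
PackageDownloadLocation: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-example-app
Relationship: SPDXRef-Package-example-app DEPENDS_ON SPDXRef-Package-example-dep
"""

ID_REF_TYPES = {"purl", "cpe22Type", "cpe23Type"}


def parse_tag_value(text):
    """Return (document fields, package dicts, (src, type, dst) relationships).
    Single-line values only; multi-line <text>...</text> bodies are not handled."""
    doc, packages, relationships = {"Creator": []}, [], []
    current = None                       # package block being filled, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")   # first colon only: values may contain ':'
        if not sep:
            continue
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":                # PackageName opens a new package block
            current = {"PackageName": value, "ExternalRef": []}
            packages.append(current)
        elif tag == "Relationship":
            parts = value.split()
            if len(parts) == 3:
                relationships.append(tuple(parts))
        elif tag == "ExternalRef" and current is not None:
            current["ExternalRef"].append(value)
        elif current is None:
            if tag == "Creator":
                doc["Creator"].append(value)    # several Creator lines are allowed
            else:
                doc[tag] = value
        else:
            current[tag] = value
    return doc, packages, relationships


def ntia_findings(text):
    """List the NTIA minimum elements missing from the SBOM; empty means complete."""
    doc, packages, relationships = parse_tag_value(text)
    findings = []
    if not doc["Creator"]:
        findings.append("document: missing author of SBOM data (Creator)")
    if not doc.get("Created"):
        findings.append("document: missing timestamp (Created)")
    linked = {ref for src, _, dst in relationships for ref in (src, dst)}
    known_ids = {"SPDXRef-DOCUMENT"}
    for pkg in packages:
        pid = pkg.get("SPDXID") or pkg["PackageName"]
        known_ids.add(pid)
        for tag, element in (("PackageVersion", "component version"),
                             ("PackageSupplier", "supplier name")):
            if pkg.get(tag) in (None, "", "NOASSERTION"):
                findings.append(f"{pid}: missing {element} ({tag})")
        if not pkg.get("SPDXID"):
            findings.append(f"{pid}: missing unique identifier (SPDXID)")
        ref_types = {r.split()[1] for r in pkg["ExternalRef"] if len(r.split()) >= 2}
        if not ref_types & ID_REF_TYPES:
            findings.append(f"{pid}: no purl/CPE ExternalRef (other unique identifiers)")
        if pid not in linked:
            findings.append(f"{pid}: absent from every Relationship (dependency relationship)")
    if not any(rel == "DESCRIBES" for _, rel, _ in relationships):
        findings.append("document: no DESCRIBES relationship for the top-level package")
    for src, rel, dst in relationships:
        for ref in (src, dst):
            if ref not in known_ids:
                findings.append(f"Relationship {src} {rel} {dst}: unknown element {ref}")
    return findings


if __name__ == "__main__":
    for line in ntia_findings(SAMPLE_SBOM) or ["all NTIA minimum elements present"]:
        print(line)
```

Run against the sample it reports three gaps, all on example-dep (no version, no supplier, no purl or CPE), which is exactly the information a consumer needs before it can match the component against vulnerability data. NOASSERTION is treated as missing on purpose: it is valid SPDX, but it does not satisfy the NTIA supplier or version element.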

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open-source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration.

Financial Risks When Delaying PLM Upgrades

Senior management have always been reluctant to invest in technology, and especially in upgrades once a technology is in place. I have seen instances where management lays off the senior engineers who implemented something like Advanced Process Control or Manufacturing Execution Systems, keeping a recent-graduate engineer to maintain the system, if even that. Management sees only a large salary cost reduction. Rarely is maintaining momentum a virtue.

I have been in way too many of these discussions in my career. I’ve seen results one way or another. There have been the instances where they had to hire back the laid off engineer at higher consultant rates to get the system back up and running properly.

So, this report from CIMdata detailing research on PLM software upgrading was hardly surprising. Disturbing, perhaps, but not surprising.

Digital transformation is a popular topic, and CIMdata has written much about it. While many still wonder whether digital transformation is real or just the latest buzzword, many industrial companies are taking its promise very seriously.

While it is clear to all within the PLM community that PLM is foundational to a meaningful digitalization program (or digital transformation strategy), this truth is not always understood by senior leadership within companies. While CIMdata believes that the level of investment in digital transformation is appropriate, based on our research and experience we find that executive awareness of the dependency of digital transformation on PLM is lacking. This lack of understanding of its association to PLM-related investment, sustainability and impacts on business performance and benefits puts many digital transformation programs at risk of becoming yet another program of the month.

This research on obsolescence identified areas that increased the cost of technology refresh and found that heavy customization was at the top of the list. This aligns with CIMdata’s experience in the field and is why companies strive to be more out-of-the-box with their PLM implementations. CIMdata’s view is that customization can add significant value to a PLM implementation, but it needs to be either business or cost justified and deliver an appropriate return on investment over the long-term (i.e., even through subsequent solution upgrades).

A new study from CIMdata exposes the financial risk many organizations face when they take PLM upgrades for granted. According to the study, the cost of upgrades with legacy PLM vendors can average between $732,000 and $1.25 million. The study – which compares industry heavyweights such as Dassault, PTC, and Siemens – finds the Aras PLM platform is easiest to keep current. Aras users upgrade more frequently, over a shorter duration, and at less cost than other leaders in the space. 

What’s behind PLM obsolescence? According to CIMdata, “A sustainable PLM solution is one that can meet current and future business requirements with an acceptable return on investment (ROI) via incremental enhancements and upgrades.” But as clearly shown in the research, many companies using PLM software are not staying current. The five reasons are: 

1. Technically Impossible. Typically, after an arduous deployment and the necessary customization to meet the business’s current needs, the software is no longer capable of upgrading. 
2. No ROI. If you take a year to upgrade and it costs close to a million dollars, the cost and impact to the business is so outrageous it can’t be justified.
3. No Budget. Not having the budget is a real concern, but often the lack of budget is a mistake—a mis-prioritization of what’s important to your organization’s future growth, often combined with a high percentage of the overall budget being consumed by technical debt. 
4. Companies overinvest and therefore are committed. The only thing worse than spending large amounts of money on the wrong thing is doubling down and spending more, expecting a better experience. The pandemic has accelerated the need to change, to expect transformation with less risk, less cost, and greater ROI that will lead to greater business resiliency. Throwing good money after bad is no longer being tolerated—there is more of a focus on the bottom line and doing more with less. 
5. Leadership Doesn’t Understand the Dependency of Digital Transformation on PLM. If your PLM system hasn’t been upgraded in years and isn’t the foundation for continuous digital transformation efforts, there is an absolute lack of understanding of how PLM can transform a business.

Talking Digital Transformation with Rockwell Automation

I have not talked with anyone from Rockwell Automation for months. So, it was time to catch up with Keith Higgins who joined the company within the past couple of years as VP of Digital Transformation leading the software group. As we might expect, digital transformation technologies and products include the analytics portfolio, MES, and the coordination with PTC’s products including ThingWorx, Kepware, and Vuforia.

Since I was fresh from a conversation with another supplier about the Edge, I brought that up in the context of analytics and ThingWorx. Higgins began to explain the power of using the PLC as an edge device. Rockwell has not talked to me for years about the PLC, but I remember that for years it has added compute and networking capability into that platform. Time for me to get an update there, too. My wild guess is that no sufficiently enticing partnership could be hacked out with Dell Technologies or HPE using their Edge compute. And, they already had a powerful Edge device that just needed IT-level bolstering. This will be interesting to watch.

Higgins brought up a tire plant example where having production data in context at the edge with the ability to perform predictive analytics combined for a powerful management tool.

One theme that recurs in this discussion in general is the necessity for solid context for data. Higgins having brought that up regarding the tire plant example, continued to a discussion of a technology/product developed in partnership with Microsoft called SmartObjects. This is a rich data model that adds deep context to data. My feeble way of thinking of this would be something like a modern data model like MQTT and OPC UA on steroids (no disparagement of either of those technologies meant).

I’ve been thinking deeply about productivity lately, so I asked about it. Rockwell views its contribution to its customers’ productivity in three buckets:

  • Assets—building on predictive analytics, predictive maintenance, condition monitoring, and the like;
  • Production line—improving utilization of the production assets;
  • Human productivity—for example, the recent acquisition of CMMS supplier Fiix

I’m definitely interested in seeing where Rockwell’s new emphasis in software and edge goes. Many years ago, I asked then-CEO Keith Nosbusch about the software business. He said at that time it was an experiment. Higgins didn’t say that exact thing, but his remarks left no doubt that his area is primed to be a Rockwell growth vehicle.

Video Streaming Plus 5G Bandwidth Equal a Safer Plant

Back in the 90s, I used to haul around a $25,000 vision system in the trunk of my car to perform demonstrations of machine vision technology applications.

Today, there is more video power in my smartphone than in that entire system.

Just like all the technologies we use in manufacturing, vision systems and video have become more powerful and useful, most often leveraging consumer electronics or IT innovations. I visited a small chemical refinery that installed streaming video into its operator interface for a unique, but essential, personnel safety/security application. Located in a rural area of Texas, the refinery operators periodically opened the gates to allow railway cars into the facility or to let the filled cars leave. The open gates became a welcome invitation to the local coyote population. Of course, these guys were not wanted wandering around the facility. The video system watched for incursions and alerted personnel.

Not too long ago, the bandwidth required by that streaming video would have been too expensive or awkward to be economical. Now, it’s just another sensor.

Intelligent Video for Health and Safety

These Covid pandemic days have led to new use cases for video. AT&T identifies a few key examples on their video intelligence page:

  • Temperature monitoring
  • PPE monitoring
  • Ensuring social distancing
  • Counting people to maintain safe capacity

Infrared thermal imaging has progressed to the point that strategically placed thermal imaging cameras can monitor personnel for fevers—an outward sign of potential Covid infection. We can potentially stop the spread of the virus at the plant entrance.

Another Covid-related application involves contact tracing and social-distancing assurance. These applications require high bandwidth along with sophisticated analysis software—both now readily available. And, both technologies are poised for improvement. We will see 5G installations before long that will improve bandwidth, speed, and latency for video applications.

Outside of these pandemic applications, process plants with hazardous areas have found video sensors to be a perfect solution to determining personnel safety during an incident. Rescue teams need to know who is in the area and where they are. Security teams can be alerted if someone wanders into a hazardous or restricted area.

Intelligent Video for Quality Control

Then we return to the applications I once tried to solve—product quality. While it is best practice to fix the process such that defects are not produced, vision inspection is another step in assuring products that fail to meet specification are not shipped to customers. Taking a feedback loop from inspection information provides a pathway to solving the process problem. As network bandwidth improves and video sensors become smaller, cheaper, faster, these video IoT solutions become more attractive.

5G is the Foundation

Apple released its latest iPhone (one of which is lying on my desk) with great hoopla about 5G. Apple pundits were originally less than enthusiastic about the 5G bandwidth. I have been advising them, along with clients and readers, about the tremendous value that will be unlocked by 5G. It may not be as apparent in an individual iPhone, but we will see a massive shift in business and manufacturing applications.

5G skeptics do exist, but most technologists are decidedly bullish on the possibilities. I think that manufacturers of many varieties will begin deploying the networks for one or two of the reasons that fit them, and then discover that they’ve received more benefit than they expected. Then managers and engineers will have difficulty remembering why there was any debate over moving from LTE to 5G.

As the AT&T Business team puts it in their “Agility Refined” white paper: 

5G is the next generation of wireless communications technology. In essence, 5G will put the network edge closer to users and devices. It uses mid-band frequencies and millimeter wave (mmWave) to help accomplish this. 

5G offers significantly larger spectrum allocations and enables exponentially increased data rates. It has a reduced range compared to today’s 4G frequencies—but the antennae needed for 5G are much smaller. This will allow for a dense network of small cells, enhancing the current user experience.

As you lay out your 5-year-and-beyond scenarios, this intelligent video powered by 5G will be technology to keep in the narrative.

This post was sponsored by AT&T Business, but the opinions are my own and don’t necessarily represent AT&T Business’s positions or strategies.

New Product for Industry 4.0 Solutions

As part of my Hannover Messe interviews a couple of weeks ago, John Gonsalves, a VP at Cyient, introduced me to “our answer to Industry 4.0” for connected workers and supply chain. The new product is INTELLICYIENT, a suite of Industry 4.0 solutions that will enable digital transformation for industries that draw significant value from their assets such as manufacturing, industrial, aerospace, automotive and off-highway, utilities, and mining and natural resources. 

Gonsalves: “The most successful Industry 4.0 solutions will be the ones that bring domain knowledge, depth of technological expertise, and engineering excellence and understanding of business operations. These have been the unique strengths of Cyient, which makes it a partner of choice across its Fortune 500 customers globally.”

Commenting on the launch, Anand Parameswaran, SVP and Global Business Head, Cyient Digital, said, “Cyient has leveraged its investments in the latest digital technology capabilities, and its three decades of experience in engineering and geospatial offerings for asset-intensive industries to design its INTELLICYIENT solution portfolio. With six digital solutions, powered by the interplay of nine technology studios, and our strong partner ecosystem, INTELLICYIENT will help enterprises globally achieve the full potential of digital transformation with IT-OT convergence. We aim to focus on the four key themes of smart automation, intelligent supply chain, end-to-end visibility of workflows and assets, and next-gen workforce solutions that are driving Industry 4.0 adoption.”

Akshat Vaid, Vice President, Everest Group, added, “Digital engineering has become all-pervasive, contributing over 23% to global ER&D spending. Within manufacturing, it manifests as Industry 4.0—the transformation of cyber and physical systems on the back of digital themes for enhanced visibility, control, and autonomy. Industry 4.0 investments have been rising steadily, and the COVID-19 crisis has provided an additional impetus as enterprises look to enhance manufacturing resilience. In effect, enterprises are no longer viewing this spend as discretionary but rather as an avenue for driving business resilience and competitiveness. They, however, struggle with a shortage of capabilities, organizational complexity, data integration, and speed of implementation when it comes to transformation-at-scale. This has led to a rise in outsourcing with third-party vendors offering services across consulting, development, integration, and management of existing deployments.”

Cyient is a global engineering and digital technology solutions company. As a Design, Build, and Maintain partner for leading organizations worldwide, Cyient takes solution ownership across the value chain to help customers focus on their core, innovate, and stay ahead of the curve. The company leverages digital technologies, advanced analytics capabilities, domain knowledge, and technical expertise to solve complex business problems. Cyient partners with customers to operate as part of their extended team in ways that best suit their organization’s culture and requirements. Cyient’s industry focus includes aerospace and defense, medical technology and healthcare, telecommunications, rail transportation, semiconductor, geospatial, industrial products, and energy and utilities.

Neurala and IHI Logistics and Machinery Partner to Deliver Effective OCR Automation

I have witnessed the evolution of Optical Character Recognition (OCR) over the past 35 years. This is an automated system that takes a picture of some text with a digital vision system, does some processing, and outputs machine-readable text that can be used directly in your software application.

Neurala discovered this website’s reach and has been sending me a stream of updates. This is a company moving forward rapidly. Today’s announcement pushes the state-of-the-art.

Today, Neurala announced a partnership with IHI Logistics & Machinery. Neurala’s vision AI software will be deployed to increase the effectiveness of optical character recognition (OCR) reading of package information by automatically identifying expiration dates, to ultimately reduce waste and relieve workers from mundane, repetitive tasks.

IHI Logistics & Machinery is a leading global provider of material handling and factory automation solutions, with a focus on the management of food packaging information and logistics process improvement specifically. Traditionally, food and perishable items come into the warehouse with a production and an expiration date, with these important dates scanned by human workers with handheld OCR terminals upon arrival. It is a tedious job, and when an OCR terminal misreads an expiration date, it results in the need for inspection by humans. This also increases manufacturers’ costs and reduces profits. 

Neurala’s vision AI will improve OCR by automatically identifying a product’s expiration date, including validating where on the packaging the expiration date is located. It will also be able to verify that text on a box is the expiration date, as opposed to other numerical data such as the SKU or production date, if a series of dates is present. This reduces the need for manual intervention when errors or misreads occur and ensures that only accurate data is passed back to the ERP system.

“Introducing AI and automation into our workflow will be a game changer for our business,” said Takayuki Sado, general manager at IHI Logistics & Machinery. “By partnering with Neurala, we are able to bolster our value to our customers, by dramatically increasing the speed and efficiency of material handling. This level of automation is also extremely valuable, as it helps us do more with less – which is especially critical in a time when there are restrictions limiting the number of workers present on the warehouse floor.”

“Neurala is on a mission to help manufacturers realize the benefits of vision AI by partnering with companies around the world who are leaders in their industry,” said Max Versace, co-founder and CEO of Neurala. “We are excited to partner with IHI Logistics & Machinery to provide them with the technology needed to further their position as an innovator and leader in material handling.”