SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

The idea of a software bill of materials seems to be gaining traction. The Linux Foundation has had a group working on a standard. This news details the success of the effort. 

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the Software Package Data Exchange (SPDX) specification has been published as ISO/IEC 5962:2021 and recognized as the open standard for security, license compliance, and other software supply chain artifacts. ISO/IEC JTC 1 is an independent, non-governmental standards body.

Intel, Microsoft, Phillips, Sony, Texas Instruments, Synopsys and VMware are just a handful of the companies using SPDX to communicate Software Bill of Materials (SBOM) information in policies or tools to ensure compliant, secure development across global software supply chains. 

“SPDX plays an important role in building more trust and transparency in how software is created, distributed and consumed throughout supply chains. The transition from a de-facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena,” said Jim Zemlin, executive director, the Linux Foundation. “SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain.” 

Ninety percent (90%) of a modern application is assembled from open source software components. An SBOM accounts for the software components contained in an application — open source, proprietary, or third-party — and details their quality, license, and security attributes. SBOMs are used as a part of a foundational practice to track and trace components across software supply chains. SBOMs also help to proactively identify software component issues and risks, and establish a starting point for their remediation.
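As an added example (not code from the SPDX project, the Linux Foundation, or any company quoted here), the following Python parses a constructed SPDX 2.2 tag-value SBOM and flags the gaps a consumer would care about: missing mandatory document fields, and components whose version, license or origin cannot be determined. The package names, versions, URLs and the CPE string are invented placeholders.

```python
"""Minimal consumer for an SPDX 2.2 tag-value SBOM (added example, not SPDX project code).
The document below is constructed; its names, versions and namespace are placeholders."""
import re

# Constructed SPDX 2.2 tag-value document, not any real product's SBOM.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-1.4.0
DocumentNamespace: https://sbom.example.invalid/example-app-1.4.0
Creator: Tool: handwritten-example
Created: 2021-09-09T00:00:00Z

PackageName: example-app
SPDXID: SPDXRef-Package-example-app
PackageVersion: 1.4.0
PackageDownloadLocation: https://src.example.invalid/example-app-1.4.0.tar.gz
FilesAnalyzed: false
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 2.3.1
PackageDownloadLocation: https://src.example.invalid/libfoo-2.3.1.tar.gz
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:libfoo:2.3.1:*:*:*:*:*:*:*

PackageName: vendored-blob
SPDXID: SPDXRef-Package-vendored-blob
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-example-app
Relationship: SPDXRef-Package-example-app DEPENDS_ON SPDXRef-Package-libfoo
Relationship: SPDXRef-Package-example-app DEPENDS_ON SPDXRef-Package-vendored-blob
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")  # one "Tag: value" pair per line


def parse_tag_value(text):
    """Split an SPDX tag-value document into (document fields, packages, relationships).

    Fields before the first PackageName belong to the document; every later field
    belongs to the most recent package. Single-line values only: multi-line
    <text>...</text> values are not handled in this illustration."""
    doc, packages, relationships = {}, [], []
    current = None
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if not m:
            continue  # blank lines and comments
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = {"PackageName": value, "ExternalRef": []}
            packages.append(current)
        elif tag == "Relationship":
            relationships.append(tuple(value.split()))  # (subject, type, object)
        elif tag == "ExternalRef" and current is not None:
            current["ExternalRef"].append(value)  # a package may carry several
        elif current is None:
            doc[tag] = value
        else:
            current[tag] = value
    return doc, packages, relationships


MANDATORY_DOC = ("SPDXVersion", "DataLicense", "SPDXID", "DocumentName",
                 "DocumentNamespace", "Creator", "Created")


def review_sbom(text):
    """Return findings that would stop a consumer tracing or matching a component."""
    doc, packages, rels = parse_tag_value(text)
    findings = []
    for tag in MANDATORY_DOC:
        if tag not in doc:
            findings.append(f"document: missing mandatory field {tag}")
    if not any(r[:2] == ("SPDXRef-DOCUMENT", "DESCRIBES") for r in rels):
        findings.append("document: nothing DESCRIBES what this SBOM covers")
    for p in packages:
        name = p["PackageName"]
        if "PackageVersion" not in p:
            findings.append(f"{name}: no PackageVersion, cannot be matched to advisories")
        if p.get("PackageLicenseConcluded", "NOASSERTION") == "NOASSERTION":
            findings.append(f"{name}: license not asserted, needs manual review")
        has_security_ref = any(r.startswith("SECURITY ") for r in p["ExternalRef"])
        if p.get("PackageDownloadLocation", "NOASSERTION") == "NOASSERTION" and not has_security_ref:
            findings.append(f"{name}: no download location or SECURITY reference, origin untraceable")
    return findings


if __name__ == "__main__":
    for finding in review_sbom(SAMPLE_SBOM):
        print(finding)
```

Run as a script it lists the three gaps in the constructed `vendored-blob` package; the two identified packages pass.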

SPDX evolved organically over the last ten years through the collaboration of hundreds of companies, including the leading Software Composition Analysis (SCA) vendors – making it the most robust, mature, and adopted SBOM standard. 

To learn more about how companies and open source projects are using SPDX, recordings are available from the “Building Cybersecurity into Software Supply Chain” Town Hall held on August 18th.

ISO/IEC JTC 1 is an independent, non-governmental international organization based in Geneva, Switzerland. Its membership represents more than 165 national standards bodies with experts who share knowledge and develop voluntary, consensus-based, market relevant international standards that support innovation and provide solutions to global challenges.

Supporting Comments

Intel

“Software security and trust are critical to our Industry’s success. Intel has been an early participant in the development of the SPDX specification and utilizes SPDX both internally and externally for a number of software use-cases,” said Melissa Evers, Vice President – Software and Advanced Technology Group, General Manager of Strategy to Execution, Intel.

Microsoft

“Microsoft has adopted SPDX as our SBOM format of choice for software we produce,” says Adrian Diglio, Principal Program Manager of Software Supply Chain Security at Microsoft. “SPDX SBOMs make it easy to produce U.S. Presidential Executive Order compliant SBOMs, and the direction that SPDX is taking with the design of their next gen schema will help further improve the security of the software supply chain.”

Siemens

“With ISO/IEC 5962:2021 we have the first official standard for metadata of software packages. It’s natural that SPDX is that standard, as it’s been the de facto standard for a decade. This will make license compliance in the supply chain much easier, especially because several open source tools like FOSSology, ORT, scancode and sw360 already support SPDX,” said Oliver Fendt, senior manager, open source at Siemens.

Sony

“The Sony team uses various approaches to managing open source compliance and governance,” says Hisashi Tamai, Senior Vice President, Deputy President of R&D Center, Representative of the Software Strategy Committee, Sony Group Corporation. “An example is the use of an OSS management template sheet that is based on SPDX Lite, a compact subset of the SPDX standard. It is important for teams to be able to quickly review the type, version and requirements of software, and using a clear standard is a key part of this process.”

Synopsys

“The Black Duck team from Synopsys has been involved with SPDX since its inception, and I personally had the pleasure of coordinating the activities of the project’s leadership for more than a decade. Representatives from scores of companies have contributed to the important work of developing a standard way of describing and communicating the content of a software package,” said Phil Odence, General Manager, Black Duck Audits.

VMware

“SPDX is the essential common thread among tools under the Automating Compliance Tooling (ACT) Umbrella. SPDX enables tools written in different languages and for different software targets to achieve coherence and interoperability around SBOM production and consumption. SPDX is not just for compliance, either; the well-defined and ever-evolving spec is also able to represent security and supply chain implications. This is incredibly important for the growing community of SBOM tools as they aim to thoroughly represent the intricacies of modern software,” said Rose Judge, ACT TAC Chair and open source engineer at VMware.

Wind River

“The SPDX format greatly facilitates the sharing of software component data across the supply chain. Wind River has been providing a Software Bill of Materials (SBOM) to its customers using the SPDX format for the past 8 years. Often customers will request SBOM data in a custom format. Standardizing on SPDX has enabled us to deliver a higher quality SBOM at a lower cost,” said Mark Gisi, Wind River Open Source Program Office Director and OpenChain Specification Chair.

Founded in 2000, The Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. The Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, RISC-V, Hyperledger, Jenkins, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration.

Coalition for Open Process Automation Launches COPA QuickStart

The Open Process Automation Forum has made progress over the past few years. You can see a chain of reports and thoughts I’ve written over that time. These ideas remind me of a phrase we had amongst the graduate assistants when I was in grad school (we were all political philosophy majors), “Operationalize your eschaton!” Or, in the words of Wendy’s restaurants, “Where’s the beef?” Is anything practical going to evolve from all this standards work?

Then an organization called “Coalition for Open Process Automation” contacted me with information about its formation, members, and, best of all, certified products. This is a giant step forward. Check out the press release and website.

The Coalition for Open Process Automation (COPA) is pleased to announce the launch of COPA QuickStart to accelerate the adoption of Industrial Control Systems (ICS). This is aligned with The Open Group O-PAS Standard, a “standard of standards” for industrial process automation developed by the Open Process Automation Forum (OPAF).

COPA is a diverse group of leading IT and OT technology companies, led by innovative newcomers Collaborative Systems Integration of Austin, Texas and CPLANE.ai of Silicon Valley, California. Its partners include veteran industry leaders such as Phoenix Contact, R. Stahl, Supermicro, Nova SMAR, and CODESYS. With the release of COPA QuickStart, the Coalition is applying years of research, collaboration, and investment by members of OPAF to bring ICS systems to market that are built on industry standards for open, secure, and interoperable architectures.

Securing ICSs from ransomware attacks and state-sponsored hacking is now one of the top priorities of governments and corporations. These cybersecurity issues, along with outdated and crumbling infrastructure, add to the imperative to increase value generation and reduce total cost of ownership through digital transformation. The first step in digital transformation for industrial manufacturers is Open Process Automation.

The COPA partner companies have engineered COPA QuickStart to incorporate components and technologies from multiple vendors into a single, advanced, and cohesive ICS. The COPA QuickStart system is the catalyst for industrial manufacturers to accelerate their adoption of state-of-the-art ICS systems that greatly improve security, flexibility, and profitability of their operations.

Industrial manufacturers can no longer take a “wait and see” approach to adopting modern and open control systems into their manufacturing operations. Until now, there have been no open control system products available for companies to buy. The COPA QuickStart system provides the critical first step in helping industrial manufacturers to start learning, proving, and adopting open architecture ICS solutions into their operations.

Don Bartusiak, who is known widely as the “Father of Open Process Automation,” previously served as ExxonMobil’s Chief Engineer for Process Control. He said, “Industrial manufacturers have repeatedly told me that if O-PAS Standard aligned systems were available, they would buy them. The COPA QuickStart system is our answer to that challenge.” Dr. Bartusiak’s company, Collaborative Systems Integration (CSI), is the systems integrator for the COPA QuickStart offering.

The COPA QuickStart system is designed to accelerate the innovation efforts of leading industrial manufacturers, allowing them to realize the benefits of open systems sooner. The system includes:

  • A pre-packaged industrial control system, aligned with the O-PAS Standard and carefully engineered with best-of-breed components from Phoenix Contact, R. Stahl, Nova SMAR, Supermicro, CPLANE.ai, CSI, and CODESYS.
  • CPLANE.ai’s Fusion management software for seamless automation and orchestration across the entire life-cycle of an industrial control system, from startup to operation to evolution. CPLANE.ai Fusion leverages capabilities engineered by Intel and is powered by Intel Edge Controls for Industrial.
  • The Advanced Computing Platform, built by Supermicro and powered by Intel Xeon D processors installed in a versatile short-depth 1U chassis.
  • Advanced digital technologies demonstrating the value of new capabilities such as fast-cycle Model Predictive Control, Reinforcement Learning Control, AI, and advanced cybersecurity.
  • Hands-on training modules allowing engineers and executives to rapidly gain a deeper understanding of the next-generation control systems and the value they can deliver.

“Powered by Intel Atom x6000E series and Intel Pentium and Celeron N and J series processors with the Intel Edge Controls for Industrial software, the COPA QuickStart will help accelerate the adoption of OPAF-based control systems,” said Richard Kerslake, General Manager of Industrial Controls and Robotics at Intel.

Steve Nunn, CEO and President, The Open Group said: “Through defining and promoting Open Process Automation™, OPAF and COPA are united by a common goal of helping industrial manufacturers accelerate their digital transformation initiatives. The launch of COPA QuickStart coupled with new developments to the O-PAS Standard represents a key milestone in the creation of open, secure, and interoperable architectures, which are critical to the future of industrial process automation systems. We look forward to continuing to work with COPA to address industry challenges and drive progress in process automation.”

“COPA QuickStart is the fruit of many years of collaboration by OPAF and COPA members. It is exciting to see the first standards-based open system become commercially available. Open Process Automation is the future, and we are excited to be a catalyst to accelerate that transformation,” shared Bob Hagenau, CEO, CPLANE.ai.

First availability of COPA QuickStart system will be in Q3 of 2021. More information is available at www.copacontrol.org or by contacting CPLANE.ai.

About CPLANE.ai

CPLANE.ai automates the orchestration of distributed edge computing across a diverse landscape of hardware and software components. CPLANE.ai removes the complexity of provisioning, managing, securing, and evolving distributed systems. CPLANE.ai’s intelligent software platform automates the coordination and configuration of policies and procedures across multiple layers of distributed cloud infrastructure.

Podcast 227 Open and Interoperable

Imagine laying railroad tracks west from the US east coast and meeting up with a crew laying railroad tracks from the west coast only to discover that the width between the rails was different. Standards make a huge difference.

Open standards, open APIs, and open source all enable interoperability and all make life better for users. My discussions over the past couple of years indicate that US engineers are falling behind in the encouragement and use of these technologies. I hope I’m wrong, and I hope the new generation of engineers pick up these ways of working and move American manufacturing forward. And the rest of the world, too.

IIC Busy on IoT Front Publishes Standards Guide and Launches Patterns Initiative

Two news items from The Industrial Internet Consortium (IIC) came my way recently regarding work on IoT. One announced the publication of the Global Industry Standards for Industrial IoT whitepaper. The other announced the launch of an IoT Patterns Initiative.

The whitepaper offers industry guidance in the development, adoption, and use of IIoT standards. The whitepaper outlines a vision and strategy to enable interoperability and system compatibility across the entire IIoT ecosystem.

“The Industrial Internet of Things (IIoT) is a rapidly expanding world of connected objects. As IIoT systems proliferate, organizations consume large amounts of data through machine learning algorithms and share it between partners, customers, and others,” said Erin Bournival, Co-Chair, IIC Standards Task Group and Distinguished Engineer, Dell Technologies. “Integration and interoperability are critical in IIoT environments. That’s not easy to achieve in complex IIoT environments, so standards play a critical role.”

The whitepaper lists categories of standards and the organizations that produce them. It provides business cases for adopting standards as well as strategies for participating in standards development. “Users and vendors cannot engineer a custom interface every time components or systems need to interact,” said Erich Clauer, Co-Chair, IIC Standards Task Group, and VP Industry Standards & Open Source, SAP. “Standards are the lingua franca for interoperability and can make the explosion of interfaces manageable. For suppliers, standards can reduce or eliminate costs.”

“Operational Technology (OT) can no longer deploy isolated islands of automation,” said Claude Baudoin, Principal Consultant, cébé IT & Knowledge Management, and one of the authors of the whitepaper. “Information Technology (IT) and OT must work together to achieve digital transformation. IIoT environments are connected to enterprise systems through the internet, and must adhere to IT communication, security and data norms.”

What is more, customers require standards compliance to avoid vendor lock-in. Standards compliance creates a competitive environment in which failure to support standards — international, regional, industry- or function-specific — becomes a competitive disadvantage. Regulatory agencies require standards adherence to make their monitoring and auditing work feasible. Standards also make employee skills portable across divisions and companies.

“Organizations must define a standards strategy and execute it,” said Sven Toothman, Lead Project Editor and Industry Standards & Open-Source Architect, SAP SE. “IIoT stakeholders could adopt and implement standards as they emerge, but this limited engagement exposes an organization to surprises. By participating in standards development, organizations can anticipate the emergence of new standards. That involves a commitment and extends to processes, product design, and budget.”

IIC members who wrote the Global Industry Standards for Industrial IoT whitepaper and a list of members who contributed to it can be found here on the IIC website.

IoT Patterns Initiative

The IIC also announced the IIC IoT Patterns Initiative to crowdsource, review, revise, and publish a library of high-quality and well-reasoned IoT patterns for use and reuse across industries.

A pattern describes a recurring design or architectural problem in a specific context and offers an established scheme for its solution. IoT patterns include architectural designs to represent essential cohesive components and their assembly; and design patterns that illustrate solutions to specific problems. 

“Patterns capture and condense teachings from developer and system architect experiences that others can use to tackle new problems,” said François Ozog, Director Edge & Fog Computing Group, Linaro, and Co-chair, IIC Patterns Task Group. “The IIC is also developing application notes to describe how to use patterns effectively in various contexts and to help identify the best patterns for solutions.” 

Use cases describe various perspectives of a system based on user roles by defining user requirements and identifying essential functionalities. “Many patterns are technical,” said Daniel Burkhardt, doctoral student, Ferdinand-Steinbeis-Institut, and Co-chair, IIC Patterns Task Group. “But by focusing on end-user concerns and requirements, developers and system architects will use patterns effectively, and solution designs will improve.”

“Patterns enable industries to succeed through collaboration on best practices,” said Dr. Jason McC. Smith, OMG Vice President, and Technical Director. “IIC is leading the way in IoT by building a pattern repository that developers can use to solve new problems.”

IIoT developers and system architects can access the IIC IoT Patterns repository on the IIC Resource Hub. Developers can also join the IIC Community Forum to discuss patterns. Workshops to educate the IIoT developer community will follow. For more information about the IIC IoT Patterns Initiative, read our blog.

The Open Group Open Process Automation Forum Publishes the O-PAS Version 2.1 Preliminary Standard

After my first meeting with Don Bartusiak, then with ExxonMobil, at an ARC Forum, I thought this was an extremely ambitious idea: that an open, interoperable, relatively easily upgradable process automation system built upon industry standards was feasible. And the timeline was aggressive.

The Open Process Automation Forum, under the auspices of The Open Group, has persevered, grown, and has now released version 2.1 “into the wild” for comments from the broader process community before finishing and adopting early next year. So, please go to the Website and review. Your comments could be most helpful.

The marketing people sent a news release, but I realized there wasn’t a lot of “there” there, so I talked with Aneil Ali, Director of the OPAF since May a year ago to get a bit more detail. A key factor gleaned from our chat was that 105 members were involved in the development of this standard. Final release is slated for early 2022. 

I think the remarkable thing about 105 member companies is actually getting something done. All of us who have worked on this type of project know that there are companies (which I shall not name) who send engineers to join with the express purpose of asking lots of questions in order to delay the process or even (hopefully) entice everyone else to give up in despair. This committee worked through 22 recurring weekly meetings to bring this together. Remarkable.

And Ali does not expect the pace to slow.

To recap: Version 1.0 dealt with interoperability; Version 2.1 with the information model; Version 3.0 (in process) will focus on application portability—system orchestration.

Some of the details of 2.1 include defining standard function blocks, addressing IEC 61499, IEC 61131, IEC 62443 (security), and OPC UA. O-PAS is a “standard of standards”, an approach that greatly reduces detail work.

In addition to this standards development work, companies have been building prototype test beds and running field trials, proving this is more than mere paper. The Forum has also been conducting plug fests and developing certification testing partners and parameters.

The group has really come a long way.

From the press release:

The Open Group, the vendor-neutral technology consortium, has announced the publication of the O-PAS Version 2.1 Preliminary Standard. Developed by The Open Group Open Process Automation Forum (OPAF), this release represents a key milestone towards testing and field trials of the O-PAS Standard, enabling greater interoperability and portability in manufacturing control systems.

The O-PAS Standard defines a Reference Architecture and Information Model that will enable a distributed and heterogeneous ecosystem of industrial process automation resources to interoperate. The aim of the Standard is to stimulate innovation, lower system lifecycle costs, and provide end-users with more freedom when managing obsolescence within systems.

Created with the direct involvement of over 105 OPAF Member organizations, Version 2.1 progresses the overall Information Model of Version 2.0, while also adding new configuration portability capabilities.

“This latest advancement of the O-PAS Standard reflects the overall consensus of industry leaders: open, secure, and interoperable architectures are the irrefutable and inevitable future of industrial process automation systems,” commented Aneil Ali, Director of the Open Process Automation Forum. “The sense of urgency among product managers and sales teams to achieve this goal is therefore well-founded, with end-user test beds, prototypes, and field trials already up and running.”

Alongside Version 2.1, a certification program for the O-PAS Standard – due to launch in the first half of 2022 – is being developed against the various Profile-based requirements. As part of this work, test tools are currently being beta tested with suppliers.

“The updated version of the O-PAS Standard empowers end-users to look more closely at product roadmaps for O-PAS inclusion,” continued Ali. “As suppliers work to adopt the Standard within these roadmaps, OPAF is open to as much industry collaboration and feedback as possible.”

Following a finalized Version 2.1 Standard, scheduled for publication in Q1 2022, OPAF will work towards Version 3.0, which will address system orchestration, application portability, and further detail the physical distributed control platform.

About The Open Group Open Process Automation Forum

The Open Process Automation Forum is an international forum of end-users, system integrators, suppliers, academia, and other standards organizations working together to develop a standards-based, open, secure, and interoperable process control architecture. Open Process Automation is a trademark of The Open Group.

About The Open Group

The Open Group is a global consortium that enables the achievement of business objectives through technology standards. Our diverse membership of more than 800 organizations includes customers, systems and solutions suppliers, tool vendors, integrators, academics, and consultants across multiple industries.

Software-centric Automation Hannover Messe Update from Schneider Electric

Schneider Electric has been publicizing an implementation of the decoupled control hardware and software envisioned by the Open Process Automation Forum using IEC 61499. For example, a recent post from the blog: https://themanufacturingconnection.com/2021/02/schneider-electric-updates-ecostruxure-automation-expert-forges-strategic-agreement-with-wood/

At last week’s Hannover Messe, Schneider Electric used its press conference to tout some updates to its EcoStruxure Automation Expert.

The press release is included below for your information, plus a bonus press release regarding a new, smaller footprint UPS.

First, a couple of notes. I listened recently to some software developers discussing the benefits and drawbacks of version numbering their software. The traditional way is to begin with version 1.0 and then increment. Of course, no one (or few?) buy version 1.0, which is typically pretty buggy. An alternative is to version number by year, thus avoiding the dreaded V 1.0. Automation Expert was released a couple of months ago as Version 21.0. The new release discussed below is version 21.1.

Someone, I know not whom, asked a pointed question during the press conference. Schneider points to its offering following the IEC standard. The questioner wanted to know if Automation Expert was just another proprietary software with some standards baked in. The question was not answered directly. The answer given dealt with decoupling hardware and software allowing each to be independently upgraded. Good question to keep in mind if other companies dive into this water. Or—perhaps there is room for an independent software developer to jump into the fray if and when.

Automation Expert V21.1 Release

Schneider Electric released version 21.1 of EcoStruxure Automation Expert, its software-centric universal automation system. Adoption of the new technology is proving immediately beneficial for consumer-packaged goods, pharmaceutical and logistics enterprises. 

“EcoStruxure Automation Expert v21.1 is an important milestone in our journey to help manufacturers achieve the step-change advancements possible with a digital-first approach to industrial automation,” said Fabrice Jadot, Senior Vice President, Next Generation Automation, Schneider Electric. “Today’s operations need to react quickly to fluctuating market and environmental dynamics and rapidly mitigate potential risks. By separating the hardware and software lifecycles, EcoStruxure Automation Expert enables automation applications to be built using asset-centric, portable, proven-in-use software components, independent of the underlying hardware infrastructure. This software-centric approach delivers unprecedented cost and performance gains and frees engineers to innovate by automating low-value work and eliminating task duplication across tools.”

GEA is one of the largest technology suppliers for food processing and a wide range of other industries. The company focuses on technologies, components, and sustainable solutions for sophisticated production processes in diverse end-user markets where time to market and agility are essential. EcoStruxure Automation Expert greatly simplifies the integration between operational technology (OT) and information technology (IT), creating new agility for GEA and its customers.

Master Systèmes, an industrial automation system integrator and Schneider Electric Master Alliance partner, is using EcoStruxure Automation Expert to increase the agility and flexibility of one of its cosmetic customer plants.

Schneider Electric is also implementing EcoStruxure Automation Expert in its own Smart Distribution Center in Shanghai, China to reduce costs and improve efficiency.

Because the software is decoupled from the hardware, modifying the conveying line to adapt as flow requirements change is easier and more cost-effective. With EcoStruxure Automation Expert, identifying the root cause of failure and troubleshooting is four times faster. And with 45% fewer products on the error line, throughput is increased by 5.3%.

Among other advancements, EcoStruxure Automation Expert V21.1 includes: enhanced cybersecurity, diagnostics, discovery and commissioning features, and expanded libraries and language support.

In addition, improved integration with AVEVA System Platform ensures EcoStruxure Automation Expert customers can take advantage of AVEVA’s market leading software for supervisory, enterprise SCADA, MES, and IIoT applications with minimal engineering overhead. One study showed the EcoStruxure Automation Expert and AVEVA combination reduced engineering efforts by over 50%.

New 3-phase UPS

Schneider Electric announced the global launch of the Galaxy VL 200-500 kW (400V/480V) 3-phase uninterruptible power supply (UPS), the newest addition to the Galaxy family. Available worldwide, this highly efficient, compact UPS offers up to 99-percent efficiency in ECOnversion mode for a full return on investment within two years (model dependent) for medium and large data centers and commercial and industrial facilities. A live, virtual “hands-on” event for data center professionals and partners will take place May 4 to demonstrate Galaxy VL’s capabilities and features from Schneider Electric’s Innovation Executive Briefing Center.

With data center floor space at a premium, the compact design of the Galaxy VL is half the size of the industry average at 0.8 m2. Its modular and scalable architecture enables data center professionals to scale power incrementally, from 200 kW to 500 kW with 50 kW power modules, providing flexibility to grow as their business demands.

With Galaxy VL, Schneider Electric introduces Live Swap, a pioneering feature which delivers a touch-safe design throughout the process of adding or replacing the power modules while the UPS is online and fully operational, offering enhanced business continuity and no unscheduled downtime. Additionally, Live Swap’s touch safe design offers increased protection for employees who no longer have to transfer the UPS to maintenance bypass or battery operation during the insertion or removal of the power modules.

Key Benefits of the new Galaxy VL:

  • Maximize space to enable future growth: Galaxy VL is the most compact in its class, 50-percent more compact than the industry average at 0.8 m2, freeing up valuable data center real estate and IT space. Additionally, Galaxy Lithium-ion Battery Cabinets deliver total space savings of up to 70 percent compared with VRLA battery solutions.
  • Save money: Galaxy VL’s modular, scalable platform enables you to pay-as-you-grow, reducing CapEx investment, operating costs, energy consumption, and TCO. Scale power instantly in 50 kW increments from 200 to 500 kW with no extra footprint.
  • Reach sustainability goals: Up to 99-percent efficient in ECOnversion mode for a full return on investment within two years in energy savings (26,280 EUR annual electricity savings). A Schneider Electric Green Premium product, it includes the option for long-lasting Lithium-ion batteries.
  • Increased reliability through EcoStruxure: By connecting Galaxy VL to EcoStruxure—Schneider Electric’s open, interoperable, IoT-enabled system architecture and platform—data center operators can benefit from EcoStruxure™ IT software and services. These EcoStruxure offerings enable customers to monitor, manage, and model their IT infrastructure and get service support 24/7 anywhere, anytime.