OSTIF is proud to share the results of our security audit of SEAPATH. SEAPATH is an open source project hosted by Linux Foundation Energy (LF Energy) that consolidates clusters of servers for energy and power management across substations at the utility level. With the help of Ada Logics and LF Energy, SEAPATH will continue to grow as a provider of secure and centralized energy software management.
Audit Process:
To undertake a holistic audit of SEAPATH, Ada Logics began by establishing a formal threat model to identify the scope of the project and its liabilities. The project was audited to identify vulnerabilities against the threat model and ISA-IEC-62443 cybersecurity standards. This process resulted in two sets of findings: those issues identified though the threat model and fuzzing, and recommendations based on comparison of SEAPATH to the ISA-IEC-62443 standards. SEAPATH is currently not in production, though it is being used, so auditors reviewed the project in the context of preparing it to be production-ready. Third-party projects used in SEAPATH were therefore reviewed in context of that scope and recommendations for security improvements made.
Audit Results:
- Formalized custom threat model
- 18 issues related to the SEAPATH threat model
- 8 Medium, 2 Low, 8 Informational
- 14 recommendations related to ISA/IEC-62443 compliance
- +4 new fuzzers for Pacemaker (a third party project in SEAPATH)
- Integrated Pacemaker onto OSS-Fuzz for ongoing testing
- Holistic audit of SEAPATH documentation, code, and function
- Supply-chain security assessment
Though applicable for deployment globally, SEAPATH originated as a French project with initial pilots in France, and as such, follows the French cybersecurity agency ANSSI’s hardening guidance. The project’s effort to follow ANSSI’s principles has hardened their security and made it possible for the project to be integrated and used in an integral role in France’s energy grid. In context, the project was quick to respond to the impactful issues reported. Timely efforts like this show the dedication of the SEAPATH maintainers to sustaining and improving the security of the project. OSTIF commends the work done by SEAPATH on the journey to this audit as well as the steps taken afterwards to address identified issues and reconcile with security recommendations by Ada Logics.
Thank you to the individuals and groups that made this engagement possible:
- SEAPATH maintainers and community- specifically Eloi Bail
- Ada Logics- Adam Korczynski and David Korczynski
- LF Energy- John Mertic and Dan Brown
You can read the Audit Report HERE
You can read the LF Energy Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting more critical work, contact [email protected].