CycloneDX 1.5 SBOM from SDM system dump

Generating SBOMs from B&R SDM dumps

Hi everyone,

I’ve been spending quite some time looking into the Cyber Resilience Act (CRA) and what it means for industrial automation systems.

One thing that becomes clear quite quickly is that software transparency and system evidence will become increasingly important.

Since B&R systems already provide a significant amount of diagnostic information through System Diagnostics Manager (SDM), it seemed natural to explore how far that information could be used as the basis for generating structured system evidence.

As an engineering experiment I built a toolkit that processes SDM system dumps and generates a set of artifacts from them.

Among other things it:

  • extracts system information from SDM dumps
  • generates CycloneDX SBOMs
  • normalizes diagnostic logs
  • creates system evidence bundles
  • verifies SDM package authenticity, allowing dumps transported via USB or other media to still be validated for integrity (when signed on the runtime system)

The project is published here:

patricthysell/tpp-sdm-toolkit: System Dump toolkit for generating CRA-ready system evidence bundles (SBOM, logs, manifests, and authenticity verification)

The idea is simply to explore how existing diagnostics could support things like CRA documentation and general system transparency.

For anyone interested in the broader CRA context around B&R systems, I’ve also collected some background material and references here:

https://thepassionateprogrammer.com/services/050_cra

Best regards
Patric

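As an added illustration of the two pieces the post names (this is not the toolkit's own code, and it assumes nothing about the real SDM dump format: the component records and bundle files below are constructed stand-ins), a minimal CycloneDX 1.5 SBOM builder together with the SHA-256 manifest check that a dump transported by USB would need before anyone trusts its contents:

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed stand-in for records extracted from an SDM dump (not the real format).
SAMPLE_DUMP_RECORDS = [
    {"name": "example-runtime", "version": "1.2.3", "type": "operating-system"},
    {"name": "example-sdm-agent", "version": "2.0.0", "type": "application"},
    {"name": "example-vision-lib", "version": "0.9.1", "type": "library"},
]

# Constructed evidence-bundle files; a manifest pins each file's SHA-256.
SAMPLE_FILES = {
    "sdm_dump.txt": b"EXAMPLE SYSTEM DUMP\nruntime=1.2.3\n",
    "diag.log": b"2024-01-01T00:00:00Z INFO boot ok\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map every bundle file name to the hex SHA-256 of its content."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_manifest(files: dict, manifest: dict) -> list:
    """Return manifest entries that are missing from the bundle or whose
    content hash no longer matches; an empty list means the bundle is intact."""
    return sorted(n for n, h in manifest.items()
                  if n not in files or sha256_hex(files[n]) != h)


def build_sbom(records: list) -> dict:
    """Build a CycloneDX 1.5 JSON document from extracted component records."""
    components = [{
        "type": r["type"],
        "name": r["name"],
        "version": r["version"],
        # Generic purl; a vendor-specific namespace would come from the dump.
        "purl": f"pkg:generic/{r['name']}@{r['version']}",
    } for r in records]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds")},
        "components": components,
    }
```

Running `json.dumps(build_sbom(SAMPLE_DUMP_RECORDS), indent=2)` yields a document that CycloneDX 1.5 tooling can validate; tampering with any byte of `SAMPLE_FILES["diag.log"]` makes `verify_manifest` report that file.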