Is SBOM the answer?

Government and industry experts have recently pointed to software bill of materials (SBOM) as a requirement for organizations, but what are you getting? David Foose spends some time exploring aspects of SBOM fever.

To continue the conversation around supply chain, I would like to take a few minutes to single out one of the items pushed to the forefront, providing a software bill of materials (SBOM).

This idea received special attention in Executive Order 14028 that was signed by President Biden. The order directed the federal agencies to request a SBOM or have it published on a public website. It directed NIST to define the minimum elements of SBOM, tools to generate, and use cases all with a very brief window of time to complete. For most of the fall of 2021, the herculean effort was shouldered by teams across several federal agencies.

The executive order did take special effort to clarify the intent of what it was looking for in the footnotes. It specified that an SBOM will “enumerate open source and commercial software components” in a product. It is “analogous to a list of ingredients” that could be used to ensure that components are “up to date.” It would also be provided in a “machine readable format.” This would be a departure from earlier discussions where some security experts suggested detailed reports that would come closer to traditional code reviews.

There are still some additional details that need to be defined. First, who is the “vendor” that will be providing the SBOM? Is it the person you purchased from or is it the original creator of the product? Is it good enough to tell you the software is Microsoft Windows 10 build 1607 IoT edition (which is even giving you build/patch level including licensing) or do I need to list out each individual Windows component and patch? This could be a negotiation at the time of the contract, but I am sure it is not going to be a universally understood obligation. When requesting additional information beyond what has been stated, who is obligated to provide? Microsoft or the person providing the final transaction? Again, this can be contractually stated and seems to be pushing towards a flow-down expectations where the information may not exist and the party who can generate it is not motivated to complete the task.

Perhaps it is in my best interest as a boutique vendor to a specific group of clients that I do this type of vetting/generating of information for all my primary products prior to sale. For decades, nearly all automation projects I have been a part of expected binders of media with licensing, versions, and install media as part of the initial turnover. What may be lacking would be some additional individual components and a document in the new ‘machine readable format’.

As many of our environments are very much on the brownfield variety, several companies and industry groups are attempting to tackle the problem of creating your SBOM with the least amount of disruption to running operations. Some approach the problem with technical capabilities of inspection. This is often done for speed to cover the environment versus reaching out to each individual vendor with a human. This is not scalable and can lead to frustrations. Frequently the creator of the device may not answer due to support or may not even exist anymore. Some groups are taking it a step further by building a repository of data from devices or companies from which they partner so that their users can check against. No need to scan because it has already been checked.

Let us say that you can scan your environment and get back most, if not all of your main devices and software versions. You now have a large list to supplement our original asset list. Next big bad bug hits. Your boss sends you the link from Bloomberg and you can give an immediate thumbs up or down if you are impacted. Job well done, right? Well, almost. If there is impact, that only starts the clock on “when it will be fixed”.

Who do you call now? The SBOM company that helped you find it? Maybe. That could be a service they could provide in the help to arbitrate common devices if there is an issue. Is it your immediate upstream vendor? Maybe. It depends on if you have a relationship that they are willing to take your phone call and act with any level of urgency. Money certainly greases the wheels, but answers only come so fast. This could be super critical depending on how pressing the vulnerability seems. Several events over the last few years had timelines to respond in days at most. Each link in the chain for someone to check is another delay on response. It should be telling that SBOM is not a user focused request when the President of the United States is asking for ‘machine readable’ documents. This is and always has been a niche ask for an extremely small subsection of analysist and vendors to build a product or service which should and will be wrapped into normal asset or vulnerability management. End consumers, much like your C level executives, just want the assurance it is handled and a timeline.

I still contend that SBOM exists in a form today that is useful for a large percentage of bugs that continue to not be triaged on a regular basis. Look at the decades of missed updates to workstations, servers, and network infrastructure. It isn’t a lack of knowledge that these devices are in the environment or the bugs that exist that are preventing organizations from action.

Are there examples of vendors abandoning versions of woefully neglected and vulnerable software into environments across enterprise and consumer electronics? Yes. Do we have instances where this untouched code was leveraged for a compromise? Also, yes. Would knowing that a device had a vulnerability on it that can be leveraged by a bad person in an active attack going on right now cause an individual to act? History has shown, just maybe.

Much like threat intelligence feeds or vulnerability databased efforts in the past, I don’t see this latest push for an ‘ingredients list’ of what is running on our gear leading towards nuanced defensive decisions. The information will be still generic, dated, and incomplete. Vendors will iterate methods of collection and then preach consolidation. End users will over-rely on tools leading to blinds spots.

Rinse and repeat.

Featured Posts

Featured
Exploring the Evolving Landscape of ICS/OT Cybersecurity at RSAC 2024
Exploring the Evolving Landscape of ICS/OT Cybersecurity at RSAC 2024

The RSA Conference 2024 spotlighted the critical importance of ICS/OT cybersecurity, reflecting a significant increase in attention compared to previous years. Ampyx Cyber CEO, Patrick Miller noted the strong presence of AI-driven security tools on the vendor floor and highlighted the conference's rich agenda featuring discussions on the convergence of IT and OT. As digital transformation continues, the industry's commitment to enhancing ICS/OT cybersecurity is more evident than ever.

Read More →
Reporting Cyber Incidents under DHS CIRCIA’s Proposed Rulemaking
Reporting Cyber Incidents under DHS CIRCIA’s Proposed Rulemaking

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on April 4, 2024 published its proposed rules requiring critical infrastructure entities to report significant cyber incidents and ransom payments to CISA. The proposed regulations are intended to consolidate, fortify, and strengthen the United States’ cyber defenses in critical infrastructure (CI) sectors.

Read More →
Ampere Industrial Security Evolves into Ampyx Cyber
Ampere Industrial Security Evolves into Ampyx Cyber

Ampere Industrial Security, renowned for its expertise in industrial security, announces its rebranding to Ampyx Cyber, marking a new chapter in its global presence with offices in Portland, OR, USA, and a new European base in Tallinn, Estonia. This strategic change represents an expanded commitment to providing top-tier cybersecurity solutions across continents.

Read More →
Embracing AI for the Electric Grid: Insights from NERC
Embracing AI for the Electric Grid: Insights from NERC

In the rapidly evolving landscape of the electric sector, the integration of cutting-edge technologies is not just an option; it's a necessity. Among these, artificial intelligence (AI) stands out as a transformative force, offering unprecedented opportunities to enhance grid reliability, security, and efficiency. Recognizing this potential, the North American Electric Reliability Corporation (NERC) has provided insightful comments on how AI can be harnessed to address the challenges and opportunities within the electric grid.

Read More →
CIP-015: The Crucial Role of INSM in Strengthening Grid Security
INSM, Internal Network Security Monitoring, NERC CIP, FERC, FERC 887
CIP-015: The Crucial Role of INSM in Strengthening Grid Security
INSM, Internal Network Security Monitoring, NERC CIP, FERC, FERC 887

introduction of CIP-015, a new regulation aimed at enhancing grid security by mandating Internal Network Security Monitoring (INSM) for high and medium impact Bulk Electric System (BES) Cyber Systems. This development, initiated by FERC Order No. 887, responds to the need for robust monitoring within trusted network zones to detect and mitigate potential cyber threats. CIP-015 emerges as a standalone standard after industry feedback suggested that INSM requirements did not align well with existing frameworks, shifting towards an objective-based rather than prescriptive approach.

Read More →
INSM, Internal Network Security Monitoring, NERC CIP, FERC, FERC 887
SBOMPatrick MillerSupply Chain, SBOM