The concept and benefits of a software bill of materials (SBOM) are simple to understand. SBOMs are a list of all software in an application or cyber asset.
Vendors need to create and maintain an SBOM to have any chance of credibly supporting their product over time. Many vendors have an SBOM, and some of those vendors actually track and update the software in the SBOM. The updates can be to address security vulnerabilities, but also to fix nonsecurity-related bugs and to keep the software components on a supported version.
Asset owners require an SBOM as part of their asset inventory to be able to know if a vulnerability affects their system. The CODESYS runtime vulnerabilities are one of my favorite examples. This runtime is used in hundreds of different models of programmable logic controllers (PLCs), but when ICS-CERT publishes a vulnerability advisory on CODESYS it does not include the PLC’s that rely on the CODESYS runtime as affected products.
A tiny percentage of those PLC vendors update CODESYS in their build and put out an advisory. Almost all of the PLC vendors don’t update the CODESYS component, because this requires resources to develop and test, and they don’t notify their customers. The same is true of industrial cybersecurity (ICS) protocol stacks, as well as common libraries used in operational technology (OT) and information technology (IT).
The hope is that the U.S. National Telecommunications and Information Administration (NTIA) led effort to promote a common SBOM format, facilitate SBOM proof of concept projects in various sectors and generally educate the stakeholders on the need and use of SBOMs is gaining traction. There are whispers that SBOMs will be part of the Biden administration’s efforts to deal with supply chain security issues.
Much like the discussion at the S4x20 panel led by NTIA’s Allen Friedman, the real question is what will asset owners do if SBOMs exist for OT systems?
One step back
SBOMs are information — information that can be used to attack or defend a system. Think of the Shodan tool that scans the internet and creates a database that can be queried by anyone with an account. Shodan can help an asset owner identify internet-accessible OT devices that need to be removed or protected. Shodan can also help an attacker identify vulnerable OT devices that are internet accessible. Once Shodan became available, it initially made the attacker’s job easier because they were using the information more and better than the defenders.
The same is likely to be true when SBOMs are introduced for OT applications and devices. An attacker with access to an SBOM will know if a PLC uses a vulnerable CODESYS runtime or a compromised distributed network protocol 3 (DNP3) stack. It is fair to generally characterize the OT environment as infrequently and unevenly patched for known software components, while admitting some sectors and some individual asset owners do better.
Once SBOMs for OT are created and distributed, it’s likely that it will be a step backward for OT cyber risk. There will be more risk because attackers will now have information on more ways to attack deployed systems, and the attacks on unpatched vulnerabilities will likely be around for years unless you expect the OT patching trends to change dramatically.
For a normal system, this increased attacker knowledge of vulnerabilities would be of great concern. In OT, it is much less so because of the PLC / Level 1 insecure by design issue. Applying all of the SBOM identified missing patches on 90%-plus of these systems would not make the attacker’s job much more difficult. The attacker will typically use documented features and functions rather than bother “hacking” once inside the OT security perimeter. Of course, this points out again the need to implement the increasingly available secure PLC with signed firmware and support for secure ICS protocols.
The SBOMs for the approximately 10% or less of the attack surface that either forms the security perimeter or is directly accessible through the security perimeter is extremely important. If the defenders don’t patch or otherwise address this issue faster than the attackers can leverage the information, which is likely, it will be a step backward.
This does not mean the SBOM effort should not go forward. SBOMs are needed by those asset owners with the maturity and resources to use them. They should not be held hostage by those who choose to invest less in OT cybersecurity. Still, we need to set expectations that SBOMs are unlikely to lower risk in at least the first 1-2 years they are available, and are in fact likely to increase risk.
Business models for SBOMs
The collection, monitoring and use of SBOMs in OT is a large job. Asset owners are lamenting the burden of patching Microsoft vulnerabilities, and more often than not, failing to meet their own set requirements of quarterly, semi-annual or even annual security patching. I don’t have hard numbers, but I have to imagine adding all of the software in an SBOM to the security patching program is at least a five-times increase in asset/patch combinations.
My prediction is that vendors will step into this issue and offer a service that will help:
- Vendors create and maintain their SBOMs
- Provide and update SBOMs for asset owners
- Tell both vendors and asset owners when a new vulnerability affects an SBOM
In the OT, world companies such as aDolus and FiniteState offer products and services to create SBOMs and identify vulnerabilities in the SBOM software components. (Note that the analysis these companies do goes beyond creating and evaluating the SBOM.) Others are sure to join as the supply chain and SBOM get more attention. But who pays for what? Three of the many possible business models include:
- Vendor pays for SBOM service: The vendor integrates the SBOM service into its security development lifecycle (SDL). The vendor can buy a license so that approved asset owners can access the SBOM service. The SBOM service would provide an SBOM for each build and information on all known vulnerabilities in the SBOM. This model would work best for vendors that deliver a whole system such as Emerson Ovation or Honeywell Experion.
- Asset owner pays for SBOM service: Today, most vendors are not providing SBOMs. If an asset owner wants to get an SBOM, they would have to provide the product and pay to have the SBOM created, maintained and monitored for vulnerabilities. The SBOM service vendor may agree to add it to their library at no cost for future annual recurring revenue. Even if the vendor agreed to provide the asset for the SBOM service to create the SBOM, the vendor may not be willing to fund the SBOM service for a large and unknown set of end users. This would be more likely in cases where the vendor does not know who gets their product as it is sold and deployed by integrators.
- Hybrid model where vendor and asset owner pay for the SBOM service: There are likely many combinations of the two above models.
One of the challenges for this SBOM service business is asset owners regularly modify the standard install of the cyber assets. This is often done for legitimate project reasons, and it also occurs due to poor change control. When we go in and audit systems, it’s not unusual to see a common cyber asset, such as a human-machine interface (HMI)/operator station, with different software installed in different computers. This can be different versions of the same software or sometimes additional software that got installed on only some of the operator stations. The SBOM service business is not going to be able to help with this.
One last thought: The SBOM service will need to communicate with the vulnerability management portion of the asset management solution. This integration will be key. Either the SBOM service will need to feed into the vulnerability management module, or the SBOM service will need to become the vulnerability management module and communicate with the asset inventory module.