Evolving SBOMs and supply chain threat: ICS Pulse Podcast, Eric Byres, aDolus Technology


Miami Beach welcomed the S4 show into town in February 2023, where industrial cybersecurity professionals and companies from around the globe gathered to discuss the major trends and threats to the industry. While there, ICS Pulse sat down with Eric Byres, CTO and board member of aDolus Technology, to discuss the value of software bill of materials (SBOMs), why operational technology (OT) is getting weaponized and reasons for optimism heading into the future. Listen to the full podcast here, and check out part 1 of our discussion here.

The following was edited for clarity.

ICS Pulse: Let’s talk about visibility, which is a lot of what you guys do at aDolus. How have you seen SBOMs evolve over the years since you started talking about them?

Eric Byres: Really early on, when I was starting to look at the risk to the supply chain, what I realized is if I didn’t know what was in software, there was really nothing I could do. Any time you’re trying to fix or secure anything, if you don’t know what’s there, it’s an old truism: If you don’t know what you’re trying to protect, you’re not going to protect it. The same is true, we’ve seen, with the whole software market. It’s great to say, “I’ve got an HMI (human machine interface) sitting over there from Wonderware,” or something, but if you don’t know the components and the software and the operating system and the underlying pieces of what you actually bought, you’re not going to be protecting it.

Now, what’s exciting to see is that the industry has caught on to this risk, and understood this risk, and is starting to deal with this risk very, very quickly, which is really encouraging. It took us about a decade before people really realized that companies had to understand what was hanging off the OT network. That took a lot of pain. I feel sorry for companies out there that were in that market early on. It took me about a decade before people even understood that maybe an industrial firewall was a good idea.

But that’s not the case with the software supply chain problems, and maybe we can thank our enemies for that. SolarWinds, PIPEDREAM, DragonFly, they’ve generously run the training course for the entire industry that if you don’t know what software you’ve bought, you’re not protecting it, and the bad guys will tell you what software you’ve got by attacking it.

ICSP: There are two main types of SBOMs out there. In your opinion, is there a difference between the two? Is one likely to become the standard, or is it OK that we still have these two different versions out there that people are using?

Byres: I want to preface that. First of all, the SBOM is just the tool to get there. The important thing about the SBOM is it’s just an ingredients list. It’s just a standardized way of writing down what software was inside that software package or in that controller. You know, “What are the bits and pieces in that PLC (programmable logic controller)?” And it’s very much like, “What are the screws that were used to hold the cover on the PLC?” What’s the list?

So there are two standards out there — three officially. They are SPDX, CycloneDX and SWID. But I’m pretty sure that we can now say that SWID has gone the way of ARCNET or one of those old network technologies. I don’t consider it a big deal, quite frankly, that there are two. I grew up when there was Token Ring and Ethernet. Nobody said, “We’re not going to put in a local area network until we’ve decided which one’s going to lead.” It was really easy to do translations. You could buy a cheap, pretty inexpensive Token Ring to Ethernet gateway if you needed it. It was a piece of cake. The same thing here. There are tons of tools to translate it, so everybody should just pick their favorite and run with it.

I honestly think that the SPDX standard is the one that’s going to win out. It’s the one that you see people like Microsoft backing. Quite frankly, and we saw this with Ethernet, when the big guys get behind the standard, no matter whether you argued a Token Ring was better or worse than Ethernet, it doesn’t matter. If you argue that Beta was better than VHS, it doesn’t matter. Eventually, it’s going to be, “Where’s mass going?” I think that SPDX is going to win. I also think SPDX actually has an advantage, and that is it doesn’t try and put vulnerabilities into the SBOM.

The SBOM should be an ingredients list, not a risk list. I want a list of ingredients that shouldn’t change. I don’t want it churning continuously because there’s continuous vulnerability changes. So I honestly am much, much more of a fan of the SPDX side of the house, but the CycloneDX guys will kill me for that.

ICSP: Why is the supply chain so vulnerable right now?

Byres: It’s because it’s got an incredible multiplier effect for the bad guys. If I was on offensive cybersecurity, it’s where I would focus. You look at what the Russians did with SolarWinds. They penetrated one company. They put a lot of effort into getting into the SolarWinds Corporation, but then they had this multiplier effect where they get toeholds into 18,000 companies. Now, fortunately, they actually got overwhelmed and only handled about probably 20 or 30 where they actually took advantage, but that multiplier effect is amazing.

We saw the same thing with DragonFly — attack one company, get into 300 or 400 companies. So that’s the trouble with the supply chain. Even when the bad guys don’t have to attack a company, like we saw with Log4j, the vulnerability is there in this technology, in this product that’s so widely embedded, that it’s a gold rush for the attacker. It’s like, “Thank you very much. I don’t have to fight to get past the firewalls of my intended victim. I just need to find somebody who wrote some bad code that my victim uses.”

ICSP: Exactly, with just one third-party supplier who didn’t take their security seriously, you’re into all of these major companies.

Byres: I saw a really interesting presentation, which I can’t go into a lot of details about, two years ago about a hack on a major West Coast power company, and it was done by hacking into a very small construction services company that worked for them. These guys had one computer and a whole bunch of backhoes, and the attackers went after those guys because those guys didn’t even know how to back up their computer, never mind secure it. So it’s that whole thing about the weakest link, and the suppliers to a big corporation are typically the weakest link. The big corporation has got all its policies and procedures, and they’re going to be hard to break into, but you can go after their suppliers and use that as a backdoor in. And you’ve got more choice. You’re going after one big guy or 500 little suppliers, and one of them has got crappy security.

ICSP: What do you expect the big story to be in the coming year in cybersecurity?

Byres: Well, it depends on the political landscape, but currently as we shoot down balloons and things are heating up with some of the nation-states that are not friendly to Western interests, shall we say, we’re going to see these efforts that they’ve been working on to weaponize OT. So we’re probably going to see some sort of — I don’t think it’s going to be like a Pearl Harbor — but we’re going to see things detected that are clearly nation-state attempts to be able to take advantage. And we’ve seen them happening.

Triton, somebody messing with your safety system is not doing it for money. Safety systems do one thing, basically protect lives in a critical process. If you’re deliberately attacking a safety system, you are doing it to do destructive acts. Now, very fortunately in that case, that was detected before the bad guys were able to pull the trigger. So I think we’re probably going to see more of these where there are actors, foreign state actors, who have penetrated in. Hopefully, I only read in the papers this year about the ones that it was close but we caught them. I hope we don’t read the, “Oops, we didn’t catch them in time, and they caused this major catastrophe or this major accident.”

PIPEDREAM was the same thing. [It’s] very lucky we got on top of that because that was clearly intended to be destructive to the liquified natural gas industry. And you can understand why, too. I mean, it’s not hard to figure out who would like to make sure that America can’t produce or ship liquified natural gas. There’s a certain war going on over in Europe right now that is also an energy war. You can see that’s what’s going to happen over the next year. Hopefully, we find these efforts before they cause trouble, and I’m hoping that we don’t find them after they’ve caused trouble.

ICSP: Just because I don’t want to end on a negative note, what gives you reason for optimism right now?

Byres: One of the things that’s giving me optimism is the fact that we are finding them before they cause trouble. One of the reasons is there’s been awareness building for the last 20 years. I’m at an event here (S4) that used to have 40 people attend. Now, there’s over 1,000 people here, and they’re passionate and they’re working hard. And there are government officials here who are really paying attention and listening to see what could be done. It’s no longer these mandates — “Well, you do this” — but much more communications.

We’re seeing the suppliers of equipment much more interested, SBOMs being a great example. We’re seeing organizations like Schneider saying, “Yeah, we are going to supply SBOMs to our customers.” It’s that cooperation that I see, this community working together. It not being an us versus them, but, “We’re going to work together,” is really, really exciting. The passion people have here to do the right thing, to make our infrastructures, our way of life safer, that’s pretty cool.
