Software bills of materials (SBOMs) help secure industrial IoT devices by making the components inside them visible, which improves both cybersecurity and maintenance. The usual use case for SBOMs is user-managed software, but an SBOM can equally describe the software and firmware pre-installed on a device. Because device users have no direct relationship with the suppliers of that software, they must rely on the device manufacturer to track and manage the device's vulnerabilities. Here are the top 10 things you should know about using SBOMs to secure industrial IoT devices:
1 - Risk Mitigation and Decision Making
SBOMs help software developers mitigate risks posed by vulnerable components, allowing them to make decisions such as replacing high-risk components or providing a patch for a vulnerability.
2 - Software vs. Firmware
There are two kinds of SBOMs in regular use: one for user-managed software products and one for the software and firmware installed in an IoT or IIoT device. With user-managed software, the user installs and updates each product on their own systems, so the user needs an SBOM for every such product. With an IoT device, the software and firmware come pre-installed and updates are applied by the device manufacturer, often remotely, so the device owner needs one SBOM for the device as a whole, supplied and kept current by the manufacturer.
3 - Component Cybersecurity vs. Licensing Risks
SBOMs are used to manage two primary types of component risk: cybersecurity risk and licensing risk. Licensing risk (for example, a component whose license terms conflict with how the product is distributed) mostly concerns the software developer, while cybersecurity risk is a concern for everyone who builds, ships or operates the product.
4 - Common Format
CycloneDX and SPDX are the two full-featured SBOM formats, and each can be serialized in several representations. Those representations include spreadsheets, but the most widely used are XML and JSON, which is what matters for tooling: an SBOM only pays off when it can be read by a program rather than a person.
5 - VEX
Vulnerability Exploitability eXchange (VEX) is a document type developed so that a supplier can state whether a vulnerability reported in a component is actually exploitable in its product (for example, affected, not affected, fixed or under investigation); it is commonly referred to as a "companion artifact" to an SBOM. Both existing VEX formats, the CSAF VEX profile and CycloneDX's VEX representation, are machine-readable.
6 - Visibility
Not every vulnerability found in a software component is exploitable in the product that contains it: in most cases the vulnerable code is not reachable, or the conditions an attacker with common capabilities would need are not present, so the product cannot be compromised through it. Without a statement from the supplier, however, a software user cannot tell whether a newly disclosed component vulnerability is serious or exploitable in the context of the product's intended use.
7 - Monitoring
Organizations managing component vulnerabilities in user-managed software products typically require, by contract, that the supplier deliver a new SBOM whenever the software changes, and they use an automated tool that ingests SBOMs and VEX documents to compile the resulting vulnerabilities. When that compilation runs regularly, the organization always has an up-to-date list of exploitable component vulnerabilities to feed into its vulnerability management tools. It can also use the list to coordinate with the product supplier and decide when serious exploitable vulnerabilities must be patched.
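As an added example (not code from the original article or from the IIC study), the Python script below does what items 4 through 7 describe: it parses a CycloneDX JSON SBOM, looks up each component's purl in a vulnerability feed, applies the manufacturer's CycloneDX VEX statements, and reports only the vulnerabilities that still need action. The SBOM, the feed and the VEX are constructed inline with made-up component names and placeholder advisory ids (not real CVEs); in practice the feed would be a query to a vulnerability database and both documents would come from the supplier.

```python
"""Correlate a CycloneDX SBOM with a vulnerability feed and a VEX document."""
import json

# Constructed CycloneDX 1.4 SBOM for a hypothetical gateway firmware image.
# Component names, versions and purls are made up for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"type": "firmware", "name": "example-gateway-fw", "version": "3.2.1"}},
  "components": [
    {"type": "library", "name": "libtls", "version": "1.1.1", "purl": "pkg:generic/libtls@1.1.1"},
    {"type": "library", "name": "libhttp", "version": "2.4", "purl": "pkg:generic/libhttp@2.4"},
    {"type": "library", "name": "libmodbus", "version": "3.1.6", "purl": "pkg:generic/libmodbus@3.1.6"}
  ]
}"""

# Constructed stand-in for a vulnerability feed (purl -> advisory ids).
# The ids are placeholders, not real CVEs.
VULN_FEED = {
    "pkg:generic/libtls@1.1.1": ["VULN-EXAMPLE-1", "VULN-EXAMPLE-2"],
    "pkg:generic/libhttp@2.4": ["VULN-EXAMPLE-3"],
}

# Constructed CycloneDX VEX from the hypothetical manufacturer. The analysis
# states and justifications are the values the CycloneDX schema defines.
VEX_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "vulnerabilities": [
    {"id": "VULN-EXAMPLE-1",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "The firmware never calls the affected renegotiation API."},
     "affects": [{"ref": "pkg:generic/libtls@1.1.1"}]},
    {"id": "VULN-EXAMPLE-2",
     "analysis": {"state": "exploitable",
                  "detail": "Reachable on the management port; fix planned for 3.2.2."},
     "affects": [{"ref": "pkg:generic/libtls@1.1.1"}]},
    {"id": "VULN-EXAMPLE-9",
     "analysis": {"state": "not_affected", "justification": "code_not_present"},
     "affects": [{"ref": "pkg:generic/oldlib@0.9"}]}
  ]
}"""

# CycloneDX analysis states meaning the product is not affected or already fixed.
NON_ACTIONABLE = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def sbom_components(sbom):
    """Map purl -> (name, version) for every component in the SBOM."""
    return {c["purl"]: (c["name"], c["version"])
            for c in sbom.get("components", []) if c.get("purl")}


def vex_statements(vex):
    """Map (vulnerability id, purl) -> analysis state from a CycloneDX VEX."""
    out = {}
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for target in vuln.get("affects", []):
            out[(vuln["id"], target["ref"])] = state
    return out


def actionable_vulnerabilities(sbom, feed, vex):
    """Return sorted [(vuln_id, purl, state)] that still need action.

    A feed hit on an SBOM component is actionable unless the VEX gives it a
    non-actionable state. A hit with no VEX statement at all is reported with
    state 'no_vex', so the user knows to ask the manufacturer for one.
    """
    statements = vex_statements(vex)
    result = []
    for purl in sbom_components(sbom):
        for vuln_id in feed.get(purl, []):
            state = statements.get((vuln_id, purl), "no_vex")
            if state not in NON_ACTIONABLE:
                result.append((vuln_id, purl, state))
    return sorted(result)


def stale_vex_refs(sbom, vex):
    """Purls the VEX talks about that are not in this SBOM (likely an outdated VEX)."""
    comps = sbom_components(sbom)
    return sorted({ref for (_, ref) in vex_statements(vex) if ref not in comps})


def run():
    sbom, vex = json.loads(SBOM_JSON), json.loads(VEX_JSON)
    return actionable_vulnerabilities(sbom, VULN_FEED, vex), stale_vex_refs(sbom, vex)


if __name__ == "__main__":
    actionable, stale = run()
    for vuln_id, purl, state in actionable:
        print(f"{vuln_id:16} {purl:30} {state}")
    for ref in stale:
        print("VEX references a component not in the SBOM:", ref)
```

Two design choices are worth noting. A vulnerability the feed reports but the VEX says nothing about is surfaced as `no_vex` rather than silently dropped, because silence from the supplier is not the same as "not affected". And `stale_vex_refs` flags VEX statements about components that are no longer in the SBOM, which is the usual sign that the VEX was written against an earlier firmware release and has not been refreshed along with the SBOM.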
8 - Manufacturer's Obligations
A device manufacturer owes its customers a complete SBOM for the device, and must deliver an updated one whenever a software or firmware update changes the components installed on it.
9 - Manufacturer vs. Supplier Liability
If a component supplier fails to patch a serious vulnerability, for whatever reason, the device manufacturer becomes responsible for getting it patched. The manufacturer is the party with the direct relationship with the end user, and it is the manufacturer, not the user, who can make the request to the supplier.
10 - Proper Tracking
To properly track and address device vulnerabilities, manufacturers should make sure the device, and the software and firmware it ships, have identifiers (CPE names) in the National Vulnerability Database, and should report vulnerabilities in that software and firmware so that they are published there and can be matched against the device.
Finally, if you would like to learn more about using SBOMs to secure IoT devices, we strongly recommend reading the following study published by the IIC, or reaching out to specialized experts.