Securing Critical Infrastructure: The Role of SBOMs

Table of Contents:

Securing Critical Infrastructure: The Role of SBOMs

Cybersecurity in Critical Infrastructure: An Overview

Introduction to Software Bill of Materials (SBOMs)

How SBOMs Contribute to Cybersecurity

Types of SBOMs and How They Are Different

Benefits of Build-time and Binary SBOMs

Use Cases for Critical Infrastructure

Taking SBOMs to the Next Level

Conclusion

Securing Critical Infrastructure: The Role of SBOMs

The protection of critical infrastructure is paramount. From power grids to transportation systems, the backbone of society relies heavily on interconnected software systems. However, with this increased reliance on technology comes a heightened risk of cyber threats that continue to increase in frequency and sophistication. 

In this blog, we’ll explore the significance of Software Bill of Materials (SBOMs) in fortifying the cybersecurity of our critical infrastructure.

Cybersecurity in Critical Infrastructure: An Overview

Critical infrastructure encompasses various sectors essential to society’s normal functioning, including energy, water, transportation, and communication. As these systems become increasingly digitized, they also become susceptible to cyberattacks. Threat actors, ranging from nation-states to malicious hackers, target vulnerabilities in software systems to disrupt operations, compromise data, and cause widespread chaos.

Introduction to Software Bill of Materials (SBOMs)

A Software Bill of Materials (SBOM) is a comprehensive list of components and dependencies within a software system. Think of it as a detailed inventory that outlines all the ingredients used to build a particular software product, including libraries, frameworks, and third-party modules. SBOMs provide invaluable transparency into the software supply chain, offering insights into the origin and composition of every component.

How SBOMs Contribute to Cybersecurity

The significance of SBOMs in cybersecurity cannot be overstated. These documents serve multiple critical functions:

Enhancing Supply Chain Security: With the growing efficiency of software development outsourcing and third-party integrations, the software supply chain has become increasingly complex. SBOMs enable stakeholders to track every component’s origin and assess its security posture, mitigating the risk of supply chain attacks.

Facilitating Vulnerability Management: By providing a detailed inventory of software components, SBOMs streamline vulnerability management processes. Organizations can quickly identify and address vulnerabilities within their software stack, reducing the window of exposure to potential cyber threats.

Supporting Vulnerability Disclosure and Reporting: Effective communication with customers and stakeholders is essential in cybersecurity. SBOMs facilitate transparent vulnerability disclosure by providing recipients with a clear understanding of the software’s composition and any associated security risks.

Types of SBOMs and How They Are Different

According to the Cybersecurity & Infrastructure Security Agency (CISA), there are multiple types of SBOMs: Design, Source, Build, Analyzed, and Deployed. While each serves a specific and valuable purpose, the types that most affect the effectiveness of cybersecurity for critical infrastructure are Build, Deployed, and Runtime (also called Binary).

Build-time SBOMs are generated during the software build process and offer insight into the components used in the software. Used mostly by product manufacturers and developers, Build SBOMs gather data from source files, dependencies, built components, build process ephemeral data, and other SBOMs to create a releasable artifact.

Binary-based SBOMs provide an inventory of software that is present in a running environment and/or has been executed. They offer infrastructure operators insight into the components present in the system, as well as external call-outs and dynamically loaded components.

Benefits of Build-time and Binary SBOMs

Integrating Build-time and Runtime SBOMs into cybersecurity strategies helps to strengthen the resilience of critical infrastructure systems against cyber threats and ensure the uninterrupted operation of essential services.

While they don’t create security themselves, SBOMs provide the insight needed to secure embedded software, systems, and connected devices by identifying the areas of opportunity to improve security.

Both Build-time and Binary SBOMs offer unique benefits to stakeholders:

Build-time SBOMs: Product Manufacturers

  • Improved accuracy of SBOM details, because they use information from the build and/or Continuous Integration/Continuous Deployment (CI/CD) processes.
  • Improved risk assessment and mitigation strategies.
  • Greater visibility into more components than just source code.
  • Compliance with regulatory requirements such as NIST SP 800-161.

Binary SBOMs: Operators of Infrastructure

  • Visibility into what’s currently in use when the system is running.
  • Details about what components and parts are active or not in use.
  • Streamlined vulnerability management processes.
  • Compliance with regulatory mandates.
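The two inventories described above complement each other: the build-time SBOM says what shipped, the binary SBOM says what is actually loaded, and the difference is exactly the "active or not in use" detail listed for operators. The following is an added example, not code from the original post or from any SBOM tool, that reconciles a constructed CycloneDX-style build SBOM against a constructed runtime inventory and then matches components against a constructed advisory list; every component name, version and advisory identifier is a placeholder.

```python
import json

# Constructed build-time SBOM shaped like a minimal CycloneDX document (placeholder data).
BUILD_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "libcrypto", "version": "3.0.2", "purl": "pkg:generic/libcrypto@3.0.2"},
        {"type": "library", "name": "libxml2", "version": "2.9.10", "purl": "pkg:generic/libxml2@2.9.10"},
        {"type": "library", "name": "libmodbus", "version": "3.1.6", "purl": "pkg:generic/libmodbus@3.1.6"},
    ],
})

# Constructed runtime (binary) inventory: what a running system actually loaded.
RUNTIME_LOADED = [
    {"name": "libcrypto", "version": "3.0.2"},
    {"name": "libmodbus", "version": "3.1.6"},
    {"name": "libplugin-vendor", "version": "1.2.0"},  # dynamically loaded, absent from the build SBOM
]

# Constructed advisory feed keyed by purl; the identifiers are placeholders, not real advisories.
ADVISORIES = {
    "pkg:generic/libxml2@2.9.10": "ADVISORY-PLACEHOLDER-1",
    "pkg:generic/libmodbus@3.1.6": "ADVISORY-PLACEHOLDER-2",
}


def load_components(sbom_json):
    """Return {(name, version): purl} for every component in a CycloneDX-style SBOM."""
    doc = json.loads(sbom_json)
    return {(c["name"], c["version"]): c.get("purl") for c in doc.get("components", [])}


def reconcile(build_components, runtime_loaded):
    """Split components into built-and-loaded, built-but-dormant, and loaded-but-unknown-to-the-build."""
    loaded = {(c["name"], c["version"]) for c in runtime_loaded}
    built = set(build_components)
    return {
        "active": sorted(built & loaded),        # shipped and in use: patch first
        "dormant": sorted(built - loaded),       # shipped but never loaded: lower exposure, still track
        "unexpected": sorted(loaded - built),    # loaded but not in the build SBOM: investigate
    }


def affected(build_components, advisories, only=None):
    """Map (name, version) to an advisory id; `only` restricts the check to a subset of components."""
    keys = build_components if only is None else {k: build_components[k] for k in only}
    return {k: advisories[purl] for k, purl in keys.items() if purl in advisories}
```

Running `affected(comps, ADVISORIES, only=reconcile(comps, RUNTIME_LOADED)["active"])` narrows the advisory list to components that are actually executing, while the `unexpected` bucket surfaces the dynamically loaded components a build-time SBOM alone would never show.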


Use Cases for Critical Infrastructure

As part of its Secure by Design initiative, CISA advises the use of SBOMs for software supply chain security:

Publish Software Bills of Materials (SBOMs). Manufacturers should have command of their supply chains. Organizations should build and maintain SBOMs for each product, request data from their suppliers, and make SBOMs available for downstream customers and users. This will help demonstrate their diligence in understanding the components they use in creating their products, their ability to respond to newly identified risks, and can help customers understand how to respond if one of the modules in the supply chain has a newly found vulnerability.

Here are some use cases that demonstrate how SBOMs can be used to help protect different sectors of critical infrastructure:

Water and Utilities: SBOMs play a crucial role in enabling the security and resilience of water and utilities infrastructure. Because water utilities rely on interconnected IT and OT systems, often have legacy infrastructure, are part of an interconnected supply chain, and tend to employ limited cybersecurity resources, they are attractive targets for cyber adversaries.

SBOMs can mitigate some of these risks as part of an overall cybersecurity strategy by identifying and mitigating vulnerabilities in control systems and IoT devices. They can also recognize vulnerabilities across the software supply chain so the water or utility company can proactively protect itself against attack.

IoT/Embedded Systems: The Internet of Things (IoT) and embedded systems enable increased efficiency, productivity, and accuracy in operations. However, limited security measures, the rapid increase in the number of devices, insecure communication protocols, weak authentication, and a lack of regular updates put IoT devices and embedded systems at higher risk of cyberattacks.

To mitigate these risks, organizations and manufacturers must prioritize cybersecurity throughout the entire lifecycle of IoT and embedded devices, including design, development, deployment, and maintenance. Leveraging SBOMs at each lifecycle stage provides deep visibility of potential vulnerabilities.

Weapons Systems: In the defense sector, weapons systems are interconnected global networks dependent on information technology to provide real-time information, communication, and reaction. The integration of commercial off-the-shelf (COTS) components, lack of secure-by-design practices, and the convergence of cyber and physical threats elevate weapons systems to top targets for nation-state threats.

Employing a strong cybersecurity strategy throughout the entire lifecycle of weapon systems enhances protections against cyber warfare. SBOMs shared among private and public entities across the software supply chain for weapons systems ensure awareness of all potential vulnerabilities and enable proactive actions to increase safety and defenses.

Taking SBOMs to the Next Level

Cyber threat actors are learning as quickly as cybersecurity professionals and are creating more sophisticated threats faster and in greater volumes. This evolution requires cybersecurity defenses to evolve faster still.

One way to do this is to integrate cybersecurity practices directly into existing DevOps pipelines to minimize performance impact and ensure complete visibility of components and parts at build time. Utilizing automated tools to extract component information during the build process streamlines the compilation of build-time SBOMs while still gathering vital build-time data.

Conclusion

SBOMs are indispensable tools for safeguarding critical infrastructure against cyber threats. While they may not create security themselves, they offer invaluable insights that arm critical infrastructure organizations with the information necessary to strengthen their cybersecurity posture. 

By integrating SBOMs into security frameworks, product manufacturers, developers, and infrastructure operators can enhance visibility, streamline vulnerability management, and mitigate risks effectively. 

As cyber threats continue to intensify and cross over to physical vulnerabilities, adopting SBOMs will be a crucial, proactive step in securing our critical infrastructure.

Immunize your vulnerabilities with RunSafe