Last week, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) issued an advisory about critical vulnerabilities in embedded software that opens the door to possible security breaches. No breaches have been reported to date, but the potential impact spans multiple industries, including healthcare. This short summary discusses how SBOM can help manufacturers respond and take action.
SBOM Can Help with Vulnerability Discovery
The Software Bill of Materials (SBOM) has been getting a lot of publicity as of late, and it is a critical piece of the cybersecurity puzzle. Generating an SBOM for a specific device is the first step in deployment. Next, those discovered components in the SBOM must be researched and all associated vulnerabilities found. This process of discovery must be continuous so that the SBOM remains updated and evergreen. One of the benefits of a continuously maintained SBOM is the ability to find newly released vulnerabilities more quickly, such as CVE-2021-31886 relating to this current vulnerability in embedded software.
SBOM Can Help Identify Impacted Devices
Organizations with the ability to generate SBOMs for their fielded products have a decided advantage because they can immediately identify impacted systems and deploy critical security patches targeted at only those systems that are impacted. This saves a tremendous amount of time spent sifting through customer records or calling customers trying to determine fielded system profiles.
SBOM Automation is Effective and Efficient
While SBOM is a critical security document, organizations should not make the common mistake of assuming the effort involved to generate and maintain is similar to existing security documentation, such as the Manufacturer Disclosure Statement for Medical Device Security (MDS2). The SBOM is much more involved, and if the manufacturer is responsible for multiple versions of multiple systems, the effort involved to generate and maintain SBOMs could easily require a full-time engineering resource, or substantial effort from several resources. Small manufacturers simply can’t afford it, while larger manufacturers are discovering that the opportunity cost of dedicating development resources to a maintenance task is just too high.
Summary
If you have not started to dig into the SBOM yet, you should. You can start with a search on SBOM or Executive Order 14028 or National Telecommunications and Information Administration (NTIA) Software Transparency. There are lots of great resources and good information is readily available.
If you have started down the SBOM path and are concluding that your effort won’t scale, check out automated SBOM solutions. Be on the lookout for SBOM generation functionality and continuous vulnerability monitoring. Automated alerts and sharing with authorized end users are also helpful features.