More businesses and other entities use specialized or custom software in daily workflows. This makes it increasingly important that decision-makers understand the link between a software bill of materials (SBOM) and cybersecurity.
The SBOM details the tools, libraries, processes and components used to build the software. That information allows users to gauge the risks before deploying it. Relatedly, it helps them understand the relevant cybersecurity threats, including the aspects criminals may target. That is why SBOMs are well-established options for strengthening supply chain security through better visibility.
Complying With Recent Regulations
In some industries, SBOMs are requirements rather than optional documents. Such is the case for the medical device industry due to new guidance issued by the U.S. Food and Drug Administration (FDA). Medical device manufacturers filing their products with the FDA must include an SBOM.
Additionally, forthcoming requirements will oblige manufacturers to demonstrate that their products were developed to be cybersecure. Relatedly, the FDA’s rules stipulate that medical device manufacturers must establish compliance programs that monitor for new regulations. How companies address vulnerabilities is another aspect of the FDA guidance. These parties must develop procedures for identifying and patching weaknesses and distributing relevant updates.
Besides creating an SBOM for all relevant medical devices, manufacturers should prepare a software of unknown provenance (SOUP) analysis. This is a requirement for software when the source code contains third-party software of unknown origin.
Manufacturers should seek advice from external cybersecurity experts about implementing these requirements. That way, they can determine whether they are already following best practices or must invest more time and effort in particular areas to align with current and future FDA regulations.
Statistics show health care breaches average $10.92 million per event. However, potential and current customers will likely feel more confident about using products when device makers rely on SBOMs and associated measures to reduce risks. Additionally, the cybersecurity departments at hospitals, doctor’s offices and other facilities can review the SBOM to learn whether particular software titles may pose unusually high risks. If so, leaders must decide whether the anticipated benefits outweigh the possible threats.
Improving Site-Related Visibility
Cybersecurity researchers have warned that the energy industry is a prime target for cyberattacks. Criminals operating online look for opportunities to wreak maximum havoc, and compromising critical infrastructure is an enticing prospect.
However, SBOMs can secure the energy industry’s supply chain by allowing professionals to catalog all software-related assets and their associated vulnerabilities. That information lets teams respond faster and direct cybersecurity resources where they matter most. Additionally, the increased visibility into software origins and dependencies reduces blind spots and potential vulnerabilities that could make cyberattack attempts successful.
Asset audits come in two forms: internal audits carried out by a company’s own staff, and external audits outsourced to organizations that specialize in them. These checks are crucial from a cybersecurity perspective beyond SBOMs, because outdated assets, such as computers running old operating systems and application versions, introduce vulnerabilities for hackers to exploit.
Gathering SBOM material becomes more complicated as the number of associated vendors increases. Employees of one of the largest electricity producers in America created an SBOM for one of the business’s substations. The task required collecting details from 17 vendors and 38 associated devices identified at the site.
The person leading the SBOM project admitted people had no idea which software versions they were running. Additionally, numerous business partners were managing different substation areas.
Progress was also slow since most of the utility company’s vendors declined to provide the requested information. Those that complied took an average of 60 days to submit it. Additionally, the team ran scripts on the content to detect inaccuracies. However, the hard work paid off by tightening cybersecurity, and those involved believe it will also support the procurement process.
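The two practical uses described above, cataloging components against known vulnerabilities and checking collected SBOM data for gaps, can both be done with a small script. The following is an added example written for this article; it is not the utility company's script, nor any vendor's tooling. It assumes a CycloneDX-style JSON layout for the SBOM, and both the SBOM and the advisory list are constructed for the example: the component names, versions and advisory identifiers are placeholders rather than real software or real CVE records.

```python
import json

# Constructed sample SBOM in a CycloneDX-style JSON layout. It is invented for
# this example and is not the substation SBOM described in the article.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "tlslib", "version": "3.2.1",
     "supplier": {"name": "Example TLS Project"}},
    {"type": "library", "name": "compresslib", "version": "1.0.4",
     "supplier": {"name": "Example Compression Group"}},
    {"type": "firmware", "name": "vendor-modbus-stack", "version": "",
     "supplier": {"name": ""}},
    {"type": "library", "name": "logging-lib", "version": "2.4.0"}
  ]
}
"""

# Constructed advisory list. The identifiers are placeholders, not real CVE
# numbers, and the affected versions are made up for the example.
ADVISORIES = {
    "tlslib": [{"id": "ADV-EXAMPLE-001", "affected": ["3.2.0", "3.2.1"]}],
    "logging-lib": [{"id": "ADV-EXAMPLE-002", "affected": ["2.4.0"]}],
}


def load_components(sbom_json):
    """Parse the SBOM text and return its component list."""
    bom = json.loads(sbom_json)
    return bom.get("components", [])


def find_incomplete(components):
    """Flag entries a vendor left blank: no version or no supplier name.

    These gaps make an SBOM useless for vulnerability matching, so they are
    reported before any advisory lookup happens.
    """
    issues = []
    for comp in components:
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            issues.append((name, "missing version"))
        supplier = comp.get("supplier") or {}
        if not supplier.get("name"):
            issues.append((name, "missing supplier"))
    return issues


def match_advisories(components, advisories):
    """Return (component, version, advisory id) for every exact version match.

    Exact string comparison keeps the example self-contained; a production
    checker would compare version ranges and match on package URLs rather
    than bare names.
    """
    findings = []
    for comp in components:
        name, version = comp.get("name"), comp.get("version")
        if not version:
            continue  # no version to compare; find_incomplete reports it
        for adv in advisories.get(name, []):
            if version in adv["affected"]:
                findings.append((name, version, adv["id"]))
    return findings


def audit(sbom_json, advisories):
    """Run both checks and return them as a single report."""
    components = load_components(sbom_json)
    return {
        "incomplete": find_incomplete(components),
        "findings": match_advisories(components, advisories),
    }


if __name__ == "__main__":
    report = audit(SBOM_JSON, ADVISORIES)
    for name, issue in report["incomplete"]:
        print(f"INCOMPLETE  {name}: {issue}")
    for name, version, adv_id in report["findings"]:
        print(f"VULNERABLE  {name} {version}: {adv_id}")
```

The completeness check runs first on purpose: a component with a blank version cannot be matched against any advisory, so it would otherwise appear clean when it is really unknown, which is exactly the kind of blind spot the article warns about.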
Achieving Better Cybersecurity With SBOMs
Strengthening cybersecurity is a multifaceted effort, but SBOMs are an important part of success. They give people a clearer understanding of the software they use or create, and that tailored information helps organizations strengthen their defenses against cyberattacks or respond more effectively once incidents occur.
Additionally, anyone creating software for tightly regulated industries should remain aware of SBOM-related particulars that may affect compliance measures soon. As more regulatory authorities increase cybersecurity controls, appropriate documentation within a software bill of materials shows manufacturers have met standards for creating effective and safe products.
Contributed by: Zachary Amos