People normally think of questions
as a means of soliciting information. However, in many cases the question is
the message. For example, if a mother asks her child whether he’s brushed
his teeth that morning, she’s not doing it because she’s conducting a scientific study
of tooth brushing. Rather, she’s sending him a message: “Brushing your teeth in
the morning (and evening) is important for your health and well-being, and I
care about both of those things.” Even if he has brushed his teeth, he will absorb
this message and it will reinforce this behavior (unless he’s a teenager, in
which case all bets are off).
And the same goes for software
bill of materials (SBoM). This was brought out very clearly on the fourth page
of a six-page infographic
piece in Dark Reading (which is an excellent cybersecurity
newsletter. I’ve been reading it for 12 or 13 years, ever since I was in
college 😊). Here’s that whole page:
“If you have nothing to hide..." can be the beginning of
a facile and overly simplistic statement about visibility. At the same time, if
a supplier is unwilling or unable to provide transparency into their risks,
it's a clear sign that your risk from that third party has risen by many
degrees.
According to Alex Santos, CEO and co-founder of Fortress Information Security, the
question for many in the supply chain is not only how transparent they're
willing to be, but how transparent they're able to be.
"It's getting down to that level of detail, the bill of
materials, the suppliers of the suppliers, if you will, that is underlying and
important to the supply chain," he says. "That [understanding is] one
of the next frontiers."
The issues are similar for both software and physical
components that make up the supply chain, Santos says.
"Where is each piece of hardware constructed, and where
do those components come from? Has the security of open source code been
verified? Where was it developed? Was it a community based in China or around
the globe?" he asks. "The same thing goes for the hardware. Was a
hardware producer in China? Are there sufficient controls in place to make sure
that that hardware is free of backdoors and other malicious constructs?"
Each organization, and each industry, will have different
requirements for how far down the supply chain these questions must be
answered. Direct suppliers, especially, must be willing and able to assist in
the drive to transparency, or they'll become a primary indicator that supply
chain corruption is possible.
I know very few NERC entities (or
really any type of organization) are asking their suppliers for an SBoM now (even
just a first-level SBoM, which is probably the most you’ll get at this point). But,
even if you’re doubtful you’ll get it, you should always at least ask the question,
for three reasons:
1. The supplier may actually be able to give you an
SBoM. You can use that information to mitigate your own supply chain
cybersecurity risks, as described in the previous post
in this series.
2. If the supplier can’t give you a full
first-level SBoM, you should make clear that it’s really unacceptable that the supplier
doesn’t even know what’s in their own product. And ask them when they’ll
have that information. If they can’t even tell you when that will be, you
should seriously start looking for another supplier, assuming there is a real
competitor (in many cases when it comes to control systems, there’s no serious
competition and you’ll stick with this supplier anyway. But you don’t have to
depend on the supplier to provide you an SBoM, as I’ll discuss in another post
in this series. The series may stretch into 2022, the way it looks now).
3. They also may tell you they do have a good SBoM,
but they can’t give you that information because it’s a trade secret.
Unfortunately, they do have a point, and it’s probably not worthwhile to get
all excited about this and threaten to drop their product. However, as I said
above, there are other ways to get an SBoM, not just from your supplier. And an
SBoM can certainly be shared securely between a supplier and its customers,
including of course NDAs signed by the customers. My guess is that, as recognition
of the need for SBoMs grows (both in general and particularly in the energy
industry), suppliers will begin to see the advantages of securely sharing these
documents.
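To make point 1 concrete, here is an added example (not code from the original post or from any supplier or tool it mentions) of what a customer can do with a first-level SBoM once it arrives. It reads a small, constructed SBoM in the CycloneDX JSON layout, lists the components the supplier left too vague to act on (no version or no supplier named, which is the "doesn't know what's in their own product" problem from point 2), and matches the remaining components against a constructed advisory list. The product name, component names, advisory ids and the "fixed_in" versions are all invented for the illustration and are not real products or real vulnerabilities.

```python
import json

# Constructed first-level SBoM in the CycloneDX JSON layout.
# Product and component names are invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "relay-hmi", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "libparse", "version": "1.4.2", "supplier": {"name": "Example Vendor"}},
    {"type": "library", "name": "netstack", "version": "0.9.1"},
    {"type": "library", "name": "cryptolib", "version": "2.0.0", "supplier": {"name": "Example Crypto"}},
    {"type": "library", "name": "legacy-ui"}
  ]
}
"""

# Constructed advisory feed: component name and the first version that is fixed.
# The ids are placeholders, not real CVE or advisory numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libparse", "fixed_in": "1.4.3"},
    {"id": "ADV-EXAMPLE-0002", "name": "cryptolib", "fixed_in": "1.9.0"},
    {"id": "ADV-EXAMPLE-0003", "name": "legacy-ui", "fixed_in": "5.0.0"},
]


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def load_sbom(text):
    """Parse a CycloneDX JSON document and return its first-level component list."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def transparency_gaps(components):
    """Map each component name to the fields the supplier omitted (version, supplier).

    A component with no version cannot be checked against any advisory, so these
    are the items to raise with the supplier first."""
    gaps = {}
    for c in components:
        missing = [f for f in ("version", "supplier") if not c.get(f)]
        if missing:
            gaps[c["name"]] = missing
    return gaps


def match_advisories(components, advisories):
    """Return (advisory id, component name, status) for every advisory that names a listed component.

    status is 'affected' when the listed version is below the fixed version, and
    'unknown' when the SBoM gives no version at all (the component cannot be cleared)."""
    by_name = {c["name"]: c for c in components}
    hits = []
    for adv in advisories:
        comp = by_name.get(adv["name"])
        if comp is None:
            continue  # advisory is about something this product does not contain
        if not comp.get("version"):
            hits.append((adv["id"], comp["name"], "unknown"))
        elif parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
            hits.append((adv["id"], comp["name"], "affected"))
    return hits


if __name__ == "__main__":
    comps = load_sbom(SBOM_JSON)
    print("transparency gaps:", transparency_gaps(comps))
    for adv_id, name, status in match_advisories(comps, ADVISORIES):
        print(f"{adv_id}: {name} is {status}")
```

Run against the constructed data, the script flags netstack (no supplier named) and legacy-ui (no version and no supplier) as gaps to send back to the supplier, reports libparse 1.4.2 as affected by the first placeholder advisory, clears cryptolib because 2.0.0 is already past the fixed version, and marks legacy-ui as unknown because a component with no version cannot be cleared. That last case is the practical reason an incomplete SBoM is worth pushing back on.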
Any
opinions expressed in this blog post are strictly mine and are not necessarily
shared by any of the clients of Tom Alrich LLC. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
Are
you hot at work – or should be – on getting ready for CIP-013-1 compliance on
October 1? Here is my summary of what you need to do between now and then.