Friday, August 28, 2020

Is software bill of materials the answer to all of our problems? Part III



If you're looking for my pandemic posts, go here.

People normally think of questions as a means of soliciting information. However, in many cases the question is the message. For example, if a mother asks her child whether he’s brushed his teeth that morning, she’s not doing it because she’s conducting a scientific study of tooth brushing. Rather, she’s sending him a message: “Brushing your teeth in the morning (and evening) is important for your health and well-being, and I care about both of those things.” Even if he has brushed his teeth, he will absorb this message and it will reinforce the behavior (unless he’s a teenager, in which case all bets are off).

And the same goes for software bill of materials (SBoM). This was brought out very clearly on the fourth page of a six-page infographic piece in Dark Reading (which is an excellent cybersecurity newsletter. I’ve been reading it for 12 or 13 years, ever since I was in college 😊). Here’s that whole page:

"If you have nothing to hide..." can be the beginning of a facile and overly simplistic statement about visibility. At the same time, if a supplier is unwilling or unable to provide transparency into their risks, it's a clear sign that your risk from that third party has risen by many degrees.

According to Alex Santos, CEO and co-founder of Fortress Information Security, the question for many in the supply chain is not only how transparent they're willing to be, but how transparent they're able to be.

"It's getting down to that level of detail, the bill of materials, the suppliers of the suppliers, if you will, that is underlying and important to the supply chain," he says. "That [understanding is] one of the next frontiers."

The issues are similar for both software and physical components that make up the supply chain, Santos says.

"Where is each piece of hardware constructed, and where do those components come from? Has the security of open source code been verified? Where was it developed? Was it a community based in China or around the globe?" he asks. "The same thing goes for the hardware. Was a hardware producer in China? Are there sufficient controls in place to make sure that that hardware is free of backdoors and other malicious constructs?"

Each organization, and each industry, will have different requirements for how far down the supply chain these questions must be answered. Direct suppliers, especially, must be willing and able to assist in the drive to transparency, or they'll become a primary indicator that supply chain corruption is possible.

I know very few NERC entities (or really any type of organization) are asking their suppliers for an SBoM now (even just a first-level SBoM, one that lists only the components the supplier itself included and not the components those components in turn depend on, which is probably the most you’ll get at this point). But even if you doubt you’ll get one, you should always at least ask the question, for three reasons:

1. The supplier may actually be able to give you an SBoM. You can use that information to mitigate your own supply chain cybersecurity risks, as described in the previous post in this series.

2. If the supplier can’t give you a full first-level SBoM, make clear that it’s unacceptable for a supplier not to know what’s in its own product, and ask when they will have that information. If they can’t even tell you that, you should seriously start looking for another supplier, assuming there is a real competitor. (In many cases with control systems there is no serious competition and you’ll stick with this supplier anyway. But you don’t have to depend on the supplier to provide you an SBoM, as I’ll discuss in another post in this series. The series may stretch into 2022, the way it looks now.)

3. They may also tell you they do have a good SBoM but can’t give it to you because it’s a trade secret. Unfortunately, they have a point, and it’s probably not worthwhile to get excited about this and threaten to drop their product. However, as I said above, there are other ways to get an SBoM besides your supplier. And an SBoM can certainly be shared securely between a supplier and its customers, including under NDAs signed by the customers. My guess is that, as recognition of the need for SBoMs grows (both in general and particularly in the energy industry), suppliers will begin to see the advantages of sharing these documents securely.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Are you hot at work – or should be – on getting ready for CIP-013-1 compliance on October 1? Here is my summary of what you need to do between now and then.

