Prepping up for 2022, as OT industry focuses on federal government regulations, SBOMs


Looking ahead to 2022, the industrial sector is focused on meeting federal government legislation and regulations, and on the rollout of SBOMs (software bills of materials), which would help deliver transparency to the software supply chain for the critical infrastructure sector. 

The federal controls aim to enhance visibility within the existing framework and to improve the understanding of software vulnerabilities, in order to prevent cyber-attacks and software malfunctions. The sector is currently working on operationalizing SBOM demands while integrating the concept into existing tools, daily operations, and the cybersecurity and vulnerability ecosystem. The Cybersecurity and Infrastructure Security Agency (CISA) is also currently working on SBOMs and is leading with the launch of four workstreams: cloud and online applications, tools and implementation, sharing and exchanging SBOMs, and on-ramps and adoption.

A recent OTORIO survey revealed that respondents consider failure to comply with regulations an even greater concern than the consequences of a cyberattack. In addition, the OT (operational technology) sector is focused on the tightening of legislation and regulations pushed forward by governments, which are taking an increasingly active role in cyber defenses.

Critical infrastructure cybersecurity has been thrust into the spotlight, Eric Byres, founder and chief technology officer at aDolus, told Industrial Cyber. “SBOMs are the first necessary step into achieving full software supply chain visibility for operators, regulators, and legislators. Having immediate executive-level visibility into supply chains will be a minimum requirement for management at all agencies and companies so they can confidently and quickly respond to the next security crisis,” he added. 

Eric Byres, founder and chief technology officer at aDolus

The industry has a number of influential IT software companies, like Microsoft, and OT vendors, like OSIsoft, that have developed the capability to produce SBOMs at scale for their products, Byres said. “They are now exploring how they distribute these SBOMs to their customers in a controlled manner.” 

At the same time, end-users are learning how to use SBOMs effectively to improve their security, according to Byres. “Sometimes, such as when you are trying to determine if you have a vulnerable component running in your facility, all that is needed is a simple text search. But over the long run, expect to see SBOMs used as an input into existing security platforms, especially asset management platforms,” he added. 

SBOM, while not a new topic, is relatively new in industry adoption, pointed out Tony Turner, vice president for product security at Fortress Information Security. “While many in the industrial sector are closely watching how this SBOM initiative is playing out, it is still a bit early to determine how many will adopt this capability in their approaches,” he added. 

Vulnerability management is one of the single biggest drivers for SBOM, and as the recent Log4j vulnerability showed, software transparency is a huge blind spot, Turner told Industrial Cyber. “That being said, many asset owners are still struggling with network segmentation and other foundational controls, and SBOM has not yet made its way into the lexicon for most operators,” he added.

Tony Turner, VP for product security at Fortress Information Security

“We are seeing rapid change (partially driven by Log4j), and by the end of 2022, we think that SBOM will begin carving out a regular place in their tool belt,” Turner said. “The reality is that very few existing tools have the ability to natively work with SBOM and few SBOM translation sources can convert SBOM analysis into usable data objects for cybersecurity and vulnerability management. Industrial sector companies, now confronting dual crises in supply chain risk and vulnerability management, must find tools that both address these concerns and bring them into alignment,” he added.

Injecting a different perspective, Tom Alrich, an independent consultant specializing in supply chain security of critical infrastructure, told Industrial Cyber that there are three problems standing in the way of full implementation of the EO 14028 SBOM provision, scheduled for August. In May last year, U.S. President Joe Biden issued Executive Order 14028, which mandated that all federal agencies start requiring SBOMs from their suppliers, in a bid to modernize US critical infrastructure and its approach to cybersecurity by increasing visibility into threats and maximizing the early detection of cybersecurity vulnerabilities and incidents on its networks.

“Most important: There is no tool available – or on the horizon – that ingests SBOMs and VEXes and identifies exploitable vulnerabilities in product components. The solution to the three problems is to make suppliers responsible for this, not users. They should be doing this now, anyway,” according to Alrich. The VEX (Vulnerability Exploitability eXchange) concept plays a crucial role within the SBOM and vulnerability management space. 

Tom Alrich is an independent consultant, Co-leader, Energy Sector SBOM PoC at NTIA, US Dept. of Commerce

Looking on from an industrial perspective, federal government regulations with regard to SBOMs help in developing agency guidelines and bringing about potential changes.

The US government regulations, particularly EO 14028 released last May, will significantly impact behavior outside the government, Byres said. “First, if supplier X agrees to provide SBOMs to the US government, finding a reason to refuse to provide those SBOMs to large commercial clients will be a struggle. And this demand for SBOMs will ripple far beyond the US. We’re aware of sovereign oil companies in the Middle East who are now looking to duplicate the US government requirements for the software supply chain for all OT purchases they make in 2022.”

The second reason that the regulations will impact companies that don’t have direct sales to the US government is the government’s focus on the software supply chain, according to Byres. “The supply chain is called a chain for a reason. Even if you don’t sell directly to the federal government, what if one of your customers does, and they use your product as part of a larger solution? If the Feds cancel their contract for non-compliance, you can say goodbye to that customer. So the ripple effect of the federal government regulations is likely to be significant,” he added.

Two of the three major security events in the past 14 months (SolarWinds and Log4j) have been supply chain-related, Byres added. Right or wrong, government agencies took a lot of heat for these incidents and invested a lot of resources helping to clean them up. This pressure is not letting up: take for example the letter from 10 senators to DHS Secretary Alejandro Mayorkas and DOT Secretary Pete Buttigieg asking for an update on what the departments are doing to strengthen the nation’s resilience when it comes to cyberattacks on critical infrastructure, he added.

The single biggest regulatory driver, and perhaps the greatest impetus for change here are the requirements for suppliers to provide SBOMs to the federal government in relation to Biden’s EO 14028, according to Turner. “This is a requirement for suppliers to provide, but there are no regulatory requirements for asset owners to do anything with SBOM. That said, the regulations are raising the profile of the conversation. OT practitioners must be part of this discussion,” he added. 

It is clear – as the Log4j event has unfolded – that the need for software transparency is critical for IT and OT operators, Turner said. “Software transparency is the end goal and SBOM is a foundational tool to accomplish this objective, but ultimately SBOMs are a means to an end. If the regulation is thoughtful, asset owners and suppliers will see mutual benefit from the adoption of SBOM in 2022,” he added.

The adoption of SBOMs in securing OT environments is already making a difference, Byres said.

“Take for example the recent Log4j vulnerability. Companies with access to SBOMs were able to determine if they were at risk in a few hours, in contrast to taking weeks to determine risk for past widespread vulnerabilities like Heartbleed,” according to Byres. “This responsiveness is especially important for the OT sector, where active vulnerability scanning of plant floor networks is frowned upon. SBOMs provide a safe, passive way to understand what devices and systems are at risk.”

As more OT suppliers provide SBOMs, expect to see the data that SBOMs provide to be aggregated into information that executive management needs to understand and respond rapidly to evolving situations, Byres said. “Also expect to see the data from SBOMs be used to help leadership prioritize security upgrade projects and patching programs. The whole industry is starving for security professionals and giving management the tools to be able to deploy staff effectively is critical,” he added.

Turner, however, pointed out that the topic of vulnerability management and patching is very controversial in many organizations as patch management tends to be a very IT-centric control focused on compliance activities and good cyber hygiene. “Additionally, for the OT security team, we see how SBOMs can enhance safety, reliability, and productivity as well. As such, focusing the conversation on these topics may lead to increased adoption. We must focus on issues that are important to OT like increased software reliability and the use of safety as an analogous concept for cyber security. More reliable software is safer software,” he added. 

2022 will be “a year of education and awareness on the topic of software transparency, and by the end of 2022, we think we will start seeing more widespread adoption of these concepts. The adoption of SBOMs will make for safer and more reliable systems,” according to Turner.

Another critical element to SBOMs is the VEX, which works as a ‘companion artifact’ to an SBOM, making it ideal for product manufacturers and software suppliers to discover vulnerabilities within third-party dependencies of their products and preemptively assess the exploitability of these vulnerabilities.

The VEX concept “is likely to catch on quickly in 2022 because it reduces the workload for both suppliers and end-users,” according to Byres. “Suppliers get an easy way to communicate the risk (or the absence of risk) that a customer is exposed to from a vulnerability. Rather than producing a long PDF listing 1000s of products and their potential exposure to a vulnerability, vendors can click a button and have a VEX document created for all versions of all the products the company produces. This greatly reduces the effort needed to reassure customers in times of a vulnerability scare,” he pointed out.

End-users still need tools to efficiently consume VEX documents at scale, but expect to see those available in the first half of 2022, Byres said. “VEX is based on the JSON format, which is machine-readable and easy to build tools for. In fact, aDolus is sponsoring the development of an open-source VEX tool that we hope to see available to all by June 2022,” he added.
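As an added illustration (not code from the article, aDolus, Fortress or any project named here), the Log4j-style check that Byres describes in both the SBOM text-search remark earlier and the VEX discussion here: a short Python routine searches a constructed CycloneDX-style SBOM for the vulnerable package, applies a constructed supplier VEX statement, and leaves only the still-open exposures for action. The CVE id, fix version and record shapes are placeholders and simplified assumptions, not any standard's exact schema.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment for illustration (not a real vendor SBOM).
SBOM_JSON = """{"components": [
  {"name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
  {"name": "log4j-api", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"}
]}"""
# Constructed supplier VEX statement in a simplified shape (not an exact CSAF or CycloneDX schema),
# using the VEX status vocabulary affected / not_affected / fixed / under_investigation.
VEX_JSON = """{"statements": [
  {"vulnerability": "CVE-PLACEHOLDER-0001", "status": "not_affected",
   "product": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
   "justification": "vulnerable_code_not_in_execute_path"}
]}"""
# Constructed advisory: placeholder CVE id and an assumed fix version, purely for the example.
ADVISORY = {"id": "CVE-PLACEHOLDER-0001",
            "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core@",
            "fixed_in": (2, 15, 0)}

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a non-numeric suffix such as '-beta9' is ignored."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)

def find_exposure(sbom_json: str, vex_json: str, advisory: Dict) -> List[Dict]:
    """Match SBOM components against the advisory, then apply any supplier VEX statement."""
    vex = {(s["vulnerability"], s["product"]): s for s in json.loads(vex_json)["statements"]}
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        purl = comp.get("purl", "")
        if not purl.startswith(advisory["purl_prefix"]):
            continue  # the simple text search: this component is not the vulnerable package
        if parse_version(purl.split("@", 1)[1]) >= advisory["fixed_in"]:
            status = "fixed"  # the version already carries the fix
        else:
            stmt = vex.get((advisory["id"], purl))
            # No VEX statement: the hit stays open for the asset owner to investigate.
            status = stmt["status"] if stmt else "under_investigation"
        hits.append({"purl": purl, "status": status})
    return hits

def needs_action(hits: List[Dict]) -> List[str]:
    """Only exposures that are still open belong in the patching or mitigation queue."""
    return [h["purl"] for h in hits if h["status"] in ("affected", "under_investigation")]
```

With the supplier's not_affected statement applied, the action queue is empty; remove the VEX and the same SBOM hit stays open as under_investigation, which is the workload reduction Byres describes.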

Suppliers are best suited for the production of a VEX, as ultimately they will know best whether the vulnerable component identified in the SBOM is truly exploitable, Turner said. “VEX is still a very new concept and data formats and tooling are not yet widely available to support the concept.” 

Companies like Fortress and a few others such as OSIsoft are embracing the VEX concept.
