Based on the early stage venture funding, the SBOM, or software / firmware visibility and risk analysis, product segment appears to be potentially the next big thing in the OT security category. It’s in a similar place as the OT detection and visibility product segment was in 2017. But how will asset owners actually use these offerings?
Remember back in the early days of the OT Detection market it was the creation of an asset inventory, not detection, that led to the early sales and kept those companies alive. While most people grok why you would want to know all of the components in your software, product or system, actually doing something with all that data is a lot of work and of minimal value in OT today. So where are the near term SBOM wins for asset owners and vendors?
Near Term Wins
Procurement: The main win for asset owners is getting another way to assess the security development and maintenance practices of a vendor before you buy a product or system. Even if you have no plans to use the SBOM. If you ask a vendor for a SBOM and they can’t easily provide it, deduct points. Also ask the vendor for the SBOM from a few version back, because you likely won’t always run the current version. If they can’t easily provide it, deduct points.
If the vendor is hesitant to hand this over until purchase, just ask to visibly inspect it. We have done this for years with artifacts that should have been created based on the vendor’s security development lifecycle. Show me your threat model? Show me your fuzzing results? Even if you never evaluate the competence of the efforts, you will at least know if they are following their own processes.
The second thing to look at is are the elements in the SBOM reasonably up to date. If you have SBOMs for two different versions separated by years, check to see if they are updating the components. This will give you some idea of how they are maintaining the product or system, and I believe you will see some significant differences between vendors.
And third, if the tool you are using is also identifying things such as hard coded passwords, insecure functions, proprietary crypto, etc. This will let you know current and possible future cyber risks to the product or system. All of these items can be considered in your procurement decision and help guide a cyber maintenance strategy after commissioning.
Accessible Attack Surface: The risk reduction achieved in applying easily identified security patches for OT cyber assets is negligible for ~95% of the OT cyber assets (see insecure by design). Multiply the patching burden added by integrating the SBOM is a bad use of limited resources from a risk management standpoint. Patching this ~95% is more about staying on a supported version than reducing cyber risk.
The risk reduction in patching the attack surface accessible from outside the OT zones, typically 5% or less, is large. This would typically be your firewall, your remote access solution, and your servers / devices inside the OT zone or OT DMZ on the ports accessible through the firewall.
It may be possible for asset owners in the near term to maintain and track a SBOM for these smaller number of cyber assets. It will be key for the solution to incorporate VEX, or one of the alternatives, to limit the effort to exploitable vulnerabilities. There likely will be a high correlation between the vendor that doesn’t support something VEXie and doesn’t update the component in their product.
Vendor Dev and QA: Vendors will be asked for SBOMs, and these tools can make it easier to provide them. Some of these companies may provide a service to not only create the SBOM in an appropriate format, but to provide them to authorized customers and prospects. (I still need to write up my view on how this market will develop)
In addition, most of these tools identify security issues. It is another test tool that could be used by QA to verify some secure coding practices have been followed.
Long Term Work
The SBOMs will get integrated into most OT and IT asset inventory tools. As noted above, the value of this information is minimal for 95% of the OT cyber assets today. It would be a mistake if the already flawed emphasis on universal patching of OT was made worse by an increased effort asset owners to maintain SBOMs and apply even more patches for the 95%.
It’s not that it’s wrong or a bad thing to do. Cyber hygiene rarely is. The point is almost all asset owners should be spending their resources on other efforts with much greater risk reduction.