SBOMs in the procurement and maintenance of connected devices
Regulators in many domains have begun to look seriously at how software vendors and operators manage supply chain risks. Recent software-related incidents have shown them that modern software supply chains leave connected systems highly vulnerable to attack, and they are responding with new rules. Vendors and end users in these supply chains, including those for IoT/OT, need to act or risk exclusion from markets or liability for negligence.
Regulations range from consumer IoT (UK Product Security and Telecommunications Infrastructure Act, EU Cyber Resilience Act) to national critical infrastructure (EU NIS 2). Software Bills of Materials (SBOMs) are mentioned explicitly in several of these regulations and, as highly visible artefacts and enablers of many of the key processes, they have attracted a lot of attention. The most action so far has been generated by US President Biden’s Executive Order 14028, which requires suppliers to federal agencies to implement rigorous software supply chain risk management practices by September 2023 or face being replaced.
Importing software components is now so commonplace and easy that many projects don’t give it a second thought, even though imported components routinely come with dozens of their own dependencies. Anything goes, as long as it helps advance the project. As this approach has spread, three problems have emerged that SBOMs can help to address.
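The point about imported components bringing their own dependencies is exactly what an SBOM's dependency graph makes visible. The following is an added example, not code from the IoTSF report or from any SBOM tool: it walks a small, hand-constructed SBOM written in the CycloneDX JSON layout (bomFormat, components, dependencies), lists the direct and transitive dependencies of a device's firmware, and flags component records that lack the name, version or supplier a consumer would need to match them against vulnerability advisories. All component names, versions and suppliers in the sample are invented for illustration.

```python
"""Walk a constructed CycloneDX-style SBOM to surface transitive dependencies.

Added example; the sample document below is hand-written in CycloneDX JSON
layout and every component, version and supplier in it is invented.
"""
import json
from collections import deque

# Constructed sample SBOM for an imaginary sensor gateway. "bom-ref" values are
# the identifiers the "dependencies" section refers back to.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "firmware", "bom-ref": "fw", "name": "sensor-gateway-firmware",
         "version": "3.2.0", "supplier": {"name": "Example Devices Ltd"}},
        {"type": "library", "bom-ref": "mqtt", "name": "mqtt-client",
         "version": "1.4.1", "supplier": {"name": "Example OSS Project"}},
        # tiny-tls has no supplier recorded: a gap a consumer should notice.
        {"type": "library", "bom-ref": "tls", "name": "tiny-tls", "version": "0.9.7"},
        {"type": "library", "bom-ref": "asn1", "name": "asn1-parse",
         "version": "2.0.3", "supplier": {"name": "Example OSS Project"}},
        # jsonlite has an empty version string, so it cannot be matched to advisories.
        {"type": "library", "bom-ref": "jsonlite", "name": "json-lite",
         "version": "", "supplier": {"name": "Example OSS Project"}},
        {"type": "library", "bom-ref": "log", "name": "ring-log",
         "version": "0.3.0", "supplier": {"name": "Example OSS Project"}},
    ],
    "dependencies": [
        {"ref": "fw", "dependsOn": ["mqtt", "jsonlite"]},
        {"ref": "mqtt", "dependsOn": ["tls", "log"]},
        {"ref": "tls", "dependsOn": ["asn1"]},
        {"ref": "asn1", "dependsOn": []},
        {"ref": "jsonlite", "dependsOn": ["log"]},
        {"ref": "log", "dependsOn": []},
    ],
})


def load_sbom(text: str) -> dict:
    """Parse the SBOM JSON and refuse anything that does not declare CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return sbom


def dependency_graph(sbom: dict) -> dict:
    """Map each bom-ref to the bom-refs it depends on directly.

    Every component gets an entry, so leaves without a 'dependencies' record
    do not cause a KeyError during the walk.
    """
    graph = {c["bom-ref"]: [] for c in sbom.get("components", [])}
    for entry in sbom.get("dependencies", []):
        graph.setdefault(entry["ref"], []).extend(entry.get("dependsOn", []))
    return graph


def transitive_dependencies(graph: dict, root: str) -> dict:
    """Breadth-first walk from root; returns {bom-ref: depth}, depth 1 = direct.

    The depth map doubles as a visited set, so the walk terminates on cyclic
    dependency graphs and records the shortest path to each component.
    """
    depth = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        ref, d = queue.popleft()
        if ref == root or ref in depth:
            continue
        depth[ref] = d
        queue.extend((child, d + 1) for child in graph.get(ref, []))
    return depth


def incomplete_components(sbom: dict) -> list:
    """bom-refs whose record lacks a name, version or supplier name."""
    missing = []
    for c in sbom.get("components", []):
        supplier = c.get("supplier") or {}
        if not c.get("name") or not c.get("version") or not supplier.get("name"):
            missing.append(c["bom-ref"])
    return sorted(missing)


def summarise(text: str, root: str) -> dict:
    """Direct and transitive dependencies of root, plus records needing repair."""
    sbom = load_sbom(text)
    deps = transitive_dependencies(dependency_graph(sbom), root)
    return {
        "direct": sorted(r for r, d in deps.items() if d == 1),
        "transitive": sorted(r for r, d in deps.items() if d > 1),
        "incomplete": incomplete_components(sbom),
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_SBOM, "fw"), indent=2))
```

Run against the sample, the firmware declares two direct dependencies but pulls in three more transitively, and two of the six records are unusable for advisory matching until the vendor fills in the missing version and supplier. The same walk applies to a real CycloneDX export; the sample is only there so the script runs offline.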
This paper aims to explain for developers, buyers and operators of IoT/OT why they should care about SBOMs and what they need to do about them.
We outline what should go into SBOMs and the main SBOM standards, how IoT/OT vendors should generate and share SBOMs, and how everyone in the IoT/OT supply chain should use SBOMs to effectively reduce cyber risks for IoT/OT operators.
The paper has been prepared by a working group of the IoT Security Foundation’s Supply Chain Integrity Project, drawing on the experiences and insights of IoTSF members and contributors representing all parts of the IoT ecosystem. By documenting, developing and sharing the current state of the art, the IoTSF aims to advance IoT security, ultimately enabling wider deployment of this beneficial technology.
The report can be downloaded from the Publications Page, or by clicking the cover in the side bar menu.