Aperture Podcast: Tom Pace on SBOMs for ICS and OT
By Michael Mimoso | Aug. 22, 2021
You’re much more likely to get your hands on a parts list for a child’s little red wagon than you are to obtain a software bill of materials (SBOM) for an industrial control system or a device running on your OT network.
That’s the state of affairs facing owners and operators of critical infrastructure and manufacturing responsible for public safety or critical services delivery. Without the visibility an SBOM may provide into the components used to build firmware or a software product, decision-makers could find themselves struggling to properly assess their risk in the event of an incident, or be unable to make adequate response decisions or vulnerability remediations.
Tom Pace, founder of startup NetRise, discusses SBOMs for ICS and OT on this episode of Claroty’s Aperture Podcast. Pace acknowledges that SBOMs for industrial software and firmware are a rarity, and organizations are buying software without being totally aware of the risks present within their space or those that may occur downstream.
“We have a bill of materials for food, for hardware, for chemicals, for all of these other things, but we don’t have it for software, which is arguably the most important thing powering the world right now,” he said. “It doesn’t seem to align well.”
SBOMs are analogous to ingredient labels on food products, or parts lists for toys and automobiles. They are a structured list of components such as libraries and modules required to compile and link software, and even the supply chain relationships between them. With an SBOM in hand, an organization can quickly see whether a vulnerable component is running in their environment and break through the black-box nature of some ICS and OT software packages or firmware installations.
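As an added illustration of the consumption step described above (example code, not from the podcast, Claroty or NetRise), the following Python reads a constructed CycloneDX-style SBOM for a hypothetical PLC firmware image and checks it against a constructed advisory list, following the declared dependency relationships so that a component pulled in transitively is reported together with its path. Component names, versions, bom-refs and advisory ids are invented placeholders.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical PLC firmware image.
# All names, versions and bom-refs are invented for illustration.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "fw", "name": "plc-firmware", "version": "4.2.0"}},
  "components": [
    {"bom-ref": "tls",  "name": "tls-lib",     "version": "1.0.3"},
    {"bom-ref": "rtos", "name": "rtos-kernel", "version": "2.1.0"},
    {"bom-ref": "bn",   "name": "bignum-lib",  "version": "0.9.1"}
  ],
  "dependencies": [
    {"ref": "fw",  "dependsOn": ["tls", "rtos"]},
    {"ref": "tls", "dependsOn": ["bn"]}
  ]
}"""

# Constructed advisory feed: component name -> (advisory id, first fixed version).
# Versions below the fixed version are treated as affected.
ADVISORIES = {
    "bignum-lib":  ("ADV-PLACEHOLDER-1", "0.9.2"),
    "rtos-kernel": ("ADV-PLACEHOLDER-2", "2.0.0"),
}

def parse_version(v):
    """Turn '1.0.10' into (1, 0, 10): numeric compare, since as strings '1.0.10' < '1.0.9'."""
    return tuple(int(p) for p in v.split("."))

def find_affected(sbom_text, advisories):
    """Walk the dependency graph from the top-level component and return
    [(name, version, advisory_id, path)] for every affected component."""
    sbom = json.loads(sbom_text)
    top = sbom["metadata"]["component"]
    by_ref = {c["bom-ref"]: c for c in sbom["components"]}
    by_ref[top["bom-ref"]] = top
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    findings, seen = [], set()

    def walk(ref, path):
        if ref in seen:          # each component reported once, via its first path
            return
        seen.add(ref)
        comp = by_ref[ref]
        path = path + [comp["name"]]
        hit = advisories.get(comp["name"])
        if hit and parse_version(comp["version"]) < parse_version(hit[1]):
            findings.append((comp["name"], comp["version"], hit[0], " -> ".join(path)))
        for child in edges.get(ref, []):
            walk(child, path)

    walk(top["bom-ref"], [])
    return findings
```

Only bignum-lib is reported: it is reachable through tls-lib, while rtos-kernel 2.1.0 is already at or above the fixed version.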
“I find it kinda crazy that we’re worried more about Steve in Accounting’s laptop than we are a programmable logic controller,” Pace said, acknowledging the risks that accompany a compromise on the business network are also significant. “The point remains that these devices are serving incredibly important functions, whether they be in nuclear power plants or power utility companies serving tens of thousands of people. It’s crazy to me that we have a list of ingredients or a bill of materials for a red wagon, but we don’t have a list of ingredients or a bill of materials for a programmable logic controller.”
The tide may be turning, however. The U.S. executive order on cybersecurity signed in May by President Biden includes SBOMs as a standard procedure for secure software development, whereby vendors would provide an SBOM to each purchaser or publish it online. The Commerce Department, working with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, was ordered to publish minimum elements for an SBOM.
Pace covers numerous other topics in this episode, including:
How SBOMs can help mitigate device risks
The value proposition of an SBOM
How an SBOM is generated and consumed
Clearing misconceptions about SBOMs
And that one time he met Chuck Norris
Finally, check out Pace’s presentation on SBOMs at the ICS Village at DEFCON, below, from earlier this month.