Using SBOMs to Secure Industrial IoT Devices
Software bills of materials (SBOMs) are an important tool for ensuring the cybersecurity of Industrial Internet of Things (IIoT) and Internet of Things (IoT) devices. While much has been written about using SBOMs for user-managed software (the normal software use case), it is important to understand that SBOMs can also describe the software and firmware installed in an IoT device, enabling better device security and maintenance.
In this article, the authors draw on their experience with both SBOMs and IoT/IIoT devices to identify the main ways in which an SBOM for an IoT device differs from an SBOM for a "user-managed" software product, i.e. what most of us think of when we think of "software". We then explain the primary challenges facing SBOMs for devices, and we close by describing how those challenges can be addressed.
It is hardly an exaggeration to say that today's software products are built mostly out of components: code or compiled libraries that perform particular functions. Software would be much more expensive and take much longer to develop (if it were developed at all) if developers could not take advantage of components. The average software product includes over 100 components, and 90% of those are open source.[1] Many software products contain thousands of components. Some are obtained as source code and others as binaries.
However, each additional component brings its own potential vulnerabilities, so a product's aggregate risk grows with the number of components it contains. The Log4j vulnerabilities disclosed in late 2021 showed that a single library can be used very widely, including inside other libraries, so that it is often buried under many "layers" of other components. Without an accurate inventory, that makes it very hard to discover every instance of the library, and therefore very hard to patch each instance. Vulnerabilities like those in Log4j will probably be with us as long as we rely on computers.
An SBOM is at heart very simple: it is a machine-readable listing of the components in a software product or intelligent device (collectively referred to as a "product" in this article).[2]
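To make the "buried under many layers" problem concrete, the following added example (not code from the article or its authors) walks the dependency graph of a CycloneDX JSON SBOM and reports every path from the product down to an instance of a named library that is older than a given version. The SBOM, the component names (plc-gateway-fw, web-console, telemetry-client, mqtt-lib) and the bom-ref identifiers are all constructed for this illustration; the threshold version 2.17.1 is simply the parameter passed in. The point it demonstrates is that two copies of the same library can sit at different depths, one reachable only through another library, and only a machine-readable inventory lets a tool find both reliably.

```python
"""Find every dependency path to an out-of-date library in a CycloneDX SBOM.

Added illustration; the SBOM below is constructed, not a real product.
"""
import json

# Constructed CycloneDX 1.4 JSON SBOM for a hypothetical device firmware.
# Two copies of log4j-core are present: one directly under the web console
# (already at 2.17.1) and one buried beneath the MQTT library (2.14.1).
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "firmware", "name": "plc-gateway-fw",
                             "version": "3.2.0", "bom-ref": "fw"}},
  "components": [
    {"type": "application", "name": "web-console", "version": "1.8.0", "bom-ref": "web"},
    {"type": "library", "name": "telemetry-client", "version": "0.9.1", "bom-ref": "telemetry"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "bom-ref": "log4j-a"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1", "bom-ref": "log4j-b"},
    {"type": "library", "name": "mqtt-lib", "version": "4.0.2", "bom-ref": "mqtt"}
  ],
  "dependencies": [
    {"ref": "fw", "dependsOn": ["web", "telemetry", "mqtt"]},
    {"ref": "web", "dependsOn": ["log4j-b"]},
    {"ref": "telemetry", "dependsOn": ["mqtt"]},
    {"ref": "mqtt", "dependsOn": ["log4j-a"]}
  ]
}
"""


def load_sbom(text):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [dependsOn...]})."""
    bom = json.loads(text)
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom["metadata"]["component"]
    comps[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], comps, graph


def version_tuple(version):
    """Numeric comparison of dotted versions such as '2.14.1' < '2.17.1'."""
    return tuple(int(part) for part in version.split("."))


def find_vulnerable_paths(sbom_text, name, fixed_in):
    """Every root-to-leaf path ending at an instance of `name` older than `fixed_in`.

    Depth-first walk over the dependency graph; the `dep not in path` check
    keeps a malformed SBOM with a dependency cycle from looping forever.
    """
    root, comps, graph = load_sbom(sbom_text)
    hits = []
    stack = [(root, [root])]
    while stack:
        ref, path = stack.pop()
        comp = comps.get(ref, {})
        if comp.get("name") == name and version_tuple(comp["version"]) < version_tuple(fixed_in):
            hits.append(" -> ".join(f'{comps[r]["name"]}@{comps[r]["version"]}' for r in path))
        for dep in graph.get(ref, []):
            if dep not in path:
                stack.append((dep, path + [dep]))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_vulnerable_paths(SAMPLE_SBOM, "log4j-core", "2.17.1"):
        print(hit)
```

Running the block reports two paths to the 2.14.1 copy (one directly via mqtt-lib, one via telemetry-client and then mqtt-lib) and none to the 2.17.1 copy under the web console. A supplier with only a flat package list, or no inventory at all, would typically see the console's up-to-date copy and miss the one that arrived inside mqtt-lib.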
Having an SBOM allows a software developer (supplier) to learn of risks posed by components included in one of their products, so they can take steps to mitigate those risks, for example by replacing vulnerable components with less vulnerable ones. Having an SBOM also allows a
Journal of Innovation 71