IIC Journal of Innovation 20th Edition Trustworthy July 2022, 20th Edition | Page 79

Using SBOMs to Secure Industrial IoT Devices
Of course, this means that a device typically utilizes many individual software products, developed by different organizations (including open source communities). How does the software running on the device differ from user-managed software? The biggest difference is that a device is built to fulfill a specific purpose; all of the software installed on the device is only there because it plays a role in fulfilling that purpose. Therefore, it makes sense to treat all the software and firmware installed on the device as a single unit.
On the other hand, user-managed software products each have their own purpose. The server on which they run is simply a platform; a given software product can usually be moved from one server to another without any loss of functionality. Moreover, many user-managed software products can be installed on a single physical or virtual server yet have no connection to each other besides the fact that they run under the same instance of the operating system. The choice of which user-managed software products run on a particular server is entirely up to the user organization.
Therefore, in the case of user-managed software, the user organization needs to receive an SBOM for every software product (including operating systems and firmware) that it utilizes. An SBOM for the server itself (which would have to change whenever any of the software products on the server was updated, added, or removed) would be meaningless.[9] Such an SBOM would simply provide a list of the software products currently installed on the server, which could just as easily be obtained from the operating system's own inventory of installed programs.
However, the opposite is true for an IoT or IIoT device: the only SBOM that makes sense is one for the entire device. The end user is not directly involved in the decision whether to install, update or remove any software product in the device; therefore, they cannot play a direct role in managing any risks posed by individual software products installed on the device. For versioning purposes, the manufacturer usually treats the entire set of software and firmware in the device as a single software product, even though it is often composed of many individual products that are also sold as user-managed software.
Regarding updates and patching, the device manufacturer normally groups updates and patches of multiple software products into a new release of the device software with a unique version number; usually, the new release is "pushed out" to all the devices in use. The manufacturer does not usually push out to customers every update or patch for an individual software product contained in the device as soon as they receive it from the product's supplier; rather, they combine all the individual product updates and patches received since the last device update into a new device update with its own version number.
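The two preceding paragraphs describe a device-level SBOM (the device is the top-level component, the supplier products are nested inside it) and the manufacturer's roll-up of pending supplier patches into one new device release. The following is an added example, not code from the article or from any device manufacturer: it builds such a device SBOM in a simplified CycloneDX-style JSON layout (only the bomFormat, specVersion, metadata.component and components keys are used; it is not a full schema), folds a batch of supplier updates into a new device release, and shows the query a device owner can still answer from the device SBOM alone. The device name, component names, versions and update list are all constructed for illustration.

```python
"""Device-level SBOM roll-up: the whole device image is one versioned product
whose SBOM nests the individual supplier components.

Added example with constructed data; the JSON layout is a simplified
CycloneDX-style subset (bomFormat/specVersion/metadata/components only).
"""
import copy
import json
from typing import Dict, List, Tuple

# Constructed device SBOM for device release 3.1.0 (not a real product).
DEVICE_SBOM_3_1_0: Dict = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        # The device itself is the top-level component; owners version this, not the parts.
        "component": {"type": "device", "name": "ACME-PLC-200", "version": "3.1.0"},
    },
    "components": [
        {"type": "operating-system", "name": "yocto-linux", "version": "4.0.3"},
        {"type": "library", "name": "openssl", "version": "3.0.7"},
        {"type": "library", "name": "zlib", "version": "1.2.12"},
        {"type": "application", "name": "modbus-daemon", "version": "2.4.1"},
    ],
}

# Constructed supplier updates received by the manufacturer since 3.1.0 shipped.
SUPPLIER_UPDATES: List[Dict] = [
    {"name": "openssl", "version": "3.0.8"},
    {"name": "zlib", "version": "1.2.13"},
]


def bump_minor(version: str) -> str:
    """Assumed release policy: a roll-up of component updates bumps the device minor version."""
    major, minor, _patch = (int(x) for x in version.split("."))
    return f"{major}.{minor + 1}.0"


def roll_up(sbom: Dict, updates: List[Dict]) -> Dict:
    """Fold every pending supplier update into ONE new device release.

    The manufacturer does not forward individual patches; the device SBOM is
    regenerated as a unit with its own new version number. An update naming a
    component that is not in the device is rejected rather than silently added,
    because the device SBOM must describe exactly what the image contains.
    """
    new = copy.deepcopy(sbom)
    by_name = {c["name"]: c for c in new["components"]}
    for upd in updates:
        if upd["name"] not in by_name:
            raise KeyError(f"update for component not in device: {upd['name']!r}")
        by_name[upd["name"]]["version"] = upd["version"]
    device = new["metadata"]["component"]
    device["version"] = bump_minor(sbom["metadata"]["component"]["version"])
    return new


def changed_components(old: Dict, new: Dict) -> Dict[str, Tuple[str, str]]:
    """Release-note view: which nested products changed between two device releases."""
    old_versions = {c["name"]: c["version"] for c in old["components"]}
    return {
        c["name"]: (old_versions.get(c["name"], ""), c["version"])
        for c in new["components"]
        if old_versions.get(c["name"]) != c["version"]
    }


def device_releases_containing(sboms: List[Dict], name: str, version: str) -> List[str]:
    """Owner-side question answered from device SBOMs only: which device
    releases ship product name@version? This is how an owner who never
    receives per-product SBOMs still maps a supplier advisory onto the fleet."""
    hits = []
    for s in sboms:
        if any(c["name"] == name and c["version"] == version for c in s["components"]):
            hits.append(s["metadata"]["component"]["version"])
    return hits


if __name__ == "__main__":
    new_sbom = roll_up(DEVICE_SBOM_3_1_0, SUPPLIER_UPDATES)
    print(json.dumps(new_sbom, indent=2))
    print("changed:", changed_components(DEVICE_SBOM_3_1_0, new_sbom))
    print("openssl 3.0.7 still present in device releases:",
          device_releases_containing([DEVICE_SBOM_3_1_0, new_sbom], "openssl", "3.0.7"))
```

Running the module prints the rolled-up SBOM for device release 3.2.0 and reports that only openssl and zlib changed; the last query shows the owner-side use: given supplier advisories for openssl 3.0.7, the owner can tell which device release versions in the field still carry it without ever holding a separate openssl SBOM.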
[9] Note that the operating system of the device – whether an IoT device or an Intel-standard server running different types of software – is always treated as just one software product running on the device, for SBOM purposes.