Using SBOMs to Secure Industrial IoT Devices
certainly because the device manufacturer isn't looking for vulnerabilities in the first place.[17]
• Of course, if the user knows the CPE name and current version number for at least some of the software products installed in the device, they can look up each of those products in the NVD. However, the user will usually not have this information unless they have a complete, up-to-date SBOM for the device.
• However, even if a user does know at least some CPE names for software products installed in the device, and even if they discover a serious vulnerability in one of those products, they will not be able to install any patch they receive from the software supplier. This is because a device user is normally not able to apply patches directly to software installed in their device. The user must rely on the device manufacturer to provide the patch as part of the next full device update.
In other words, the organizations responsible for patching vulnerabilities found in software products installed in an IoT or IIoT device are the suppliers (which might be open source communities) of the installed products. But because the users of the device are not the direct customers of the software suppliers, they cannot make requests (or demands) of those suppliers; the manufacturer of the device needs to do that. If, for some reason, the supplier of one of the software products installed in the device does not patch a serious vulnerability, it is the device manufacturer's responsibility to patch the vulnerability themselves, or else replace the product altogether.[18]
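As an added example (not code from the article), the two checks described above can be run against a device SBOM: flag components with no CPE name, which cannot be searched in the NVD at all, and, following footnote 18, flag open source components whose upstream shows no commits within roughly the last six months, so the manufacturer knows where it must patch or replace itself. The SBOM contents, component names, CPE strings and the "lastCommit" property are constructed assumptions for this example.

```python
from datetime import date, timedelta
from urllib.parse import quote

# Constructed sample SBOM in a CycloneDX-like layout; component names and CPEs
# are hypothetical. "lastCommit" is an assumed property added for this example
# (not a CycloneDX standard field); it would come from the upstream repository.
SAMPLE_SBOM = {
    "components": [
        {"name": "examplelib", "version": "2.1",
         "cpe": "cpe:2.3:a:example:examplelib:2.1:*:*:*:*:*:*:*",
         "properties": {"lastCommit": "2022-06-20"}},
        {"name": "vendor-libfoo", "version": "0.4",  # no CPE registered
         "properties": {"lastCommit": "2022-05-01"}},
        {"name": "oldparser", "version": "1.0",  # community gone quiet
         "cpe": "cpe:2.3:a:example:oldparser:1.0:*:*:*:*:*:*:*",
         "properties": {"lastCommit": "2020-11-03"}},
        {"name": "orphanlib", "version": "0.1",  # no commit data at all
         "cpe": "cpe:2.3:a:example:orphanlib:0.1:*:*:*:*:*:*:*",
         "properties": {}},
    ]
}

ABANDON_DAYS = 183  # about six months, the article's example threshold
NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

def nvd_lookup_url(cpe: str) -> str:
    """Build the NVD CVE API 2.0 query for an exact CPE name (no request is sent)."""
    return f"{NVD_CVE_API}?cpeName={quote(cpe, safe='')}"

def triage_sbom(sbom: dict, today_iso: str) -> tuple:
    """Return (no_cpe, stale): components that cannot be searched in the NVD,
    and components with no upstream commit within ABANDON_DAYS. A missing
    lastCommit counts as stale: 'unknown' is not evidence of an active community."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=ABANDON_DAYS)
    no_cpe, stale = [], []
    for comp in sbom.get("components", []):
        label = f'{comp["name"]}@{comp["version"]}'
        if not comp.get("cpe"):
            no_cpe.append(label)
        last = comp.get("properties", {}).get("lastCommit")
        if last is None or date.fromisoformat(last) < cutoff:
            stale.append(label)
    return no_cpe, stale

if __name__ == "__main__":
    no_cpe, stale = triage_sbom(SAMPLE_SBOM, "2022-07-01")
    print("Not searchable in NVD (no CPE):", no_cpe)
    print("Upstream possibly abandoned (manufacturer must patch or replace):", stale)
    print("Example NVD query:", nvd_lookup_url(SAMPLE_SBOM["components"][0]["cpe"]))
```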
[17] One firmware security specialist identified about 2200 unpatched vulnerabilities in just a single firmware product included in an IIoT device used in critical infrastructure environments. Yet, because the device didn't have a CPE name, a search for it in the NVD would yield no vulnerabilities, leaving the user with a false sense of security. In fact, the device manufacturer, which sold around 50 different devices, had never registered a single one of their devices in the NVD. This means that a customer searching for any one of the devices in the NVD might be led to believe that it has no vulnerabilities. The researcher stated that this is a common problem with intelligent devices.
[18] Of course, if the "supplier" of a product is an open source community, there may be nobody to fix a vulnerability. This could happen if the community has dwindled in recent years and nobody is producing patches for the product anymore. This is why, for every open source software product included in their device, the device manufacturer needs to monitor the community supporting the product. The manufacturer should remove the product from the device if it becomes clear that the community has disappeared or is in the process of disappearing (e.g. no commits on GitHub within, say, the last six months); this is analogous to removing a proprietary product from the device when its vendor has declared the product to be in "end of life" (EOL) status.
If the community has disappeared or the product supplier has gone out of business, but the device manufacturer believes the product cannot be removed from the device, they need to be prepared to address any new serious vulnerabilities by immediately developing a patch, or even fixing the code
78 July 2022