Using SBOMs to Secure Industrial IoT Devices
5. Promptly report all vulnerabilities discovered in software or firmware products installed in the device to the NVD, under the device's CPE name.[21]
6. Commit to providing a fix for any device vulnerability that has been assigned a CVSS score of 9.0[22] or higher within five days[23] of discovery of the vulnerability.
7. Commit to the following: if the manufacturer modifies any open source product before installing it in the device, the manufacturer will provide appropriate notification of this with the SBOM, so the customer is informed that this component has been modified. The manufacturer should inform customers of any serious vulnerabilities that appear in this modified component.
8. Commit to obtaining source code for compiled software products that are installed in the device if there is a reasonable possibility that the supplier of the product will not be in business within the normal lifetime of the product.
9. Commit to regularly assessing all software or firmware products installed in the device for security issues, including:
   a. Unpatched exploitable vulnerabilities that have a CVSS score of 5.0[24] or higher;
   b. One or more unpatched exploitable vulnerabilities with a CVSS score of 7.0 or higher, which have remained in the product for six months or longer;[25]
   c. One or more components with an announced End of Life or End of Service date less than six months[26] in the future;
[21] When performing due diligence before purchasing an IoT or IIoT device, the user should check the NVD to ascertain whether a) a CPE name is registered for the device, and b) at least a few vulnerabilities have been reported for it. If the answer to either of these questions is negative, that should raise the suspicion that the manufacturer does not report vulnerabilities at all. Before purchasing from this manufacturer, the user should discuss this issue with the manufacturer. The user should obtain their commitment to register their device in the NVD and start reporting any exploitable vulnerability identified in any software or firmware product installed in the device.
[22] The exact score for this provision can be negotiated between the device customer and the device manufacturer.
[23] The exact number of days can be negotiated between the device customer and the device manufacturer.
[24] The exact score for this provision can be negotiated between the device customer and the device manufacturer.
[25] The exact CVSS score and time period can be negotiated between the device customer and the device manufacturer.
[26] The exact time period can be negotiated between the device customer and the device manufacturer.
80
July 2022