Visibility is a prerequisite for holistic risk management. To achieve it, an organisation must know which systems and components it has, where they are located, and which dependencies and vulnerabilities exist within the chosen solutions.
Work on identifying methods and solutions that improve visibility in industrial ICT systems (OT) has been ongoing for several years. During this time, the concept of the Software Bill of Materials (SBOM) has become increasingly recognised.
Documentation related to visibility is also commonly requested by Havtil during audits. However, we find that many face challenges in establishing adequate visibility in OT.
What is SBOM?
An SBOM is a detailed register of the software components in a product. A good SBOM records, among other things, the name of each component (software and, where relevant, hardware), its version, supplier information, its dependencies, licence information, and known vulnerabilities.
The purpose of an SBOM is to identify, and respond more effectively to, vulnerabilities throughout the system's life cycle. Establishing and maintaining an SBOM improves the processes for mapping dependencies, identifying existing vulnerabilities, and monitoring for new vulnerabilities through the supply chain.
A clear overview of the equipment and software in your environment makes it possible to systematically match them against known vulnerabilities. This reduces the risk that vulnerabilities in components and software remain unnoticed and therefore unassessed. Such vulnerabilities are frequently exploited by threat actors to run malicious code or escalate privileges.
Understanding dependencies makes it possible to map the criticality of systems and software more accurately. This supports prioritisation: the order in which security updates should be applied, and where other risk-reducing measures should be put in place.
An SBOM also gives visibility of components that have reached, or are close to, end-of-life or end-of-support. This makes it easier to implement compensating measures and to plan future upgrades of components.
New requirements provide new opportunities
From December 2027, new requirements for products with digital elements placed on the EU market will apply under the Cyber Resilience Act (CRA). One of these requirements is that the manufacturer must draw up an SBOM for the product, in a commonly used machine-readable format, covering at least its top-level dependencies.
Havtil notes that several of the major suppliers to the petroleum sector have already started this work. This is therefore a golden opportunity for operators and shipowners alike to improve visibility in their systems and to collaborate with suppliers to obtain a better vulnerability picture.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published updated guidance on the minimum elements of an SBOM, intended to help organisations manage software risk more efficiently. The guidance document is available from CISA.
Effective implementation requires involvement
Effective implementation of SBOM requires, at a minimum, that the SBOM contains enough information about licensing, supplier, dependencies, and vulnerabilities to give a correct picture of the relevant risks.
For an SBOM to have effect, its data must also be correlated with vulnerability databases, maintenance programmes, risk registers, and other data sources. In other words, a good SBOM implementation requires automated processes that operate on a common machine-readable format, and it requires that the larger suppliers, shipowners, and operators contribute to this work.
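As an added example (not part of Havtil's article), the following Python script shows what the correlation described above looks like in practice, and at the same time illustrates the SBOM contents listed under "What is SBOM?". It reads a constructed CycloneDX-style SBOM, matches each component against a constructed vulnerability feed whose identifiers (EX-2024-0001 and so on) are hypothetical, walks the dependency graph backwards to find which top-level products a vulnerable library ships in, and flags components that are at or near end-of-support. The product names, versions, feed and end-of-support dates are all invented for illustration.

```python
import json
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM (not a real product). bom-ref values are
# package URLs so that dependency entries can reference components unambiguously.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:generic/examplecorp/hmi-runtime@4.2.1", "type": "application",
     "name": "hmi-runtime", "version": "4.2.1", "supplier": {"name": "ExampleCorp"},
     "licenses": [{"license": {"name": "ExampleCorp EULA"}}]},
    {"bom-ref": "pkg:generic/examplecorp/netlib@2.3.0", "type": "library",
     "name": "netlib", "version": "2.3.0", "supplier": {"name": "ExampleCorp"},
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:generic/examplecorp/compresslib@1.0.9", "type": "library",
     "name": "compresslib", "version": "1.0.9", "supplier": {"name": "ExampleCorp"},
     "licenses": [{"license": {"id": "Zlib"}}]},
    {"bom-ref": "pkg:generic/examplecorp/rt-os@3.0.0", "type": "operating-system",
     "name": "rt-os", "version": "3.0.0", "supplier": {"name": "ExampleCorp"},
     "licenses": [{"license": {"name": "ExampleCorp EULA"}}]}
  ],
  "dependencies": [
    {"ref": "pkg:generic/examplecorp/hmi-runtime@4.2.1",
     "dependsOn": ["pkg:generic/examplecorp/netlib@2.3.0",
                   "pkg:generic/examplecorp/compresslib@1.0.9"]},
    {"ref": "pkg:generic/examplecorp/rt-os@3.0.0",
     "dependsOn": ["pkg:generic/examplecorp/netlib@2.3.0"]}
  ]
}
"""

# Constructed vulnerability feed; the identifiers are hypothetical, not real CVEs.
# The affected range is [introduced, fixed), as in OSV-style advisories.
VULN_FEED = [
    {"id": "EX-2024-0001", "package": "pkg:generic/examplecorp/netlib",
     "introduced": "2.0.0", "fixed": "2.4.1", "severity": "high"},
    {"id": "EX-2023-0042", "package": "pkg:generic/examplecorp/compresslib",
     "introduced": "1.0.0", "fixed": "1.0.8", "severity": "medium"},
]

# Constructed end-of-support dates, keyed by package URL without version.
EOL_TABLE = {"pkg:generic/examplecorp/rt-os": date(2025, 6, 30)}


def parse_version(v):
    """Dotted numeric version -> comparable tuple ('2.3.0' -> (2, 3, 0))."""
    return tuple(int(p) for p in v.split("."))


def package_of(bom_ref):
    """Strip the version from a package URL: pkg:.../netlib@2.3.0 -> pkg:.../netlib."""
    return bom_ref.rsplit("@", 1)[0]


def load_sbom(text):
    """Return (components keyed by bom-ref, dependency map ref -> [child refs])."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom["components"]}
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return components, deps


def find_vulnerable(components, feed):
    """Match every component against the feed on package and version range."""
    hits = []
    for ref, comp in components.items():
        ver = parse_version(comp["version"])
        for v in feed:
            if v["package"] != package_of(ref):
                continue
            if parse_version(v["introduced"]) <= ver < parse_version(v["fixed"]):
                hits.append({"component": ref, "vuln": v["id"], "severity": v["severity"]})
    return hits


def impacted_roots(deps, target):
    """Walk the dependency graph upwards from `target` to the top-level components
    that (transitively) contain it, so a library finding maps to shipped products."""
    parents = {}
    for ref, children in deps.items():
        for child in children:
            parents.setdefault(child, []).append(ref)
    roots, stack, seen = set(), [target], set()
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        if parents.get(ref):
            stack.extend(parents[ref])
        else:
            roots.add(ref)  # nothing depends on it: a top-level product
    return sorted(roots)


def eol_status(components, eol_table, today, horizon_days=180):
    """Flag components that are past end-of-support or within `horizon_days` of it."""
    out = {}
    for ref in components:
        eol = eol_table.get(package_of(ref))
        if eol is None:
            continue
        if eol < today:
            out[ref] = "end-of-support"
        elif eol - today <= timedelta(days=horizon_days):
            out[ref] = "end-of-support within %d days" % horizon_days
    return out


def report(sbom_text=SBOM_JSON, feed=VULN_FEED, eol_table=EOL_TABLE, today="2025-03-01"):
    """Correlate the SBOM with the feed and EOL table; `today` is an ISO date string."""
    components, deps = load_sbom(sbom_text)
    findings = []
    for hit in find_vulnerable(components, feed):
        hit["affects"] = impacted_roots(deps, hit["component"])
        findings.append(hit)
    return {"vulnerabilities": findings,
            "eol": eol_status(components, eol_table, date.fromisoformat(today))}


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Two details are worth noting. The compresslib entry is not reported, because version 1.0.9 is at or above the advisory's fixed version; a matcher that compares only package names would produce a false positive here. The netlib finding is attributed to both hmi-runtime and rt-os, which is the information needed to decide which product's patch or compensating measure to prioritise. In a real deployment the feed would come from a vulnerability database and the SBOM from the supplier, in the same machine-readable format.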