Think of a software bill of materials (SBOM) or hardware bill of materials (HBOM) as a list of ingredients of the components and code used to build a product. At one time, the critical infrastructure industry largely custom-designed the technology they used to manage their infrastructure. Because of that, they knew and understood the hardware or software components, the code, and how the system would operate. 

But that was more than 20 years ago, and now, those organizations are almost entirely dependent on third-party vendors or supply chains.

The Problems Missing SBOMs or HBOMs Cause

Tobias Whitney, Fortress Information Security’s vice president for strategy and policy, says that with the transition to third-party supply chains, organizations have lost transparency.

“For all intents and purposes, the technology that we utilize for some of the most sensitive and critical operations in America or across the globe are incredibly dependent on a third party,” Whitney said. “Those third parties utilize solutions and applications and architectures that may not be incredibly well known to their buyer.” 

When that technology is exploited or breached through a cyber-attack, that lack of knowledge makes it difficult for an organization’s cyber defense practitioners to determine the extent of the damage and prioritize response actions.

Betsy Soehren-Jones, chief operating officer at Fortress, was working as such a practitioner in the energy sector when Log4Shell, a zero-day vulnerability in the popular Java logging framework Log4j, was discovered in November 2021. Jones said they quickly realized they just didn’t have enough information about the system to determine whether it was a big problem or not. (As we all know now, it was.)

“If you think about walking down a cereal aisle and you need something gluten-free, you turn the box around and you look to see if there is any ingredient in there that has gluten,” Jones said. “That’s exactly what I needed to do for Log4, but I didn’t have an ingredient list and I didn’t know where to even go get it.”

How Can Organizations Use SBOMs/HBOMs?

So how do organizations use those lists? The starting point is developing a strong asset list, an inventory of all your systems. 

“Once you have all those assets, you understand what functions are being performed where. The next step is to apply concepts of SBOMs and HBOMs,” Whitney said. “You want to be able to relate back to those particular assets when you find vulnerabilities to understand what ultimately could be impacting that asset based on exposure to this particular technology.”

That’s one of the things Fortress focuses on with our clients — providing a means for an industry to tap into that information in a way that is not overwhelming, and applying simple concepts to allow the user to understand the content.

Collecting that information allows cybersecurity practitioners to efficiently plan and delegate work and collaborate to get to a solution faster. That is what we learned from Log4j, Jones said. 

But that’s just the first step. Once you have that information, how can you become more proactive not just in responding to attacks but preventing them?

There are two playbooks to be cognizant of, says Jones. 

First, the owner of that technology has to use that information to understand and prioritize the critical systems that they cannot operate without. Second, the vendors and organizations who develop that technology have to be prepared to provide that information when the asset owner asks. 

“So, if I’m going to small- and mid-sized businesses, I need to be able to say to them, here is the way that you need to collect this information,” said Jones. “Here is the standardized form you need to put it on. And here’s where you need to deposit that information.”

That process will allow industries to understand what critical vulnerabilities they need to mitigate first and perform that work faster.
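The workflow described above (build an asset inventory, attach an SBOM to each asset, then relate a newly published vulnerability back to the assets that contain the affected component, and flag the assets whose vendor has not supplied an SBOM at all) can be shown end to end in a short script. The following is an added example and is not code from Fortress or from this article; the asset inventory, the CycloneDX-style SBOM documents and the advisory are all constructed for the demonstration, the advisory identifier is a placeholder, and the "fixed in 2.15.0" boundary is an assumption for the example rather than a statement taken from any real advisory. The `affected_assets`, `iter_components` and `parse_version` names are the example's own.

```python
"""Relate a component-level advisory back to the assets that contain it.

Added example: inventory, SBOMs and advisory are constructed for the demo.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterator

# Constructed asset inventory: the "strong asset list" the article starts from.
# RTU-13 has no SBOM on file, which models the vendor that has not supplied one.
ASSET_INVENTORY = [
    {"asset_id": "HIST-01", "name": "Plant historian", "criticality": "high",
     "sbom_file": "hist01.cdx.json"},
    {"asset_id": "HMI-07", "name": "Operator HMI", "criticality": "medium",
     "sbom_file": "hmi07.cdx.json"},
    {"asset_id": "KIOSK-02", "name": "Visitor kiosk", "criticality": "low",
     "sbom_file": "kiosk02.cdx.json"},
    {"asset_id": "RTU-13", "name": "Remote terminal unit", "criticality": "high",
     "sbom_file": None},
]

# Constructed CycloneDX-style SBOM documents, embedded inline so the example
# runs offline. In HIST-01 the vendor's application bundles log4j-core as a
# nested (transitive) component, the case a plain asset list never reveals.
SBOM_DOCUMENTS = {
    "hist01.cdx.json": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "application", "group": "example-vendor",
             "name": "historian-server", "version": "9.2.0",
             "components": [
                 {"type": "library", "group": "org.apache.logging.log4j",
                  "name": "log4j-core", "version": "2.14.1"},
             ]},
        ],
    }),
    "hmi07.cdx.json": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.17.1"},
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-api", "version": "2.17.1"},
        ],
    }),
    "kiosk02.cdx.json": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.12.1"},
        ],
    }),
}


@dataclass(frozen=True)
class Advisory:
    """A component-level advisory: every version below `fixed_in` is affected."""
    advisory_id: str
    group: str
    name: str
    fixed_in: str


# Constructed advisory with a placeholder identifier; the version boundary is an
# assumption made for this example, not a value taken from a real advisory.
LOG4J_ADVISORY = Advisory("CVE-XXXX-PLACEHOLDER", "org.apache.logging.log4j",
                          "log4j-core", "2.15.0")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'major.minor.patch' into a comparable tuple; a pre-release suffix
    such as '-beta9' is dropped, which is sufficient for this demonstration."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def iter_components(components: list[dict]) -> Iterator[dict]:
    """Walk a CycloneDX component list, descending into nested components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def affected_assets(advisory: Advisory, inventory: list[dict],
                    sbom_store: dict[str, str]) -> tuple[list[dict], list[str]]:
    """Return (affected assets most critical first, asset ids with no SBOM)."""
    rank = {"high": 0, "medium": 1, "low": 2}
    hits, missing_sbom = [], []
    for asset in inventory:
        sbom_text = sbom_store.get(asset["sbom_file"]) if asset["sbom_file"] else None
        if sbom_text is None:
            missing_sbom.append(asset["asset_id"])  # exposure is unknown, not zero
            continue
        for comp in iter_components(json.loads(sbom_text).get("components", [])):
            if (comp.get("group"), comp.get("name")) != (advisory.group, advisory.name):
                continue
            if parse_version(comp["version"]) < parse_version(advisory.fixed_in):
                hits.append({"asset_id": asset["asset_id"],
                             "criticality": asset["criticality"],
                             "component": f"{comp['name']}@{comp['version']}"})
    hits.sort(key=lambda h: (rank.get(h["criticality"], 99), h["asset_id"]))
    return hits, missing_sbom


if __name__ == "__main__":
    affected, unknown = affected_assets(LOG4J_ADVISORY, ASSET_INVENTORY, SBOM_DOCUMENTS)
    for hit in affected:
        print(f"{hit['asset_id']} ({hit['criticality']}): {hit['component']}")
    for asset_id in unknown:
        print(f"{asset_id}: no SBOM on file, request one from the vendor")
```

The ordering of the result is the prioritization step the article describes: the high-criticality historian comes out first even though the kiosk carries an older library, and the RTU with no SBOM is reported separately rather than silently treated as unaffected, which is the gap the Log4j experience exposed.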

Fortress is a recognized expert in the cybersecurity field and can provide solutions to your company’s SBOM and HBOM needs and beyond. Our platform makes it easy to collect data you can use to protect your most critical assets.

Get started with an SBOM today.