Exploring SBOMs and Software Escrow: Strategies for Securing OT Supply Chains
“Timely and secure information sharing can bridge the gap between vulnerability and security.”
This was a key message from a webinar on ICS & OT Supply Chain Risk Management presented by Information Security Media Group. The webinar discussed how Industrial Control Systems (ICS) and Operational Technology (OT) can be particularly vulnerable to supply chain risks. In addition, it explained how today’s trend toward greater information sharing – including software-related information sharing – is especially relevant for critical infrastructure.
One way to mitigate these risks is by sharing information with a Software Bill of Materials (SBOM) to help navigate real-world attacks and the state of an organization’s operational security. We’ll look at SBOMs, and the closely related software escrow agreements, to understand how they can help lessen supply chain risk – protecting business-critical applications from both cyber risk and vendor failure or lack of support.
Supply chain risk and the ability to respond
Supply chain attacks were one of the top three types of cyberattacks to increase, according to recent NCC Group research. Concerningly, the survey of approximately 1,400 cyber-security decision-makers at large companies found that only one in three (32%) respondents were “very confident” that they could respond quickly and effectively to a supply chain attack.
The survey uncovered that there is significant confusion among organizations about whether a company or its suppliers are responsible for keeping supply chains secure. Around one-third (36%) of respondents said that their company is more responsible for preventing, detecting, and resolving supply chain attacks than their suppliers, while just over half (53%) said that their company and its suppliers are equally responsible for the security of supply chains. This level of confusion can leave companies vulnerable, thinking that someone else is responsible for supply chain security.
“One of the reasons to focus on industrial control system supply chain attacks and their supply chain effects is that there is lateral movement possible from IT to OT networks,” states Gonda Lamberink, VP of critical manufacturing solutions at Fortress Information Security, one of the webinar speakers. She goes on to explain, “Software supply chain has been discussed a lot as being more of an attack factor … supply chain partners may not have the same level of security controls or resources in place, and therefore form a weak link.”
Software vendor risk is an issue that goes far beyond cyber-resilience and needs to consider overall resilience. This overall resilience can be gained with SBOMs, as well as software escrow agreements supported by verification services.
What is a software bill of materials (SBOM)?
A Software Bill of Materials, or SBOM, is a “formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product,” according to the NIST glossary.
The definition from the US Cybersecurity and Infrastructure Security Agency (CISA) further explains that “a software bill of materials has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components.”
The webinar explains that SBOMs have long been used in the manufacturing space to define how a product is manufactured. It’s really just a list of ingredients, but not knowing what’s in our software can bring eye-opening risks. Connecting the dots between the SBOM and the assets and the suppliers requires holistic visibility and the ability to execute a risk reduction strategy.
New US regulations require SBOMs for Department of Defense and Department of Energy contracts
The US government has embraced SBOMs in response to cyberattacks like Log4Shell. The Biden administration has worked closely with security experts, as well as CISA, to produce government resources and legislation intended to improve the United States’ security posture, according to Security Boulevard.
On August 17, 2022, the US House of Representatives passed H.R. 7900 – National Defense Authorization Act for Fiscal Year 2023. Section 6722 of this Act states that all organizations seeking to conduct business with either the Department of Defense (DoD) or the Department of Energy (DoE) are now required to provide a Software Bill of Materials (SBOM) for every new and existing software contract.
How can SBOMs help mitigate risk?
SBOMs are useful for software developers and manufacturers, buyers, and operators according to a GCN article that explains the US Executive Order on Improving the Nation’s Cybersecurity. “An SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities,” the order states. “Buyers can use an SBOM to perform vulnerability or license analysis … and those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability.” The biggest value comes when SBOMs are stored collectively in a repository that many applications and systems can query, the order adds.
Currently, organizations looking to find and manage vulnerabilities check the National Vulnerability Database for Common Vulnerabilities and Exposures, but without an SBOM, they have no way to identify the components of a software package. SBOMs would provide a way to track software dependencies across supply chains, manage vulnerabilities and anticipate emerging risks.
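As an added example (not part of the original article or of NCC Group's tooling), the following Python walks a constructed CycloneDX-style SBOM, including a nested component, and matches each component's package URL and version against a constructed advisory feed with placeholder IDs. It shows the kind of query an operator can only run once an SBOM exists; the component names, versions, purls and ranges are all invented for illustration.

```python
import json
from typing import Dict, Iterator, List, Optional

# Constructed CycloneDX-style SBOM with one nested component; not a real inventory.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "logging-lib", "version": "2.14.1",
     "purl": "pkg:maven/example/logging-lib@2.14.1"},
    {"type": "application", "name": "hmi-agent", "version": "3.2.0",
     "purl": "pkg:generic/example/hmi-agent@3.2.0",
     "components": [{"type": "library", "name": "tls-lib", "version": "1.0.4",
                     "purl": "pkg:generic/example/tls-lib@1.0.4"}]},
    {"type": "library", "name": "logging-lib", "version": "2.17.1",
     "purl": "pkg:maven/example/logging-lib@2.17.1"}
  ]
}"""

# Constructed advisory feed with placeholder IDs (no real CVEs). Each entry is keyed
# by a version-less purl plus an [introduced, fixed) range, as OSV/NVD-style data is.
VULN_FEED = [
    {"id": "CVE-0000-0001 (placeholder)", "purl": "pkg:maven/example/logging-lib",
     "introduced": "2.0.0", "fixed": "2.17.1"},
    {"id": "CVE-0000-0002 (placeholder)", "purl": "pkg:generic/example/tls-lib",
     "introduced": "1.0.0", "fixed": "1.0.5"},
]

def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; real ecosystems need their own ordering rules."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed))

def walk_components(components: list) -> Iterator[dict]:
    for comp in components:  # descend into the nested inventory recursively
        yield comp
        yield from walk_components(comp.get("components", []))

def match_sbom(sbom_json: str, feed: List[dict]) -> Dict[str, List[str]]:
    """Map each affected component purl to the advisory IDs that apply to it."""
    findings: Dict[str, List[str]] = {}
    for comp in walk_components(json.loads(sbom_json).get("components", [])):
        base_purl = comp["purl"].rsplit("@", 1)[0]  # assumes no purl qualifiers
        for vuln in feed:
            if vuln["purl"] == base_purl and is_affected(
                    comp["version"], vuln["introduced"], vuln.get("fixed")):
                findings.setdefault(comp["purl"], []).append(vuln["id"])
    return findings
```

Only the two components inside the affected ranges are reported; the copy of logging-lib at the fixed version and the nested application itself are not.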
What is a Software Escrow Agreement?
A software escrow agreement is similar to an SBOM in concept. With a software escrow agreement, the software supplier periodically deposits a copy of the software source code and associated materials for secure storage with a neutral, third-party escrow agent. This applies to both on-premises software and Software-as-a-Service (SaaS). The deposited materials are updated at regular agreed-to intervals and verified to make sure that the source code held in escrow is always up to date and reflects the current version of the software application.
The escrow agent, such as NCC Group, ensures that the material can be accessed and released should the need arise. In the event of an escrow release, the software customer can then maintain the software, working from the original source code, whether that be in-house or by engaging with another supplier. However, since the source code is the software developer’s intellectual property (IP), it is never released unless pre-determined conditions are met.
Software escrow provides assurance that the source code and data behind critical applications are secure, and always available. This lets businesses protect their IT investments, manage third-party risk, and maintain the software application in the event of software supply-chain disruption. Cloud, software, and technology escrow solutions can offer legal, technical, and proportional assurance to firms in dealing with their third-party suppliers, particularly where they embrace the concept of “Resilience by Design.” Escrow agreements and verification services act as a technical insurance policy and business continuity strategy, safeguarding the long-term availability of business-critical technologies and applications while protecting intellectual property.
Our perspective is that a software escrow agreement with verification services can effectively supplement an SBOM, with even greater resiliency. As a part of the NCC Group verification process, all of the services, suppliers, and hardware are detailed – essentially producing a very detailed SBOM.
So, how can SBOMs and Software Escrow work together?
As SBOMs gain traction as an important element in software security and software supply chain risk management, it makes sense that the SBOM – that list of ingredients – is enhanced by a software escrow agreement and securely stored in a software escrow account that is automated and administered by a neutral third party. This does several things:
Source code can add to the value of the SBOM
In addition to the nested inventory of ingredients that make up software components, the actual source code would add immeasurable value for business-critical software applications.
An escrow agreement protects the software developer’s IP
The SBOM would be kept and administered by an escrow agent, a neutral third party who would not release it unless pre-determined conditions are met. This gives the software developer assurances when sharing their software source code.
It formalizes and automates the deposit process
With an escrow agreement, a regular, formalized deposit process is put into place and the process is automated to make certain that the source code and materials are kept up to date.
Verification ensures that the software works as intended
There are several different options for software escrow verification to test the source code and material to ensure it is correct, complete, and can be rebuilt into the working application.
Secure storage is essential
Either physical or virtual vaults need to be managed with the utmost security.
As organizations and governments continue to explore ways to make supply chains more secure, combining the idea of SBOMs with software escrow is a new approach that can bring a multitude of benefits.
If an SBOM is a required part of a procurement process, you can elevate the usefulness of that safeguard beyond just cybersecurity. By pairing the SBOM with a cost-effective software escrow agreement, companies can expand their overall resilience by adding protections against the failure of their software developer.