
SBOMs and the Hunt for Software Supply Chain Vulnerabilities

Daniel Trivellato, VP Product & Engineering | December 12, 2022

Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a longstanding, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.

That’s an excerpt from the fact sheet accompanying the May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO). It refers to one of seven ambitious measures in the EO: shoring up security of that notorious playground for hackers, the software supply chain. Knowing that organizations lack visibility into the components that comprise their connected assets, bad actors can have a field day exploiting vulnerabilities to penetrate networks and take control.

Simply stated, the software supply chain refers to all code, binaries or components that go into a piece of software to make it run. More fully, it refers not only to those elements but to anything that touches them at any point, including who wrote the code, how it was tested for security issues, supported versions, license information and so on. If a software dependency has a vulnerability, the software that embeds it usually inherits that vulnerability, although whether it is actually exploitable depends on how the vulnerable code is reached in the finished product.

In practice, the software supply chain is dominated by reusable open-source and third-party components, which are ubiquitous in software development. Using them requires less effort, saves time, reduces cost and typically leads to higher-quality products. Without transparency into reusable components, however, it’s impossible to understand and mitigate their risk, especially before they become embedded in a new product. It’s no surprise that the call for a standard software bill of materials, or SBOM, is gaining momentum.

What is an SBOM?

An SBOM is a key building block for improving software security and risk management, particularly supply chain risk. It’s a nested inventory of all the code dependencies used to build a software product, including open source and third-party components, their licenses and versions, and the dependency relationships between them. An SBOM does not itself record patch status; that comes from matching the listed versions against vulnerability data and vendor advisories. Many software vendors already provide SBOMs for their products, and there are many commercial SBOM generators on the market, as well as maturing exchange formats such as SPDX and CycloneDX. The energy, healthcare and automotive sectors are advancing with industry-specific proof of concept trials, and the Linux Foundation recently released a status report showing steady progress.
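To make the “nested inventory” concrete, here is an added example (not code from Forescout or from any SBOM tool) that parses a small CycloneDX-style SBOM, walks its dependency graph to find the path by which each transitive component enters the product, and matches component versions against a list of advisories. The SBOM document, the component names, the `bom-ref` identifiers and the advisory entries are all constructed for illustration and are hypothetical; the version-range comparison is a simplification that handles only numeric dotted versions.

```python
"""
Added example: resolve transitive dependencies in a CycloneDX-style SBOM and
match component versions against vendor advisories. The SBOM and advisories
below are constructed for illustration; names and identifiers are hypothetical.
"""
import json

# Constructed SBOM in the CycloneDX 1.4 JSON shape (subset of fields).
# The firmware depends on an RTOS, which bundles a TCP/IP stack, which in turn
# pulls in a DNS client: the kind of nesting an SBOM is meant to expose.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "pkg:generic/patient-monitor-fw@3.2.0",
                              "name": "patient-monitor-fw", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "pkg:generic/rtos-kernel@2.1.0", "name": "rtos-kernel", "version": "2.1.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:generic/tcpip-stack@4.3.1", "name": "tcpip-stack", "version": "4.3.1",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"bom-ref": "pkg:generic/dns-client@1.0.4", "name": "dns-client", "version": "1.0.4"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/patient-monitor-fw@3.2.0", "dependsOn": ["pkg:generic/rtos-kernel@2.1.0"]},
    {"ref": "pkg:generic/rtos-kernel@2.1.0", "dependsOn": ["pkg:generic/tcpip-stack@4.3.1"]},
    {"ref": "pkg:generic/tcpip-stack@4.3.1", "dependsOn": ["pkg:generic/dns-client@1.0.4"]},
    {"ref": "pkg:generic/dns-client@1.0.4", "dependsOn": []}
  ]
}
"""

# Constructed advisories (hypothetical): component name, first affected
# version (inclusive), first fixed version (exclusive), advisory identifier.
ADVISORIES = [
    ("tcpip-stack", "4.0.0", "4.3.2", "ADV-EXAMPLE-1"),
    ("dns-client", "1.0.0", "1.0.4", "ADV-EXAMPLE-2"),  # 1.0.4 is the fixed release
]


def parse_version(v):
    """Turn a numeric dotted version into a comparable tuple (simplification)."""
    return tuple(int(p) for p in v.split("."))


def load_sbom(text):
    """Return (root bom-ref, components keyed by bom-ref, dependency graph)."""
    doc = json.loads(text)
    components = {c["bom-ref"]: c for c in doc.get("components", [])}
    root = doc["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    return root["bom-ref"], components, graph


def dependency_paths(root, graph):
    """Map every reachable bom-ref to the first path from the root that introduces it."""
    paths = {root: [root]}
    stack = [root]
    while stack:
        ref = stack.pop()
        for dep in graph.get(ref, []):
            if dep not in paths:  # first path wins; also terminates on cycles
                paths[dep] = paths[ref] + [dep]
                stack.append(dep)
    return paths


def match_advisories(components, advisories):
    """Return (bom-ref, advisory id) for every component inside an affected range."""
    findings = []
    for ref, comp in components.items():
        ver = parse_version(comp["version"])
        for name, lo, hi, adv in advisories:
            if comp["name"] == name and parse_version(lo) <= ver < parse_version(hi):
                findings.append((ref, adv))
    return findings


def assess(sbom_text, advisories):
    """Combine matching with the dependency path so a finding says where it came from."""
    root, components, graph = load_sbom(sbom_text)
    paths = dependency_paths(root, graph)
    return [
        {"component": ref, "advisory": adv,
         "path": [components[r]["name"] for r in paths.get(ref, [ref])]}
        for ref, adv in match_advisories(components, advisories)
    ]


if __name__ == "__main__":
    for finding in assess(SBOM_JSON, ADVISORIES):
        print(f"{finding['advisory']}: {finding['component']} via {' -> '.join(finding['path'])}")
```

Run as written, the only finding is the TCP/IP stack, reported with the path `patient-monitor-fw -> rtos-kernel -> tcpip-stack`; the DNS client is not flagged because 1.0.4 is the first fixed version and the range check is exclusive on the upper bound. That path is the point: without the `dependencies` section of the SBOM, a device owner would see only the firmware version and have no way to know a third-level component is affected.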

Widespread adoption of standardized SBOMs would allow developers, vendors, customers, researchers and regulators to quickly identify, trace, communicate and, ideally, mitigate risk. Meanwhile, two asset categories with particularly high supply-chain-component risks are operational technology (OT) and the Internet of Medical Things (IoMT).

Exposing insecure-by-design practices in OT

Supply chain vulnerabilities are especially problematic in OT systems that control critical infrastructure or manufacturing processes, where cybersecurity often remains an afterthought. Traditionally, OT assets were never connected, so they were not built with security or even integrity in mind. Adding security later can be exceptionally difficult. Vulnerable, critical and unsupported OT legacy systems may not accommodate an agent or be patchable. As a result, managing OT security and operational risk relies heavily on access control, segmentation and monitoring the network for anomalous behavior so you can isolate potential issues.

It’s been 10 years since Project Basecamp, an investigation into OT devices and protocols whose researchers coined the term “insecure by design.” With OT:ICEFALL, Vedere Labs demonstrates how little progress has been made in the last decade, largely due to the “opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications.” Some leading manufacturers are finally implementing “secure-by-design” principles in newer technology, but mandatory SBOMs would help speed reform and penetrate supply-chain opacity.

That opacity also impedes the CISA coordinated vulnerability disclosure (CVD) process. Take this example: In the absence of an SBOM, Vedere Labs researchers have had to track down manufacturer employees on LinkedIn to find someone to notify of a vulnerability in a third-party component used in their products. Even when we’re successful, we find that most manufacturers lack a process to address supply chain vulnerabilities, and those vulnerabilities accumulate across product lines.

The PATCH Act: A panacea for medical device/IoMT security?

Medical devices and IoMT are another category impacted by supply chain vulnerabilities, one with especially high stakes. If a device is hacked, patients’ personal health information (PHI) could be stolen or, worse yet, an implanted medical device could be ransomed. As the use of healthcare wearables from fitness trackers to biosensors increases, so do the risks of cyberattack.

Two recent examples of IoMT supply chain risks are:

  • Access:7 – Seven supply chain vulnerabilities impacting medical and IoT devices that, if exploited, could enable hackers to remotely execute malicious code, access sensitive data or alter device configurations
  • NUCLEUS:13 – Thirteen vulnerabilities affecting the Nucleus TCP/IP stack used in safety-critical devices such as anesthesia machines and patient monitors

These and other events have caught the attention of Congress. In March, the House and Senate introduced companion bills intended to significantly improve security and safety for medical devices: The Protecting and Transforming Cyber Health Care Act, or PATCH Act (S.3983/H.R. 7084). The bill establishes minimum cybersecurity requirements for the pre-market and post-market phases of a medical device’s lifecycle and codifies some of the non-binding FDA guidance on medical device cybersecurity dating back to 2016. Namely, it puts the onus on device manufacturers to secure their products – not consumers, providers or regulators – and requires them to implement secure-by-design principles, supply SBOMs for their products and implement a plan to address vulnerabilities.

The PATCH Act isn’t expected to pass in 2022 so will need to be reintroduced with the 118th Congress. Still, it sends manufacturers another clear signal that SBOMs are coming soon.

Secure everything you can see

SBOMs are a key building block for improving software security and risk management, but they are not a silver bullet, nor are they foolproof. Generating a complete and accurate SBOM that can be readily updated is hard: an SBOM derived from build metadata is only as good as that metadata, transitive and vendored dependencies are easy to miss, and an SBOM reconstructed from a compiled firmware image by binary analysis is often incomplete. For now, securing everything that you can see is your best line of defense.

Forescout continuously discovers, classifies and assesses all IP-connected assets – IT, IoT, IoMT and OT – in your digital terrain, from campus to data center to edge. We use over 20 monitoring techniques that leverage deep integration with leading IT and OT network switches, routers, wireless access points, firewalls, VPN concentrators and data center and cloud solution providers. Together, they discover what type of device is connecting, where and how it’s connecting, and who is using it.

Using this information, we continuously assess each asset to understand:

  • Is it running an approved operating system, with the latest OS patches?
  • Is antivirus software installed, operational and up to date with the latest signatures?
  • Are any devices running unauthorized applications or processes?
  • Are devices using default or weak passwords, a particular risk for IoT devices?
  • Have rogue devices been detected, including those impersonating legitimate devices via spoofing techniques?
  • Which of the connected devices are most vulnerable to the latest threats?

Today, this is state-of-the-art visibility. Without SBOMs, however, no platform can detect the supply chain risk for every component of every asset in your network. Ideally, you need to know not just what assets are running on your network but what’s running on those assets. As we wait for that gap to close, our researchers and threat hunters will continue to leverage our device cloud to discover supply chain vulnerabilities, track CVEs and help customers match their asset inventories with vendor advisories.

Read how Vedere Labs researchers discovered OT:ICEFALL – a set of 56 supply chain vulnerabilities caused by insecure-by-design practices that persist without SBOMs.