The Power of SBOMs: Building Resilience in Our Critical Infrastructure

As a member of the PCAST Working Group on Cyber-Physical Resilience, I was involved in crafting the recent report outlining crucial steps to fortify the intricate systems that underpin our daily lives. One of our key recommendations, “Recommendation 4B: Promote Supply Chain Focus & Resilience by Design,” highlighted the role of Software Bill of Materials (SBOMs) in achieving this goal.

The report champions an “80/20” approach, where we prioritize securing the 20% of technology most critical for mitigating risks across 80% of systems. This targeted approach emphasizes the importance of strategic effort allocation.

Now, let’s delve into how SBOMs fit into this equation.

The widespread adoption of SBOMs offers a powerful tool for identifying and managing vulnerabilities across various critical infrastructure sectors. Many software applications, including those used in critical infrastructure, rely on open-source libraries and frameworks. SBOMs provide transparency into these shared components, enabling stakeholders to identify and address known vulnerabilities across different sectors. For example, the popular logging library “Log4j” was found to have a critical vulnerability. SBOMs helped identify systems across healthcare, finance, and transportation sectors that used this library, allowing for a coordinated and swift patching effort.

In the context of critical infrastructure, an SBOM provides a clear picture of the software components within a system, including their origin, function, and potential vulnerabilities. This transparency empowers stakeholders to:

* Identify and Address Risks: By understanding the software components used, vulnerabilities within the supply chain can be readily identified and addressed. This proactive approach minimizes the attack surface and mitigates potential security breaches.

* Enhance Collaboration: SBOMs facilitate collaboration between critical infrastructure owners, service providers, and technology vendors. By sharing this information, stakeholders can work together to identify and address vulnerabilities more efficiently.

* Promote Security-by-Design: With a clear understanding of the software components involved, stakeholders can encourage the adoption of secure coding practices and implement security measures throughout the development lifecycle.

The PCAST report encourages collaboration between CISA, Sector Risk Management Agencies (SRMAs), and Sector Coordinating Councils (SCCs) in identifying key technology providers and vendors within each critical infrastructure sector. This collaborative effort and widespread adoption of SBOMs can lay the foundation for a long-lasting commitment to cyber-physical resilience.

By embracing these recommendations and fostering a culture of transparency and collaboration through the use of SBOMs, we can significantly enhance the resilience of our critical infrastructure and safeguard the essential services we rely on daily.

‍Dr. Georgianna Shea is the chief technologist of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD).