Many people are unaware of this, but there are trillions of lines of software code out there, present in almost every conceivable type of product or device, helping us live better lives, work more efficiently, and contribute to a better world.
A single strategically executed cyberattack could disrupt everyday life and result in billions of dollars in lost revenue and business recovery costs. Recent events such as the SolarWinds, Apache Log4j software library, and OpenSSL vulnerabilities have proven that such an attack is a real possibility.
Schneider Electric, as a leader in integrated energy management and industrial automation solutions, cares deeply about preventing those kinds of attacks from happening on our systems – or on our customers’. That’s why securing our supply chain – using a secure-by-design approach from development to manufacturing and commissioning to operations and maintenance – is a key part of our security posture as outlined in our Trust Charter. It’s also why securing our software supply chain is an equally important part of our security posture – and why, in early 2021, we created a policy that requires software bill of materials (SBOMs) for every product we release.
SBOMs: A missing link in supply chain security
An SBOM, according to U.S. Executive Order 14028, is “a formal record containing the details and supply chain relationships of various components used in building software.” Even though this executive order was issued in 2021, SBOMs are still often overlooked or ignored today, both in the U.S. and around the globe.
However, SBOMs provide comprehensive information – such as data on proprietary, third-party, and open-source components and libraries, as well as code dependencies, licensing, and provenance – that contributes significantly to:
- Regulatory compliance: Executive Order 14028 requires U.S. federal agencies to enhance cybersecurity and software supply chain integrity by requesting SBOMs from the companies they do business with. As an example, Schneider Electric is required to have SBOMs for its products in the U.S. Department of Energy Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program. The European Union is in the process of implementing the Cyber Resilience Act (CRA), which will include a requirement for SBOMs that will go into effect in early 2027.
- Procurement requirement: It is becoming more common for companies to require SBOMs in contracts as a basic requirement. They can also help validate a vendor’s maturity, transparency, and cybersecurity responsibility in a competitive procurement process.
- Internal compliance: Many companies, like Schneider Electric, produce SBOMs as required by internal secure development lifecycle policies and to enhance ISA/IEC 62443-4-1 certifications.
- Risk mitigation: SBOMs can reveal subcomponents within a product that carry unwanted risk because of a vulnerability published through the Common Vulnerabilities and Exposures (CVE) program. Identifying these proactively can help reduce future risks and unwanted consequences.
- Accelerated vulnerability management: Risk remediation can be accelerated when companies leverage the information in their SBOM inventory. For instance, Schneider Electric’s SBOMs were helpful during the Log4j and OpenSSL vulnerability events: they helped us quickly identify potentially affected products so we could release customer security advisories in a timely manner.
The time is now for enhancing customer trust with SBOMs
Because of our early involvement with the global SBOM movement and governmental policies, Schneider Electric now has processes in place that allow us to share SBOMs easily and quickly with our customers and asset owners upon request.
If you are considering putting an SBOM program in place, here are a few of the best-practice steps that we have followed:
- Make SBOMs a policy requirement: Building a repository of SBOMs for a company’s past and present product offerings will take time, but with a policy in place, it won’t be long before a robust inventory of them is built.
- Develop a process for older, mature solutions: While SBOMs are relatively new, many industrial systems are not. Legacy systems were installed 10 to 20 years ago, before SBOMs were even a thought, but today there are binary analysis tools that can create SBOMs for these older systems through a relatively easy scanning process.
- Build a storage system: There are also solutions that help effectively manage, store, analyze, and track SBOMs. This is vital for a company like Schneider Electric that has an inventory of thousands of SBOMs.
- Provide easy accessibility for customers: SBOMs are often requested during a contractual process or when an asset owner is performing risk management activities. In these cases, SBOMs need to be shared securely, so it’s wise to create a process to deliver them upon request. Schneider Electric considers our SBOMs to be intellectual property, so we require a mutual non-disclosure agreement (NDA) to be in place before providing access to them. Our SBOM sharing portal allows asset owners to retrieve SBOMs in either of the two machine-readable SBOM formats: CycloneDX or SPDX.
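The kind of lookup the Log4j and OpenSSL events called for, using the CycloneDX format named above, as an added example that is not Schneider Electric’s own tooling: the SBOM, the advisory (with a placeholder identifier) and the version range are all constructed for illustration.

```python
"""Query a CycloneDX SBOM for components that fall in an advisory's vulnerable range."""
import json

# Constructed CycloneDX 1.4 JSON SBOM for a hypothetical product (not a real vendor SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-gateway", "version": "3.2.0"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "openssl", "version": "1.1.1q",
     "purl": "pkg:generic/openssl@1.1.1q"}
  ]
}
"""

# Constructed advisory: placeholder id, affected coordinates, vulnerable range [introduced, fixed).
ADVISORY = {
    "id": "CVE-YYYY-NNNNN (placeholder)",
    "group": "org.apache.logging.log4j",
    "name": "log4j-core",
    "introduced": "2.0",
    "fixed": "2.17.1",
}


def version_key(version):
    """Comparable tuple for dotted versions; non-numeric segments compare as 0."""
    parts = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def affected_components(sbom_json, advisory):
    """Return (product, purl) pairs for SBOM components inside the advisory's range."""
    bom = json.loads(sbom_json)
    product = bom.get("metadata", {}).get("component", {}).get("name", "unknown")
    low, high = version_key(advisory["introduced"]), version_key(advisory["fixed"])
    hits = []
    for comp in bom.get("components", []):
        # Match on group + name, then check the version falls in [introduced, fixed).
        if comp.get("group") != advisory["group"] or comp.get("name") != advisory["name"]:
            continue
        if low <= version_key(comp["version"]) < high:
            hits.append((product, comp["purl"]))
    return hits


if __name__ == "__main__":
    for product, purl in affected_components(SBOM_JSON, ADVISORY):
        print(f"{ADVISORY['id']}: {product} ships {purl}")
```

Run across an inventory of SBOMs, the same function yields the product list an advisory team needs before drafting customer notifications.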
Take an important step towards a safer and more secure world
While SBOMs may be in their infancy, software supply chain security is evolving quickly in response to sophisticated threat actors who are constantly trying to find new ways to exploit software code.
Schneider Electric believes that SBOMs can play a significant role in protecting the products and services that are vital to everyday life. For our company, SBOMs are another way we are enhancing the trust in our solutions that we continually strive to earn from our customers.