March 4, 2022

Digital BOM Combines Hardware and Software To Secure Supply Chains

By Mark Canel, Vice President of Strategy and Business Development, Imagination

The world has changed. Cyberattacks have become the norm rather than the exception. They target hospitals, industrial installations, consumer goods. They cause considerable economic damage. They disrupt the safety and the security of millions of people. They bring high returns to the perpetrators.


Governments are starting to recognize the problem of cybersecurity, and they are issuing mandates to prevent attacks from taking hold within device ecosystems. The single major issue across industries is the fragmentation of the supply chain. Most of the time it is quasi-impossible for a major services provider, such as an airport or a port authority, to know the provenance of the sub-elements of the devices that it manages.


The directive of the US government on the SBOM is a step in the right direction. It defines the SBOM as a formal record containing the details and supply chain relationships of the various components used in building software. Many of the use case benefits center around tracking known or newly identified vulnerabilities, but the SBOM can also support use cases around license management and software quality and efficiency. It can lay the foundation to detect software supply chain attacks.


Beyond the software, there is also the issue of the hardware. It is the root of the system. When we integrate hardware and software, we need to consider the Digital BOM, which is the combination of the hardware BOM and the software BOM. It is the combination of these two records that gives the full view of the system: the system is the integration of the hardware and the software. The actors in both supply chains need to be traced to ensure the security and safety of the complete system.


Unfortunately, the device industry is characterized by the fragmentation of its supply chains. The lack of consistent identity schemes for IoT devices is driving leading services providers to build walled gardens. The services providers rely on the devices to take actions based on the data those devices generate. For example, industrial plants and utilities rely on the readings of temperature sensors to control the operations and output of power plants. However, given the multitude of sensor providers, it is a challenge to ensure that all the data readings come from genuine devices that have not been hacked. When data generated by devices is not tagged with an identifier, its trustworthiness is degraded, and the operations of the system are less trustworthy.


Common schemes to identify devices, bind them dynamically to applications and manage them during their lifecycle are required. The Digital BOM, based upon the hardware BOM and the SBOM, is key to having a full and accurate picture of an IoT system. This concept is also applicable to the automotive industry. Collaboration based upon the hardware and software BOMs removes inefficiencies in the supply chains. It also adds transparency. It enhances security for the parametrization and authentication of the IoT devices. It enables competition and creates opportunities across markets and supply chains for all participants in the IoT market.
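To make the two preceding ideas concrete, the combined hardware-plus-software record and the identifier-tagged sensor data, here is an added toy example that is not part of the original article or any Imagination product. The component names, versions, suppliers and the device key are constructed for illustration; the flagged library version stands in for any component a vulnerability notice might name. The Digital BOM is modelled as one containment tree holding both hardware and software components, so a query about a software library can be traced back through the chip and board it sits on, and a per-device key (here a plain dict standing in for a key held in a secure element) lets a services provider reject readings that do not carry a valid device tag.

```python
"""Toy Digital BOM (hardware BOM + SBOM in one record) with a device-identity check.

Added example with constructed data; not a real product's BOM or key material.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str
    kind: str  # "hardware" or "software"


@dataclass
class DigitalBOM:
    device: str                                    # root component name
    components: dict = field(default_factory=dict)  # name -> Component
    contains: dict = field(default_factory=dict)    # parent name -> set of child names

    def add(self, comp, parent=None):
        """Register a hardware or software component under its parent."""
        self.components[comp.name] = comp
        self.contains.setdefault(comp.name, set())
        if parent is not None:
            self.contains.setdefault(parent, set()).add(comp.name)

    def suppliers(self):
        """Every actor in either supply chain, which is what the combined record exposes."""
        return sorted({c.supplier for c in self.components.values()})

    def path_to(self, target):
        """Chain of containing components from the device root down to `target`."""
        def walk(node, path):
            path = path + [node]
            if node == target:
                return path
            for child in self.contains.get(node, ()):
                found = walk(child, path)
                if found:
                    return found
            return None
        return walk(self.device, [])


def build_sample_bom():
    """Constructed sample: a temperature sensor unit with hardware and software sub-elements."""
    bom = DigitalBOM("temp-sensor-unit")
    bom.add(Component("temp-sensor-unit", "rev-B", "Sensor Maker Ltd", "hardware"))
    bom.add(Component("mcu-soc", "2.1", "Chip Vendor Inc", "hardware"), parent="temp-sensor-unit")
    bom.add(Component("secure-element", "1.0", "Crypto IP Co", "hardware"), parent="mcu-soc")
    bom.add(Component("rtos", "4.2.0", "RTOS Project", "software"), parent="mcu-soc")
    bom.add(Component("tls-lib", "1.3.7", "Open TLS Project", "software"), parent="rtos")
    bom.add(Component("sensor-firmware", "0.9", "Sensor Maker Ltd", "software"), parent="temp-sensor-unit")
    return bom


def affected_path(bom, component_name, flagged_version):
    """If the flagged component/version is present, return the hardware/software chain it sits in."""
    comp = bom.components.get(component_name)
    if comp is None or comp.version != flagged_version:
        return None
    return bom.path_to(component_name)


# Device identity: each reading is tagged with a keyed MAC under a per-device key.
# The dict stands in for a key provisioned into the device's secure element (constructed value).
DEVICE_KEYS = {"temp-sensor-unit#0001": b"constructed-demo-key-0001"}


def tag_reading(device_id, reading, key):
    """Device side: bind the reading to the device identity with HMAC-SHA256."""
    msg = f"{device_id}:{reading}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_reading(device_id, reading, tag, registry=DEVICE_KEYS):
    """Services-provider side: accept only readings from registered devices with a valid tag."""
    key = registry.get(device_id)
    if key is None:
        return False  # unknown device: untagged or unregistered data is not trusted
    expected = hmac.new(key, f"{device_id}:{reading}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    bom = build_sample_bom()
    print("suppliers:", bom.suppliers())
    print("tls-lib 1.3.7 sits in:", affected_path(bom, "tls-lib", "1.3.7"))
    dev, key = "temp-sensor-unit#0001", DEVICE_KEYS["temp-sensor-unit#0001"]
    tag = tag_reading(dev, "21.5", key)
    print("genuine reading accepted:", verify_reading(dev, "21.5", tag))
    print("tampered reading accepted:", verify_reading(dev, "99.0", tag))
```

The point of keeping hardware and software in one tree is visible in `affected_path`: a flagged TLS library is reported together with the RTOS, SoC and board it ships on, so both the software supplier and the hardware suppliers on that path can be contacted. `verify_reading` shows the other half of the argument: a reading without a valid identity tag, or from a device not in the registry, is simply not accepted as input to plant operations.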

Users of the devices and consumers of the services that they generate benefit from the identity schemes that track the devices and their sub-elements throughout the life of the device. The services providers have robust and standardized models by which to identify devices and their blocks of IP. They can authenticate the data generated by the devices. The services are built on trustworthy systems that can be securely managed throughout their life and provide continuous assurance.


On the subject of SBOM, Device Authority also recently teamed up with Jitsuin to look into what the Executive Order means, what you need to do to be compliant and how it will bring trust and transparency to all digital infrastructure. Watch the video to find out more.



Claire Tennant