Written by Rob Dobson
In May 2021 President Joe Biden issued Executive Order 14028, “Improving the Nation’s Cybersecurity”, to support and protect the nation’s critical infrastructure and Federal Government networks. The EO called out a number of key focus areas including:
This directly relates to trustworthiness and transparency in ALL digital infrastructure – IT, OT, IoT, IIoT. Anything that runs software is in scope – cloud services, on-prem application servers and connected things – all systems that provide critical functions. A big part of enhancing the security of the software supply chain is focused on the Software Bill of Materials (SBOM) and sharing it with those that need to know, providing clear visibility of what software is running across the supply chain.
Fast forward 18 months and the EU has set out its Cyber Resilience Act proposal, which introduces mandatory cybersecurity requirements for hardware and software products throughout their whole lifecycle. In a nutshell this Act sets out to:
There are some very similar concepts between EO 14028 and the EU Cyber Resilience proposal, both focusing on any product with a “digital element”. The proposal goes into some detail in its Annexes, covering 1) the security requirements for products with digital elements and 2) vulnerability handling requirements. In Annex 1, section 2 (Vulnerability handling) it calls out the following:
This is clearly driving SBOM concepts to improve software visibility, vulnerability management and remediation through the supply chain. There are standardized formats and tools to generate and communicate SBOMs (CycloneDX, SPDX etc.), and other tools and databases to share SBOMs and manage the vulnerabilities associated with them, including applying Vulnerability Exploitability eXchange (VEX) data so that a known vulnerability in a component is only acted on where it is actually exploitable in the product.
The requirement to remediate vulnerabilities without delay is an interesting one. Clearly, there isn’t one size fits all for this and there are a few options here:
In any deployment (IoT, IIoT etc.), remediating thousands of devices is a daunting challenge without automation. Imagine a high-risk CVE is identified that affects 50,000 devices connected to your infrastructure: it’s great that you now have visibility of this, but what do you do about it?
If remediation means temporarily suspending their access to critical infrastructure, then automation will help, i.e. revoking each device’s machine identity and credentials so that access is no longer authorized. But then what about the process of securely patching them and proving they are secure? To do this, and ultimately bring the 50,000 devices back online with new machine identities and credentials once the vulnerability has been addressed, security automation is vital.
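The two halves of this workflow, SBOM plus VEX triage (discussed above under the supply-chain requirements) and fleet-scale revocation and re-issuance of machine identities, can be wired together in a few dozen lines. The following is an added example, not code from this article or from any SBOM tool or identity product: it uses constructed CycloneDX-style SBOM and VEX documents, a constructed advisory feed with placeholder vulnerability IDs (real feeds carry CVE IDs), and a constructed device registry, all named as assumptions in the comments. The logic it shows is general: a vulnerability is only acted on where the component is present in the image’s SBOM and no VEX statement marks it as not exploitable; affected devices have credentials revoked; credentials are re-issued only when the firmware a device reports back maps to an SBOM that is clean.

```python
"""Added example: SBOM + VEX triage driving automated revocation / re-issuance of device credentials.

All data below is constructed for illustration (not real products, devices or CVEs).
"""
import copy

# Constructed CycloneDX-style SBOMs, one per firmware image. Only the fields this example reads are present.
SBOM_BY_FIRMWARE = {
    "fw-2.3.1": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "bom-ref": "pkg:generic/tls-lib@1.4.0", "name": "tls-lib", "version": "1.4.0"},
        {"type": "library", "bom-ref": "pkg:generic/mqtt-client@0.9.1", "name": "mqtt-client", "version": "0.9.1"},
    ]},
    "fw-2.4.0": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "bom-ref": "pkg:generic/tls-lib@1.4.2", "name": "tls-lib", "version": "1.4.2"},
        {"type": "library", "bom-ref": "pkg:generic/mqtt-client@0.9.1", "name": "mqtt-client", "version": "0.9.1"},
    ]},
}

# Constructed advisory feed: placeholder IDs (a real feed would carry CVE IDs) -> severity and affected component refs.
ADVISORIES = {
    "EXAMPLE-0001": {"severity": "high", "affects": ["pkg:generic/tls-lib@1.4.0"]},
    "EXAMPLE-0002": {"severity": "medium", "affects": ["pkg:generic/mqtt-client@0.9.1"]},
}

# Constructed CycloneDX-style VEX from the vendor: the mqtt-client issue is not reachable in this product.
VEX = {"bomFormat": "CycloneDX", "specVersion": "1.4", "vulnerabilities": [
    {"id": "EXAMPLE-0002",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:generic/mqtt-client@0.9.1"}]},
]}

# Constructed device registry: device id -> firmware it is running and credential state.
FLEET = {
    "dev-0001": {"firmware": "fw-2.3.1", "credential": "active"},
    "dev-0002": {"firmware": "fw-2.3.1", "credential": "active"},
    "dev-0003": {"firmware": "fw-2.4.0", "credential": "active"},
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# CycloneDX analysis states that mean "no action needed"; anything else (exploitable, in_triage, no statement) is acted on.
NOT_EXPLOITABLE = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def vex_state(vex, vuln_id, component_ref):
    """Return the VEX analysis state for (vuln, component); 'in_triage' when the VEX is silent."""
    for entry in vex.get("vulnerabilities", []):
        if entry.get("id") != vuln_id:
            continue
        refs = {a.get("ref") for a in entry.get("affects", [])}
        if not refs or component_ref in refs:  # a statement with no 'affects' applies to the whole product
            return entry.get("analysis", {}).get("state", "in_triage")
    return "in_triage"


def exploitable_vulns(sbom, advisories, vex, min_severity="high"):
    """Map vuln id -> component refs present in this SBOM that remain exploitable after applying VEX."""
    refs = {c.get("bom-ref") for c in sbom.get("components", [])}
    threshold = SEVERITY_RANK[min_severity]
    found = {}
    for vuln_id, adv in advisories.items():
        if SEVERITY_RANK[adv["severity"]] < threshold:
            continue
        hits = [r for r in adv["affects"]
                if r in refs and vex_state(vex, vuln_id, r) not in NOT_EXPLOITABLE]
        if hits:
            found[vuln_id] = hits
    return found


def affected_devices(fleet, sboms, advisories, vex, min_severity="high"):
    """Device ids whose current firmware SBOM carries an exploitable vulnerability at or above the threshold."""
    bad_firmware = {fw for fw, sbom in sboms.items() if exploitable_vulns(sbom, advisories, vex, min_severity)}
    return sorted(d for d, rec in fleet.items() if rec["firmware"] in bad_firmware)


def revoke_credentials(fleet, device_ids):
    """Revoke machine identities so the devices lose access; returns the number revoked."""
    for d in device_ids:
        fleet[d]["credential"] = "revoked"
    return len(device_ids)


def reissue_credential(fleet, device_id, reported_firmware, sboms, advisories, vex, min_severity="high"):
    """Re-enrol a device only if the firmware it now reports has an SBOM and that SBOM is clean."""
    if reported_firmware not in sboms:
        return False  # unknown image: no SBOM means no evidence, so no new credential
    if exploitable_vulns(sboms[reported_firmware], advisories, vex, min_severity):
        return False  # still exploitable: stays revoked
    fleet[device_id]["firmware"] = reported_firmware
    fleet[device_id]["credential"] = "active"
    return True


def remediation_run(fleet, sboms, advisories, vex, reported_upgrades):
    """One automated cycle: revoke every affected device, then re-issue to those reporting a clean image."""
    fleet = copy.deepcopy(fleet)  # work on a copy so callers keep their registry
    affected = affected_devices(fleet, sboms, advisories, vex)
    revoked = revoke_credentials(fleet, affected)
    reissued = [d for d in affected
                if reissue_credential(fleet, d, reported_upgrades.get(d, fleet[d]["firmware"]),
                                      sboms, advisories, vex)]
    return {"affected": affected, "revoked": revoked, "reissued": reissued, "fleet": fleet}


if __name__ == "__main__":
    # dev-0001 reports the patched image after revocation; dev-0002 never does and stays locked out.
    print(remediation_run(FLEET, SBOM_BY_FIRMWARE, ADVISORIES, VEX, {"dev-0001": "fw-2.4.0"}))
```

Two design points matter here. First, silence in the VEX is treated as “act on it”: a vulnerability with no statement is not assumed safe, which is the conservative default the “without delay” requirement pushes you towards. Second, re-issuance is gated on the SBOM of the firmware the device reports, not on the device merely checking in again, so the new credential is evidence of a clean image rather than of a reboot.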