
How Will SBOMs Help Secure the IoT Device Environment?

Understand, manage, and mitigate vulnerabilities in IoT devices with SBOMs (Software Bills of Materials).

January 11, 2024


In the fast-evolving IoT landscape, Michael Amiri from ABI Research unveils the key to securing IoT devices—Software Bills of Materials (SBOMs). Discover the why and how behind this essential cybersecurity strategy.

What Are SBOMs?

The landscape of the Internet of Things (IoT) is evolving rapidly: according to ABI Research forecasts, the installed base of connected devices will exceed 70 billion by 2026. While an increasingly connected world brings many comforts and benefits, including instant communications and enhanced convenience in everyday life, it also gives malicious actors opportunities to take control of these devices or to intercept data transmitted between devices, or between devices and back-end servers, the cloud, or databases. As with all connected technology adoption, emerging security and safety issues mean organizations need a cybersecurity strategy that protects their IoT devices, and the networks these devices use, against new threats.

The need for security in this threat environment is why Software Bills of Materials (SBOMs) are becoming integral to vulnerability management. The fundamental role of an SBOM is to provide a clear picture of a product's software supply chain. Given how much of today's IoT device software is built from open-source code, an SBOM supplies invaluable information about what that supply chain contains and where its vulnerabilities may lie. Think of an SBOM as the ingredient label on a food package: it lists what is in the software, including the libraries and other components, their versions, their suppliers, and how they depend on one another. That inventory can be matched against vulnerability advisories to decide what to update or patch. Just as a shopper checks a label for allergens before buying, IoT device users and Original Equipment Manufacturers (OEMs) can use SBOMs to inform purchasing decisions about devices and software components.

SBOMs and Software Security 

SBOMs are a crucial first step to gaining visibility into the complex IoT environment. The IoT device environment’s various operating systems, network protocols, software, firmware deployment, the support of legacy devices with life spans that last decades, and the onboarding of new connected devices all pose challenges to a streamlined security strategy. Moreover, in many cases, gaining insight into a device’s software composition is a difficult task because manufacturers do not always make that information available or are unaware of all their device software components due to the layered and open-source nature of software. Consequently, users and organizations could have difficulty building comprehensive inventories of devices and their composition. Generating SBOMs with sufficient depth and granularity is the first step in providing device software composition transparency and, therefore, better device security management.

Beyond the security advantages, software producers are increasingly subject to regulation as governments recognize the urgency of proactive threat management. In the United States, Executive Order (EO) 14028 of May 2021, widely known as the Cybersecurity EO, directs the U.S. Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), to publish the "minimum elements" for an SBOM, and directs federal software supply chain security guidance that includes providing purchasers an SBOM for each product. NTIA published the minimum elements (see the table below) in July 2021.

[Table: NTIA minimum elements for an SBOM (July 2021), in three categories: data fields (supplier name, component name, version of the component, other unique identifiers, dependency relationship, author of SBOM data, timestamp); automation support (machine-readable formats such as SPDX, CycloneDX, and SWID tags); and practices and processes (frequency, depth, known unknowns, distribution and delivery, access control, accommodation of mistakes).]

Source: NTIA
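The ingredient-label idea and the NTIA minimum elements are easiest to see with an SBOM in hand. The following Python script is an added example, not code from the article or from ABI Research: it loads a constructed CycloneDX 1.4 SBOM for a hypothetical IoT gateway firmware, reports which NTIA minimum data fields are missing, matches each component's package URL and version against a small constructed advisory feed, and uses the dependency relationships to say which product is exposed. The CVE-2021-44228 entry mirrors the public Log4Shell advisory (log4j-core 2.0-beta9 through 2.14.1, first fixed in 2.15.0); the OpenSSL entry, the serial number, and all component, supplier, and author names are placeholders.

```python
"""Consume a CycloneDX SBOM: check NTIA minimum data fields, then match
components against a vulnerability feed. Added example with constructed data."""
import json
from datetime import datetime

# Constructed sample: a CycloneDX 1.4 SBOM for a hypothetical IoT gateway
# firmware. Names, versions and the serial number are placeholders.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "metadata": {
        "timestamp": "2024-01-11T10:00:00Z",
        "authors": [{"name": "example-oem-sbom-tool"}],
        "component": {"type": "firmware", "bom-ref": "fw", "name": "gateway-fw",
                      "version": "3.2.0", "supplier": {"name": "Example OEM"}},
    },
    "components": [
        {"type": "library", "bom-ref": "log4j", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "supplier": {"name": "Apache Software Foundation"},
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "bom-ref": "openssl", "name": "openssl",
         "version": "3.0.12", "supplier": {"name": "OpenSSL Project"},
         "purl": "pkg:generic/openssl@3.0.12"},
        # Deliberately missing a supplier: a gap the minimum-elements check flags.
        {"type": "library", "bom-ref": "busybox", "name": "busybox",
         "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"},
    ],
    "dependencies": [{"ref": "fw", "dependsOn": ["log4j", "openssl", "busybox"]}],
})

# Constructed advisory feed: package URL without version, plus the affected
# range [introduced, fixed). CVE-2021-44228 follows the public Log4Shell
# advisory; HYPOTHETICAL-0001 is a placeholder showing a non-matching range.
ADVISORIES = [
    {"id": "CVE-2021-44228", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "HYPOTHETICAL-0001", "purl": "pkg:generic/openssl",
     "introduced": "3.0.0", "fixed": "3.0.8"},
]


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything else."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return sbom


def parse_version(v):
    """Numeric dotted prefix only: '2.14.1' -> (2, 14, 1). Pre-release tags
    such as '-beta9' are dropped, which is enough for this example but not
    for ecosystems with richer version schemes."""
    return tuple(int(p) for p in v.split("-")[0].split(".") if p.isdigit())


def check_minimum_elements(sbom):
    """Report gaps against the NTIA minimum data fields: supplier, component
    name, version, unique identifier, dependency relationship, SBOM author
    and timestamp."""
    gaps = []
    meta = sbom.get("metadata", {})
    if not meta.get("authors"):
        gaps.append("sbom: missing author of SBOM data")
    try:
        datetime.fromisoformat(meta.get("timestamp", "").replace("Z", "+00:00"))
    except ValueError:
        gaps.append("sbom: missing or invalid timestamp")
    if not sbom.get("dependencies"):
        gaps.append("sbom: no dependency relationships")
    for c in sbom.get("components", []):
        ref = c.get("bom-ref") or c.get("name", "?")
        if not c.get("supplier", {}).get("name"):
            gaps.append(f"{ref}: missing supplier name")
        if not c.get("name"):
            gaps.append(f"{ref}: missing component name")
        if not c.get("version"):
            gaps.append(f"{ref}: missing version")
        if not (c.get("purl") or c.get("cpe")):
            gaps.append(f"{ref}: missing unique identifier (purl or cpe)")
    return gaps


def match_advisories(sbom, advisories):
    """Return (name, version, advisory id, fixed version) for every component
    whose purl and version fall inside an advisory's affected range."""
    hits = []
    for c in sbom.get("components", []):
        base = c.get("purl", "").split("@")[0]
        ver = parse_version(c.get("version", ""))
        for adv in advisories:
            if base == adv["purl"] and \
               parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                hits.append((c["name"], c["version"], adv["id"], adv["fixed"]))
    return hits


def dependents_of(sbom, ref):
    """Which components pull in `ref`: the dependency-relationship field is
    what lets a consumer say which product is exposed, not just which library."""
    return sorted(d["ref"] for d in sbom.get("dependencies", [])
                  if ref in d.get("dependsOn", []))


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM_JSON)
    for gap in check_minimum_elements(sbom):
        print("GAP:", gap)
    for name, version, cve, fixed in match_advisories(sbom, ADVISORIES):
        exposed = ", ".join(dependents_of(sbom, name.split("-")[0]))
        print(f"VULN: {name} {version} affected by {cve}; fixed in {fixed}; exposed: {exposed}")
```

Run as-is, the script flags busybox for a missing supplier name and reports log4j-core 2.14.1 as affected by CVE-2021-44228, with the firmware as the exposed product. The matching deliberately keys on the package URL rather than the bare component name; the "other unique identifiers" field exists precisely so that two components called "log4j" from different ecosystems are not confused.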

SBOMs and IoT Device Security 

Due to the increasing use of open-source libraries and third-party code in today's software products, IoT device users need a clear understanding of their software supply chains. This is especially important in sensitive sectors such as medical devices, where government regulation must also be acknowledged. Section 3305 of the Consolidated Appropriations Act, 2023 added new cybersecurity requirements for "cyber devices" to the Federal Food, Drug, and Cosmetic Act (section 524B): manufacturers must, among other things, provide an SBOM covering commercial, open-source, and off-the-shelf software components, and comply with related Food and Drug Administration (FDA) requirements, notably in premarket submissions. These requirements will significantly boost the SBOM generation and SBOM analysis market. SBOMs give visibility into the origin, versions, and known vulnerabilities of the third-party components used in these life-critical devices, enabling better tracking, monitoring, and management of the software supply chain. That matters because, by common industry estimates, more than 70% of a typical software stack consists of open-source components. The same visibility lets organizations assess the performance and reliability of their suppliers and provides a channel for more efficient coordination and communication with stakeholders.


The Future Market of SBOM Solutions

While anyone can generate a basic SBOM for free or at low cost with online tools, deeper SBOM generation, SBOM analysis, and software lifecycle management are a different story: they require specialized knowledge and technology, which makes them a promising business proposition for early entrants into the SBOM services market. The software consumer market is still in the early stages of embracing SBOMs. Yet the growing number of connected, software-dependent devices means that leveraging SBOMs for digital supply chain resilience will soon become imperative. Software producers are currently the main consumers of SBOM services because they want to protect their supply chains from threats such as the Log4Shell vulnerability (CVE-2021-44228) in the Log4j 2 Java logging library, which left many organizations unable to say quickly where the library was embedded in their products. The software consumer market will eventually become the largest segment of the SBOM market. Consumers benefit from SBOMs for risk mitigation, compliance with IoT device legal requirements in certain sectors, and establishing vendor accountability.

The emerging legal requirements for device manufacturers, together with the security benefits SBOMs offer software developers and users, are creating a customer expectation that SBOM solutions be a core component of any device security package. This will present growing business opportunities for SBOM solution providers in the near future.




Michael Amiri

Senior Analyst in the Cyber & Digital Security practice, ABI Research

Michael Amiri is a Senior Analyst in the Cyber & Digital Security practice at ABI Research. His research focuses on OT/industrial and IoT cybersecurity.