Panel: SBOM and Securing the Supply Chain
Wednesday, 8 December 2021
12:00 - 13:15
Chair: L. Jean Camp, Indiana University
Moderator: L. Jean Camp, Indiana University
Panelists:
- Zachary Tudor, Idaho National Laboratory
- Allan Friedman, CISA
- Kevin Kane, Microsoft Research
- Daniel Hein, Garmin International
Abstract: The Internet of Things (IoT) has revolutionized our interaction with the physical world. While the benefits of the widespread adoption of IoT devices (projected to expand to 30.9 billion devices by 2025) are significant, the security of these devices has often been neglected. One straightforward approach to addressing the risk of insecure IoT devices is to create and enforce appropriate access control (ideally during the onboarding process) and to ensure that devices are fully patched.
The requirement for software transparency that enables this assurance of patching is the core of the Software Bill of Materials (SBOM). SBOM assumes a clear understanding and transparency of dependencies, the ability of developers to express these dependencies, and the capacity to integrate this information into operations. In the Biden Administration's recent Executive Order on Improving the Nation's Cybersecurity, SBOM was identified as a critical component of a secure supply chain, covering not only IoT but all commercial and open-source software. Both the IETF and the Department of Commerce are actively engaged in integrating SBOM (which focuses primarily on the data structures describing software components) and MUD, the Manufacturer Usage Description (which focuses on the retrieval of the data files used for secure onboarding, access control, and operation). How much will the adoption of these technologies change the security landscape? What critical security issues might they obviate, and what new challenges will emerge?