Study: Software Bills Of Materials Not Yet an Industry Standard
- Industry survey: A Software Bill Of Materials is the exception, not the rule.
- OT+IoT Cyber Security Report by ONEKEY: Industrial control systems are often not adequately protected against hacker attacks.
- Cybersecurity is still a low priority for many manufacturers of equipment, machinery and systems.
Duesseldorf, 9 October 2024 – A Software Bill Of Materials (SBOM), i.e. a parts list of all software components in a networked device, is the exception in German industry, although it is considered an indispensable prerequisite for effective protection against cyber attacks. This is according to the new “OT+ IoT Cybersecurity Report 2024” from the Duesseldorf-based cybersecurity company ONEKEY. The study on the cyber resilience of industrial control systems (ICS) and Internet of Things (IoT) devices is based on a survey of 300 industry executives. Respondents included chief executive officers (CEOs), chief information officers (CIOs), chief information security officers (CISOs), chief technology officers (CTOs) and IT managers. The report will be published on the ONEKEY website in October.
Outdated Software as a Gateway for Attackers
According to the survey, less than a quarter (24 per cent) of industrial organisations have a complete Software Bill Of Materials (SBOM). "While computer and network software is usually recorded, there is often no overview of the embedded software in countless devices with network access, such as machines and systems of all kinds," said Jan Wendenburg, CEO of ONEKEY.
"This is fatal," he said, "because outdated software in industrial control systems is an increasingly popular gateway for hackers." He cited manufacturing robots, CNC machines, conveyor belts, packaging machines, production systems, building automation systems, heating and air conditioning systems as typical examples. "All of these systems are connected to the corporate network and there is software in almost every single component," said Jan Wendenburg, illustrating the large attack surface that companies offer to cyber criminals if they do not keep their programs in the production and logistics chain, for example, up to date. However, the majority of companies (51 per cent) either have no Software Bill Of Materials at all or, at best, an incomplete one.
Software BOMs with Many Gaps and Uncertainties
"In many companies, there are many gaps and uncertainties in the Software Bills Of Materials for networked devices," said Jan Wendenburg, adding: "A single outdated program in a machine can be enough to give hackers access to the company network." According to the report, it is particularly alarming that almost a quarter of companies surveyed do not even know if and where Software Bills Of Materials exist.
"It's like driving on the motorway at night without lights," said the ONEKEY CEO, illustrating the potential danger. He concluded: "With an average of more than 2,000 software vulnerabilities discovered each month, the question for a company that does not automatically monitor and update its software is not if it will fall victim to a cyber attack, but when and with what consequences."
Suppliers and Subcontractors Barely Checked
According to the ONEKEY report, the lack of visibility into software components in machinery and equipment is due to the fact that very few industrial companies carry out a comprehensive review of the embedded software of their equipment suppliers and third-party vendors. Just over a third (34 per cent) use questionnaires from industry associations such as the VDMA to assess the cyber security situation of their suppliers. 31 per cent rely on standardised assessments and certifications. More than a tenth (11 per cent) say they have no systematic process in place to ensure that the equipment, machinery and systems they buy for operational use are adequately protected against cyber attacks.
"We advise every industrial company to use a Software Bill Of Materials to get an overview of the cyber risks from production to logistics and building automation. In this way, the security gaps that are uncovered can be effectively assessed and neutralised before they are discovered and exploited by hackers," said Jan Wendenburg. He emphasised: "A modern analysis platform creates a Software Bill Of Materials (SBOM) automatically and with comparatively little effort. However, it can be very expensive if hackers gain access to the company network via the shop floor because outdated software is being used."
EU Cyber Resilience Act to Take Effect in 2027
The ONEKEY CEO pointed out that from 2027, the EU's Cyber Resilience Act (CRA) will legally require manufacturers of equipment, machinery and systems to protect their control systems against cyber attacks with up-to-date software. "Manufacturers who continue to supply systems with known programming vulnerabilities, or who do not immediately provide an update for newly discovered vulnerabilities, will be liable for the consequences if hackers use their outdated software to break in and cause damage," he said, appealing to all Industry 4.0 suppliers to prepare for the new CRA legislation in good time.
A third of the companies surveyed are already up to date: they update their software as soon as a patch is available to fix the vulnerability. A full 28 per cent automatically check for vulnerabilities in devices already shipped to customers. 30 per cent are satisfied with occasional manual checks. 31 per cent do not patch at all and wait for the next scheduled release to close the door to hackers. "A delay that can prove fatal, because it is precisely this window of opportunity between detection and remediation that cyber criminals naturally exploit," warns Jan Wendenburg.
Overall, however, there is still a lot to be done: 16 per cent of respondents no longer check their devices for security vulnerabilities after delivery. 10 per cent no longer provide updates or security patches, and a remarkable 26 per cent of respondents do not know the update policy for their industrial equipment.
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes - without source code, device, or network access. Proactively audit software supply chains with integrated Software Bill Of Materials (SBOM) generation. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.
Contact us: ONEKEY GmbH, Kaiserswerther Str. 45, 40477 Duesseldorf, Germany, Sara Fortmann, e-mail: sara.fortmann@onekey.com, website: https://onekey.com
PR Agency: euromarcom public relations GmbH, Muehlhohle 2, 65205 Wiesbaden, Germany, e-mail: team@euromarcom.de, website: www.euromarcom.de