Vigilant Ops Wins Cybersecurity Challenge


Why 2021 is Shaping Up to be the Year of the SBOM

The software bill of materials (SBOM) is on its way to being recognized as a key security document and the primary enabler of software transparency across all industries. In healthcare, the FDA (US Food and Drug Administration) included it in the 2018 draft of their Premarket Guidance, but referred to it as a CBOM (Cybersecurity Bill of Materials). Today, SBOM, meaning a detailed list of the software components found in a product or system, has become the more accepted terminology.

As more cybersecurity breaches are announced, almost daily it seems, business leaders, industry experts, and regulatory agencies are looking to the SBOM as an important element of a sound cybersecurity strategy. The SBOM is gaining so much momentum that some have found it necessary to caution that it won’t solve all security woes, and that it is just one piece of the larger cybersecurity puzzle, albeit an important one.

SBOM references have appeared across a wide variety of security-focused content, including the recent news of an imminent Biden administration executive order. The order aims at strengthening the nation’s security posture and includes a reference to the SBOM. From a regulatory perspective, FDA has prioritized releasing the final version of its Premarket Guidance, mentioned above, in 2021; the guidance recommends that medical device manufacturers provide an SBOM with their products. In other SBOM news, TAG Cyber’s 2021 Security Annual, 2nd Quarter, includes an article titled “The Time Has Arrived for Software Bill of Materials”. The article references the important SBOM work currently under way at the National Telecommunications and Information Administration (NTIA) under Allan Friedman.

When it comes to protecting software-based products and systems, it seems almost common sense that a lack of visibility into the software components used in the product or system is a massive impediment. So, on one hand, the SBOM should seem an inevitable and key security document. On the other hand, some industries are slow to change and adapt, and only do so with the appropriate motivation. Unfortunately, or fortunately for the SBOM, the recent spate of cybersecurity attacks is providing that motivation.

Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.

For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: inquiries@vigilant-ops.com

White House Considers Software Bill of Materials (SBOM) Critical

The SolarWinds attack report, which we summarized in a recent post, hinted at possible executive action in response to the massive assault. That possibility has been realized: a Biden administration executive order requiring enhanced cybersecurity measures, including the Software Bill of Materials (SBOM), is expected any day now. A National Security Council spokeswoman was recently quoted as saying that the SolarWinds attack showed that the “federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly. Simply put, you can’t fix what you don’t know about.”

The executive order is expected to adopt cybersecurity measures recommended by security experts, including multi-factor authentication, data encryption, and a detailed list of the exact software components used in a product, in other words, a Software Bill of Materials (SBOM).

The draft order also contains details around the creation of a cybersecurity incident response board. It is proposed that the board would be populated with representatives from federal agencies as well as cybersecurity companies. The purpose of the board is to collect breach information from victims of cyber-attacks in order to inform others of possible imminent threats and share critical information that could help organizations prepare. It’s not clear how victims would be incentivized to share information, nor is it clear how the information would be aggregated and shared with others.

Today, the Healthcare industry is a prime target for hackers, and the SBOM is a much-needed security document. Providing this transparency into deployed medical devices will enable faster responses from all stakeholders, ultimately resulting in improved patient safety.


Software Bill of Materials Help to Defend Against Cyberattacks

On February 17, 2021, a remarkable White House press briefing addressed possible executive action in the wake of the SolarWinds attack, widely described as the most extensive compromise of U.S. government networks to date.

In mid-February, the White House held a press briefing and announced possible executive action in response to a recent attack against several critical US agencies, including the US Department of Commerce and the US Department of Justice. The hack, referred to as the SolarWinds attack, was described by Microsoft’s President Brad Smith as “the largest and most sophisticated attack the world has ever seen.”

The attack is named for SolarWinds, a major software company with many thousands of customers, whose Orion network-management platform was the delivery vehicle: the attackers compromised SolarWinds’ build process and inserted a backdoor into signed Orion updates, which customers then installed through the normal, trusted update channel. Attacks like this are referred to as supply chain attacks, because the hackers compromised a third-party provider to gain access rather than attacking the targeted organizations’ networks directly. Third-party software components embedded in systems and products are a prime target for the same reason: it is difficult for a customer to even identify which third-party components a given system or product contains. That opaqueness prevents effective vulnerability management, because you can’t protect what you don’t know about.

The Software Bill of Materials (SBOM) is ready to pull back that curtain and provide transparency into those components and their associated vulnerabilities. An SBOM is a list of the software components in a system or product, including third-party and open-source libraries, typically with the supplier, name and version of each. By providing an SBOM, the manufacturer gives customers and end users the information they need to check the product against newly published vulnerabilities.

A great place to start using the SBOM is healthcare. The healthcare industry is a prime target for hackers, partly because it operates many millions of network-connected medical devices and is often slow to detect malicious activity on its networks. One major reason for the slow response is the lack of visibility into the software running on those deployed devices, since medical device manufacturers are not currently required to provide SBOMs to their customers. And remember, you can’t protect what you don’t know about.

This might all be changing soon. FDA intends to finalize its Content of Premarket Submissions for Management of Cybersecurity in Medical Devices guidance this year. The guidance recommends that an SBOM accompany each medical device, along with ongoing vulnerability monitoring against that SBOM. The SBOM is a much-needed security document, and the requirement to include one can’t come too soon. Medical device manufacturers should work out the logistical details of generating an SBOM for each product and release and continuously monitoring it against newly published vulnerabilities. Putting those processes and policies in place today will enable a more agile response when customers and regulatory agencies begin demanding SBOMs, and prospects refuse to consider products without them. Of course, savvy customers aren’t waiting for FDA to finalize the guidance, so think about putting those SBOM processes and policies in place yesterday.
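To make the two points above concrete (an SBOM as a component list that can be checked against known vulnerabilities, and the need to keep checking it over time), here is an added example in Python. It is not code from the page’s author or from the InSight Platform. It parses a constructed CycloneDX JSON SBOM for a hypothetical device, matches each component’s version against a constructed advisory feed, then re-runs the check against a later snapshot of that feed to show what continuous monitoring surfaces. All package names, versions and advisory identifiers (EXAMPLE-2021-000x) are hypothetical placeholders, not real products or CVEs; only the CycloneDX field names are real.

```python
"""Match SBOM components against a vulnerability feed (added example).

The SBOM and the advisory feed below are constructed for illustration. The
package names, versions and EXAMPLE-2021-000x identifiers are hypothetical;
the CycloneDX field names (bomFormat, specVersion, components, purl) are real.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX SBOM for a hypothetical network-connected device.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "version": 1,
  "metadata": {
    "component": {"type": "device", "name": "example-pump-firmware", "version": "4.2.0"}
  },
  "components": [
    {"type": "library", "group": "org.example", "name": "json-parser", "version": "1.2.3",
     "purl": "pkg:maven/org.example/json-parser@1.2.3"},
    {"type": "library", "name": "tls-stack", "version": "2.0.9",
     "purl": "pkg:generic/tls-stack@2.0.9"},
    {"type": "operating-system", "name": "rtos-kernel", "version": "7.1.0"}
  ]
}
"""

# Constructed advisory feed: affected package (purl without version) plus a
# half-open affected range [introduced, fixed).
ADVISORIES_V1 = [
    {"id": "EXAMPLE-2021-0001", "package": "pkg:maven/org.example/json-parser",
     "introduced": "1.0.0", "fixed": "1.2.4", "severity": "high"},
    {"id": "EXAMPLE-2021-0002", "package": "pkg:generic/tls-stack",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "critical"},
]
# Later snapshot of the same feed: the device is unchanged, but a new advisory
# has been published against a version it ships.
ADVISORIES_V2 = ADVISORIES_V1 + [
    {"id": "EXAMPLE-2021-0003", "package": "pkg:generic/tls-stack",
     "introduced": "2.0.0", "fixed": "2.1.0", "severity": "medium"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Leading dotted-numeric part of a version as an integer tuple.

    Integer comparison keeps 1.10.0 > 1.9.0 (string comparison gets this
    wrong); zero-padding to three fields makes 2.0 equal 2.0.0. Pre-release
    tags such as -rc1 are ignored, a deliberate simplification.
    """
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    fields = [int(p) for p in m.group(0).split(".")]
    while len(fields) < 3:
        fields.append(0)
    return tuple(fields)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Name, version and purl of every component in a CycloneDX SBOM.

    Components listed without a purl get a synthesized pkg:generic purl so
    the matcher always has a key to work with.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for c in bom.get("components", []):
        purl = c.get("purl") or f"pkg:generic/{c['name']}@{c['version']}"
        components.append({"name": c["name"], "version": c["version"], "purl": purl})
    return components


def package_of(purl: str) -> str:
    """Strip the '@version' suffix (and anything after it) from a purl."""
    return purl.split("@", 1)[0]


def find_vulnerable(components, advisories) -> List[Dict[str, str]]:
    """One finding per (component, advisory) pair whose version is in range."""
    findings = []
    for comp in components:
        pkg, ver = package_of(comp["purl"]), parse_version(comp["version"])
        for adv in advisories:
            if adv["package"] != pkg:
                continue
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                findings.append({"component": comp["purl"], "advisory": adv["id"],
                                 "severity": adv["severity"], "fixed_in": adv["fixed"]})
    return findings


def new_findings(previous, current) -> List[Dict[str, str]]:
    """Findings in the current run that were absent from the previous one."""
    seen = {(f["component"], f["advisory"]) for f in previous}
    return [f for f in current if (f["component"], f["advisory"]) not in seen]


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    at_release = find_vulnerable(comps, ADVISORIES_V1)
    later = find_vulnerable(comps, ADVISORIES_V2)
    for f in at_release:
        print("known at release:", f)
    for f in new_findings(at_release, later):
        print("new since release:", f)
```

Two details matter in practice. Versions have to be compared numerically and against a half-open range, or a component at 1.10.0 is wrongly flagged as older than the 1.9.x fix. And the SBOM itself did not change between the two runs; only the advisory feed did, which is why an SBOM has to be monitored continuously rather than checked once at release.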
