The Center for Education and Research in Information Assurance and Security (CERIAS)


Investigating and Understanding Digital Bill of Materials

Research Areas: Other

Principal Investigator: Christina Garman

Managing the integrity, authenticity, and reliability of critical systems, including high-priority operational technology (OT) components, is becoming increasingly important across government sectors, as evidenced by the recent executive order on cybersecurity, EO 14028. The digital supply chains that sustain these critical infrastructures are growing increasingly diverse and complex, which in turn changes the overall cybersecurity risk for energy systems. Transparency between vendors and asset owners about the hardware and software components of the tools they adopt, and about the security vulnerabilities within those components, has the potential to improve the sector's ability to mitigate risk.

The Digital Bill of Materials (DBoM) is a proposed solution to this obstacle: it allows Software Bills of Materials (SBoM), Hardware Bills of Materials (HBoM), and attestations to be shared across vendors through a set of supported repositories. Current DBoM implementations, however, raise problems around sharing such crucial and sensitive (and in some cases confidential) information in a secure and privacy-preserving way. One obstacle a vendor may encounter is sharing security-relevant information about a proprietary subcomponent produced by a third party and contained in the vendor's software. Moreover, sharing software vulnerabilities through the digital supply chain may give a malicious entity access to that sensitive information before the vulnerability is patched. We seek answers to questions such as: how can an entity check for the presence of software components (and subcomponents) or vulnerabilities anonymously and securely, and how can a party trust an SBoM or HBoM entry? During this project we aim to define DBoM threat models, identify the security and privacy concerns that arise when sharing such critical information, and propose solutions for them.
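As an added illustration of the "check for presence anonymously and securely" question above (this is not the project's or CERIAS's code, and the project does not propose this scheme), the block below implements the most obvious candidate: the vendor publishes salted SHA-256 digests of its component identifiers instead of the identifiers themselves, and an asset owner tests for a specific component by hashing the identifier it cares about. The sample SBoM, product name, purls and salt are all constructed for the example. The third function shows why this naive design does not meet the paragraph's requirement: component identifiers come from a small public space, so anyone holding the public salt can recover the supposedly hidden composition with a dictionary of well-known purls.

```python
"""Naive salted-digest SBoM presence check, and its enumeration weakness.

Added illustration only; not code from the DBoM project or CERIAS.
All identifiers below are constructed for the example.
"""
import hashlib

# Constructed sample SBoM for a hypothetical vendor product (not from the page).
SAMPLE_SBOM = {
    "product": "example-rtu-firmware",
    "version": "3.2.0",
    "components": [
        {"purl": "pkg:generic/openssl@1.1.1k"},
        {"purl": "pkg:generic/zlib@1.2.11"},
        # Proprietary third-party subcomponent the vendor would rather not disclose.
        {"purl": "pkg:generic/acme-modbus-stack@7.4"},
    ],
}

# Assumed to be published alongside the digests so consumers can compute them.
PUBLIC_SALT = b"dbom-example-salt"


def component_digests(sbom, salt):
    """Vendor side: publish salted SHA-256 digests of the component
    identifiers rather than the plaintext SBoM."""
    return {
        hashlib.sha256(salt + c["purl"].encode("utf-8")).hexdigest()
        for c in sbom["components"]
    }


def presence_check(digests, salt, purl):
    """Consumer side: test whether one specific component (for example one
    named in a new advisory) is present, without being handed the list."""
    return hashlib.sha256(salt + purl.encode("utf-8")).hexdigest() in digests


def enumerate_components(digests, salt, candidates):
    """Adversary side: with a public salt and a dictionary of common purls,
    presence_check doubles as an oracle that reconstructs the hidden list."""
    return sorted(p for p in candidates if presence_check(digests, salt, p))


if __name__ == "__main__":
    published = component_digests(SAMPLE_SBOM, PUBLIC_SALT)
    print("openssl 1.1.1k present:",
          presence_check(published, PUBLIC_SALT, "pkg:generic/openssl@1.1.1k"))
    # Constructed dictionary of well-known components an attacker might try.
    wordlist = [
        "pkg:generic/openssl@1.1.1k",
        "pkg:generic/zlib@1.2.11",
        "pkg:generic/libxml2@2.9.10",
    ]
    print("recovered by enumeration:",
          enumerate_components(published, PUBLIC_SALT, wordlist))
```

The salted digest only hides components whose identifiers an attacker cannot guess, which is the opposite of the threat the paragraph describes: public components with known vulnerabilities are exactly the ones an adversary will try first, and a proprietary subcomponent is protected only until its name appears in any advisory or package index. Whatever DBoM mechanism replaces this needs to bound the number of queries or bind them to an authorized, attestable consumer, which is the kind of threat model the project sets out to define.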

Personnel

Students: Arushi Arora

Representative Publications