The Linking the Oil and Gas Industry to Improve Cybersecurity (LOGIIC) program has announced the release of a new study report entitled “SBOM Study: Managing ICS Software Risks to Oil & Gas.” In 2021, LOGIIC conducted a study to understand how software bills of materials (SBOMs) and other vendor capabilities can be used to manage cybersecurity risks to industrial control system (ICS) software that may be introduced through third-party components included in vendor solutions. The study was based on SBOM research conducted by LOGIIC. Reference material for the study included Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021. The order includes new requirements for vendors selling software to the U.S. government, one of which is to provide the government purchaser an SBOM for each product, either directly or by other means such as publishing it on a website.
An SBOM is a formal record containing the details and supply chain relationships of the various components used in building software. It is effectively a list of ingredients or a nested inventory: each component may itself depend on further components, so the record describes a dependency graph rather than a flat list. SBOMs enable better software security and supply chain risk management by letting an operator identify which third-party components a product actually contains. It is critical for each industry sector to establish a common set of practices and market expectations that is viable and reflects the needs of the industry.
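The following is an added example illustrating what “nested inventory” means in practice; it is not code from the LOGIIC report or from any vendor. It builds a small SBOM document inline using CycloneDX JSON field names (bomFormat, metadata.component, components[].bom-ref, dependencies[].dependsOn), walks the dependency graph from the product down to its transitive components, separates vendor-supplied components from third-party ones, and matches the reachable components against an affected-components list. The SBOM contents, the vendor name “ExampleVendor”, the component names and versions, and the AFFECTED set are all constructed for illustration and do not refer to real products or advisories.

```python
"""Walk a minimal CycloneDX-style SBOM as a nested inventory.

Added example, not from the LOGIIC report. The SBOM document, the vendor
name and the AFFECTED list below are constructed for illustration only.
"""
import json
from collections import deque

# Constructed sample SBOM. Field names follow CycloneDX JSON; the component
# names, versions and suppliers are hypothetical.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {"bom-ref": "pkg:vendor/hmi-suite@4.2.0",
                      "name": "hmi-suite", "version": "4.2.0",
                      "supplier": {"name": "ExampleVendor"}}
    },
    "components": [
        {"bom-ref": "pkg:generic/protocol-lib@2.1.0", "name": "protocol-lib",
         "version": "2.1.0", "supplier": {"name": "ExampleVendor"}},
        {"bom-ref": "pkg:generic/xml-parser@1.8.3", "name": "xml-parser",
         "version": "1.8.3", "supplier": {"name": "ThirdPartyCo"}},
        {"bom-ref": "pkg:generic/compress@0.9.1", "name": "compress",
         "version": "0.9.1", "supplier": {"name": "OtherOSS"}},
        {"bom-ref": "pkg:generic/unused-tool@3.0.0", "name": "unused-tool",
         "version": "3.0.0", "supplier": {"name": "OtherOSS"}},
    ],
    "dependencies": [
        {"ref": "pkg:vendor/hmi-suite@4.2.0",
         "dependsOn": ["pkg:generic/protocol-lib@2.1.0"]},
        {"ref": "pkg:generic/protocol-lib@2.1.0",
         "dependsOn": ["pkg:generic/xml-parser@1.8.3"]},
        {"ref": "pkg:generic/xml-parser@1.8.3",
         "dependsOn": ["pkg:generic/compress@0.9.1"]},
        {"ref": "pkg:generic/unused-tool@3.0.0", "dependsOn": []},
    ],
})

# Hypothetical (name, version) pairs an operator might hold from an
# advisory feed; constructed, not a real advisory.
AFFECTED = {("compress", "0.9.1")}


def load_sbom(text):
    """Parse the document into (root ref, components by bom-ref, dependency graph)."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    components = {c["bom-ref"]: c for c in doc.get("components", [])}
    root = doc["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: list(d.get("dependsOn", []))
             for d in doc.get("dependencies", [])}
    return root["bom-ref"], components, graph


def transitive_deps(graph, root_ref):
    """Breadth-first walk from the product; returns {ref: depth}, where
    depth 1 is a direct dependency. Handles cycles via the seen set."""
    seen = {}
    queue = deque((ref, 1) for ref in graph.get(root_ref, []))
    while queue:
        ref, depth = queue.popleft()
        if ref in seen:
            continue
        seen[ref] = depth
        for child in graph.get(ref, []):
            if child not in seen:
                queue.append((child, depth + 1))
    return seen


def third_party_components(components, reachable, vendor_name):
    """Reachable components whose supplier is not the product vendor."""
    return sorted(ref for ref in reachable
                  if components[ref].get("supplier", {}).get("name") != vendor_name)


def find_affected(components, reachable, affected):
    """Reachable components matching the affected list, with their depth."""
    return sorted((ref, depth) for ref, depth in reachable.items()
                  if (components[ref]["name"], components[ref]["version"]) in affected)


def analyze(sbom_text, vendor_name, affected):
    root, components, graph = load_sbom(sbom_text)
    reachable = transitive_deps(graph, root)
    return {
        "reachable": reachable,
        "third_party": third_party_components(components, reachable, vendor_name),
        "affected": find_affected(components, reachable, affected),
        # Listed in the inventory but not reachable from the product: a mismatch
        # between the component list and the dependency graph is worth raising
        # with the vendor.
        "unreachable": sorted(set(components) - set(reachable) - {root}),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_SBOM, "ExampleVendor", AFFECTED).items():
        print(key, value)
```

The point of walking the graph rather than scanning the flat component list is the one the paragraph makes: the affected component here sits three levels below the product, behind a vendor-supplied library, so a purchaser who only checked the vendor's own code would not see it. The `unreachable` entry shows a second use: checking that the inventory and the dependency relationships in an SBOM agree with each other before relying on either.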
The study included discussions with oil and gas industrial control system vendors to understand and analyze the current state of SBOM development and use. The report also makes industry recommendations for SBOM development.
To read the report, please visit the LOGIIC homepage.