Software Bills of Materials (SBOMs) were initially developed outside the automotive industry to handle software license compliance. Their value for vulnerability tracking has since been broadly recognized, and they are now being deployed as part of the effort to secure the Software-Defined Vehicles (SDVs) of the future.
In this edition of SBD Explores, we will dive into the status of SBOMs in the automotive industry, look at their benefits and limitations (both inside the automotive enterprise as well as the broader software ecosystem), and share where they need to go to keep vehicle software safe.
What is happening?
An SBOM is a machine-readable inventory of the components that make up a piece of software; it enables important quality tracking and verification processes.
Modern vehicles contain software components from OEMs, suppliers, and third parties, which requires strong documentation to ensure traceability.
Automakers can compare SBOMs against vulnerability data, which enables faster fixes or the choice of appropriate mitigations. Affected Common Vulnerabilities and Exposures (CVEs) can be identified, and affected modules can be blocked from reuse.
Across ecosystems, SBOMs can help verify which software libraries are in use. Partners have struggled to ensure that only fixed versions are used by future components.
Though not an automotive case, the Log4j/Log4Shell flaw of 2021-2022 was discovered in a widely used, open-source Java library. The remediation challenges taught every cyber department the importance of tracking and controlling the versions of libraries used in released products.
SBOM has seen significant interest and implementation from automotive OEMs to address supply chain security issues.
Why does it matter?
While regulators currently treat SBOM as a 'check item', its security goals are only achieved through thoughtful integration.
OEM software management must fit complex regulatory frameworks. Managing the growing volume of source code and binaries from suppliers, consortia, and in-house teams requires standard formats and tools.
Supply chain attacks show the need to verify the authenticity of software sources; SBOMs provide efficient methods that work across projects and across industries.
Regulations and best-practice guidance push manufacturers toward good cybersecurity practices. OEMs need to implement the processes that maximize the benefits while minimizing the cost.
SBOMs help propagate implemented fixes quickly, provided the SBOM system is embedded in development and update processes.
Rather than being a tool to assign blame between OEMs and suppliers, SBOMs should speed up fixes and prevent known vulnerabilities from being distributed.
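The two uses described above, comparing an SBOM against vulnerability data so affected modules can be identified and blocked from reuse ("What is happening?"), and gating a release so known-vulnerable versions are not distributed ("Why does it matter?"), both reduce to the same check. The following is an added example, not code from SBD or from any OEM tool: it parses a constructed CycloneDX-style SBOM for a hypothetical ECU image, matches each component's package URL against a constructed advisory feed with introduced/fixed version ranges, and returns a release decision. The advisory ids, package versions and fixed versions are all made up for illustration.

```python
"""Match a CycloneDX-style SBOM against advisories and gate a release.

Every input below is constructed for illustration: the advisory ids, the
affected ranges and the component versions are not real vulnerability data.
"""
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM for a hypothetical ECU application image.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:generic/openssl@3.0.8"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
    ],
})

# Constructed advisory feed. Each entry names a package (purl without the
# version) and an OSV-style half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-0001",
     "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.17.1", "severity": "critical"},
    {"id": "ADV-CONSTRUCTED-0002",
     "purl_prefix": "pkg:generic/openssl",
     "introduced": "3.0.0", "fixed": "3.0.9", "severity": "high"},
]


def version_key(version):
    """Comparable tuple for dotted versions such as '2.14.1' or '2.17.1-rc1'.

    A pre-release suffix after '-' sorts below the final release of the same
    number, so '2.17.1-rc1' is still inside a range that is fixed in 2.17.1.
    """
    core, _, suffix = version.partition("-")
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) + (0 if suffix else 1,)


def in_affected_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def parse_sbom(sbom_json):
    """Return [(purl, version), ...] for every component carrying a purl."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["purl"], c["version"])
            for c in bom.get("components", []) if "purl" in c and "version" in c]


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    purl: str
    version: str
    fixed_in: str
    severity: str


def find_affected(components, advisories):
    """Match each component against every advisory for the same package."""
    findings = []
    for purl, version in components:
        package = purl.rsplit("@", 1)[0]  # purl with the version qualifier removed
        for adv in advisories:
            if adv["purl_prefix"] == package and in_affected_range(
                    version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(adv["id"], purl, version,
                                        adv["fixed"], adv["severity"]))
    return findings


BLOCKING_SEVERITIES = frozenset({"critical", "high"})


def release_gate(findings, blocking=BLOCKING_SEVERITIES):
    """Return (allowed, blocked_purls): the build may ship only with no blocking finding."""
    blocked = sorted({f.purl for f in findings if f.severity in blocking})
    return (not blocked, blocked)


if __name__ == "__main__":
    hits = find_affected(parse_sbom(SBOM_JSON), ADVISORIES)
    for f in hits:
        print(f"{f.advisory_id}: {f.purl} affected, fixed in {f.fixed_in} ({f.severity})")
    allowed, blocked = release_gate(hits)
    print("release allowed" if allowed else f"release blocked: {blocked}")
```

The half-open range means a component at exactly the fixed version passes, while a pre-release of the fixed version does not; the same `find_affected` output feeds both the engineer's fix list and the build gate, which is the point of embedding the SBOM check in the development and update flow rather than running it as a one-off audit.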
OEMs can use the Software-Defined Vehicle transformation to more clearly identify and efficiently protect the value creation of automotive software.
As OEMs increase their participation in the software value of automobiles, they are gaining deeper understanding of software system dependencies within and outside the organization. This understanding includes tracking licenses, original authors, and current maintainers of software packages.
In the near term, generating SBOMs by scanning existing code will highlight areas of concern for system module integrators. As software authors add SBOMs to their development flows, increased visibility into the relative risks of dependency options will improve system robustness.
As OEMs build more software in-house for next generation Software-Defined Vehicles, internal SBOMs can be better tracked to ensure known vulnerabilities are fixed before release.
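Generating an SBOM by scanning what already exists, as the paragraph above describes, can be as simple as walking a dependency manifest. This is an added example, not SBD's or any vendor's tool: it scans a constructed Python requirements file for a hypothetical telematics service, emits a minimal CycloneDX-style document with a PyPI package URL per pinned dependency, and reports unpinned requirements as areas of concern, since an unpinned line means the shipped version cannot be known from the manifest alone. Package names and versions are made up.

```python
"""Generate a minimal CycloneDX-style SBOM by scanning a dependency manifest.

The manifest is constructed for illustration; the packages and versions do
not describe any real product.
"""
import json
import re

# Constructed requirements file for a hypothetical telematics backend.
REQUIREMENTS_TXT = """\
# constructed manifest for a hypothetical telematics backend
requests==2.31.0
cryptography==41.0.7
paho-mqtt>=1.6          # unpinned: exact shipped version unknown from the manifest
protobuf==4.25.1 ; python_version >= "3.8"
"""

# name, optional [extras], exact '==' pin
PINNED = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([A-Za-z0-9.+!-]+)$")


def scan_requirements(text):
    """Return (components, concerns).

    Pinned lines become CycloneDX components with a pkg:pypi purl; any other
    non-comment line is a concern for the integrator to resolve.
    """
    components, concerns = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        spec = line.split(";", 1)[0].strip()      # drop environment markers
        match = PINNED.match(spec)
        if not match:
            concerns.append(f"unpinned or unparsable requirement: {spec}")
            continue
        # Normalize the name the way PyPI does: lowercase, '_' -> '-'
        name = match.group(1).lower().replace("_", "-")
        version = match.group(3)
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:pypi/{name}@{version}",
        })
    return components, concerns


def build_sbom(components, app_name="telematics-service", app_version="0.0.0"):
    """Wrap the components in a minimal CycloneDX 1.5 document."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": app_name, "version": app_version}},
        "components": components,
    }


def sbom_json(text, **meta):
    """Scan a manifest and return (sbom_json_string, concerns)."""
    components, concerns = scan_requirements(text)
    return json.dumps(build_sbom(components, **meta), indent=2), concerns


if __name__ == "__main__":
    document, issues = sbom_json(REQUIREMENTS_TXT, app_version="1.4.2")
    print(document)
    for issue in issues:
        print("CONCERN:", issue)
```

A manifest-derived SBOM only lists direct dependencies as declared; transitive dependencies and the versions actually resolved at build time need a scan of the built artifact or the installed environment, which is why the text expects authors to add SBOM generation to their own flows rather than rely on integrators' scans alone.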
OEMs are experimenting with SBOMs alongside trusted partners to provide increased traceability, from the first news of a vulnerability to the accelerated repair of affected systems and services across their supply chain.
SBOMs meet the requirements of UN Regulation No. 156 (R156) on software update management and improve the robustness of over-the-air updates.
In the long term, consumers will benefit from quicker updates and fewer recalls as OEMs standardize SBOMs for common middleware to better secure the vehicle ecosystem.
Who to watch out for?
Certification bodies and standards organizations are partnering with the automotive industry to achieve increasing levels of cybersecurity via collaboration.
OEMs need to improve SBOM processes to meet the requirements of future type approval regulations.
Certification bodies expect the continuous improvement needed to meet ever-increasing cybersecurity challenges. It is a mistake to assume that the methods used for approvals today will be enough for the future.
Auto-ISAC and GlobalPlatform are two examples of organizations with automotive SBOM working groups.
Generic SBOM formats, protocols, and standards continue to be refined based on industry feedback and changing technologies.
Further requirements and recommendations, depending on robust SBOM implementations, are expected.
How should you react?
Embrace SBOM deployment and development by enabling company-wide and ecosystem-wide software module version control.
Leverage SBOMs to 'shift left', taking advantage of improved traceability to achieve fewer vulnerabilities and faster patching.
Identify industry consortia and tool supplier partners to optimize the deployment of existing SBOM solutions and processes for automotive applications.
Interested in finding out more?
Most of our work is helping clients go deeper into new challenges and opportunities through custom projects. If you would like to discuss recent projects we've completed relating to cybersecurity, contact us today!