Federal
Cyber Resilience
Operational Resilience
Vulnerability Management
Risk Management

Nexus Podcast: Cassie Crossley on Hardware Security, HBOMs

Michael Mimoso / May 8, 2025


Much has been written and said about software bills of materials (SBOMs) and their value to cybersecurity teams, in particular those responsible for vulnerability and patch management. Knowing what software components make up a commercial product—including open source libraries—is essential to understanding the potential risks and exposures associated with either an off-the-shelf or homegrown application.

There may be another such tool going mainstream soon—the hardware bill of materials (HBOM). As certain federal, state, and local government entities and military installations need to manage risk posed by adversaries in cyberspace, a full rundown of hardware components—and semiconductor chip provenance—is going to be an essential part of risk management efforts on this front. 

In this episode of the Nexus Podcast, Schneider Electric Vice President of Supply Chain Security Cassie Crossley joins to discuss the nuances of this aspect of hardware security and the growing need for HBOMs within critical infrastructure.

HBOMs Identify China-Built Chips, Components

Crossley explains many of the complexities of the chip and hardware supply chain and the importance of traceability of components to meet compliance requirements, in particular for the U.S. government and military. In most instances, hardware produced in China is a no-go in these environments, and an HBOM can help clear up some of the muddied supply chain waters.

“Compliance is the biggest use case for an HBOM,” Crossley said. “A laptop built on Monday could have a different set of chips on Thursday because they’ve changed out the line. Many are asking for an HBOM because you have to give the full aspect of the possibilities [of manufacturing changes]. Finding out exactly what’s in that one depends on what’s on the line.”

HBOMs generally are similar to SBOMs in that they list the components that should be part and parcel of the hardware being purchased. Sometimes they can include non-digital components, Crossley said, such as capacitors or printed circuit boards—anything other than the chip. For cybersecurity concerns, the focus would be on “intelligent components,” Crossley said, including integrated circuits and semiconductor chips.

Compliance is the HBOM Use Case

“In the critical infrastructure space, we are definitely being asked for them in certain areas, usually for regulatory reasons,” Crossley said.

She pointed out that the National Defense Authorization Act Section 5949 spells out certain vendors, such as China’s Huawei, whose chips and components have been banned from procurement because of fears of interdiction. She also noted that soon, fourth parties such as a banned vendor’s suppliers may be off-limits as well. The complexity that introduces, however, is enormous.
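To make the compliance use case concrete, here is an added example (not code from the podcast, Claroty or Schneider Electric) that screens a constructed, simplified HBOM against a vendor deny list. The HBOM layout, the deny list and every vendor name other than Huawei are assumptions; the structure models two points raised above: the fitted part can change between production runs, so alternates are listed, and a banned vendor may sit one tier upstream as a fourth-party supplier.

```python
from typing import Iterator

# Constructed deny list: vendors banned from procurement. Huawei is named in
# the article; "ExampleSub Ltd" is a made-up fourth-party subcontractor.
DENIED_VENDORS = {"huawei", "examplesub ltd"}

# Constructed HBOM (simplified layout, not a real CycloneDX document).
# "alternates" captures parts that may be substituted between production
# runs, so the HBOM lists every possibility. "supply_chain" starts with the
# component's manufacturer and continues with its upstream suppliers.
HBOM = {
    "product": "Example Laptop (constructed)",
    "components": [
        {"ref": "U1", "name": "CPU", "intelligent": True,
         "supply_chain": ["Acme Semi"], "alternates": []},
        {"ref": "U7", "name": "Wi-Fi module", "intelligent": True,
         "supply_chain": ["Acme Wireless"],
         "alternates": [{"supply_chain": ["Huawei"]}]},
        {"ref": "U9", "name": "Power controller", "intelligent": True,
         "supply_chain": ["Acme Power", "ExampleSub Ltd"], "alternates": []},
        {"ref": "C12", "name": "Capacitor", "intelligent": False,
         "supply_chain": ["Huawei"], "alternates": []},
    ],
}

def _variants(component: dict) -> Iterator[list]:
    """Yield the supply chain of the fitted part and of every alternate."""
    yield component["supply_chain"]
    for alt in component.get("alternates", []):
        yield alt["supply_chain"]

def find_denied(hbom: dict, denied: set, intelligent_only: bool = True) -> list:
    """Return (ref, vendor, tier) for each denied vendor found in the HBOM.

    tier 0 is the component's manufacturer (a third party to the buyer),
    tier 1 that manufacturer's own supplier (a fourth party), and so on.
    By default only intelligent components (ICs, chips) are screened.
    """
    findings = []
    for comp in hbom["components"]:
        if intelligent_only and not comp["intelligent"]:
            continue
        for chain in _variants(comp):
            for tier, vendor in enumerate(chain):
                if vendor.lower() in denied:
                    findings.append((comp["ref"], vendor, tier))
    return findings

if __name__ == "__main__":
    print(find_denied(HBOM, DENIED_VENDORS))
```

Running it flags the Wi-Fi module only through its alternate part and the power controller only through its fourth-party supplier; the capacitor is skipped unless `intelligent_only=False`.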

“There can be more [on a board] than what’s in the specs. You need to understand what should be there,” Crossley said. “I’ve seen some excellent research talks and examples where additional tech in chips have been put on the board. Those are targeted in specific cases. In mass production cases, it’s much harder to make that kind of change. That’s why we haven't seen national news in that respect.”

Crossley also covers a number of other aspects related to HBOMs, including their machine readability, who consumes them and how, the complexities of chip manufacturing, HBOM benefits and challenges, and what types of working groups may be needed soon to spur more development and adoption of HBOMs.

Michael Mimoso, Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
