Abstract
Critical infrastructure today consists of cyber-physical systems and is therefore also vulnerable to cyber threats. Many of these threats come from within, through malicious code in software updates or bugs that can be exploited. Further exacerbating the issue is the fact that most software suppliers in critical infrastructure develop proprietary systems and give out minimal information about the composition of their software products. With the US introduction of a Software Bill of Materials (SBOM) requirement for federal information systems, those systems are better prepared to deal with cyber incidents. This article examines regulations regarding software in critical infrastructure, and whether there is any benefit to mandating SBOMs in critical infrastructure.