In this episode of The PrOTect OT Cybersecurity podcast, we have the pleasure of hosting Matt Wyckhouse, co-founder and CEO of Finite State. We delve deep into the changing landscape of Operational Technology (OT) security, and more specifically, the critical role of SBOMs (Software Bill of Materials) in our digitalized world.
Matt Wyckhouse sheds light on the increase in digitalization across industries and how off-the-shelf equipment and open-source software have gradually replaced specialized and isolated components in OT systems. While this shift has boosted efficiency in OT networks, it has inadvertently invited cybersecurity threats. In the haste to improve connectivity and functionality, security risks have often been given short shrift.
As he and Aaron further discuss open source software and the benefits of transparency, Wyckhouse draws attention to the complexities inherent in deciphering the vulnerability landscape. Complex software supply chains, combined with an evolving threat landscape, have made vulnerability research on OT equipment more accessible, which could attract potential threat actors.
In light of these challenges, Matt Wyckhouse emphasizes the importance of SBOMs in cybersecurity. An SBOM can offer asset owners and security professionals insight into third-party software within their systems, thereby enabling better risk management. This concept has the potential to revolutionize vulnerability management and incident response.
However, the journey towards effective software supply chain risk management is not without its hurdles. Matt shares insights on the challenges of implementing this shift, the importance of fostering collaborative relationships with vendors, and the need for compliance with secure software development standards like NIST. He also underscores the importance of mutual understanding over security testing and the need for a cooperative approach.
Wyckhouse explains that buyers can in some cases take the analysis into their own hands, such as performing binary analysis, and discusses Finite State's role in this process. He touches on remediation guidance for vulnerabilities and compensatory measures, and the importance of continuous data collection for visibility and security.
Some of the moral of this episode is not to blindly trust the products being integrated into our systems, but recognition of software supply chain security challenges are taking root. There’s a considerable amount of work to be done, but there is meaningful work being done in this space.
Still this summary acts as only a preview of this great discussion around SBOMs in OT security. For the full conversation be sure to listen to the full episode of The PrOTect OT Cybersecurity podcast. You wouldn't want to miss it!