Biden cybersecurity order tackles software risks in energy, other sectors following Colonial hack

Dive Brief:

• Following a series of cyberattacks that exposed vulnerabilities in the United States’ critical infrastructure, President Joe Biden signed an executive order May 12 aimed at bolstering defenses and transparency, including development of a Cyber Safety Review Board (CSRB) to assess major intrusions.
• The recent Colonial Pipeline attack and SolarWinds supply chain hack illustrate that software procurement and distribution is a major vulnerability, according to a senior White House official. “We routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure,” they said in a Wednesday evening briefing with reporters.
• To address this, the executive order requires the use of a Software Bill of Materials (SBOM) in government procurements, to allow for more efficient tracking of known vulnerabilities. The Edison Electric Institute (EEI), which represents investor-owned utilities, and the North American Transmission Forum (NATF), which serves as a forum for power transmission entities, have been collaborating with the federal government to pilot the use of SBOMs in the energy sector. 

Dive Insight:

Experts say the software supply chain is at the heart of critical infrastructure security, and the executive order is a step forward in shoring up vulnerabilities.

“You can’t protect what you can’t see. And too many organizations don’t have a full picture of what’s inside their software. Most aren’t even looking,” Brian Fox, chief technology officer at Sonatype, said in a statement. The company develops software to help manage supply chain security.

Software security requires “full visibility to all of the code in an application. An SBOM is the only way to do this,” Fox said.

SBOMs indicate what components are in a piece of software, allowing end users to track and patch vulnerabilities.  EEI and NATF have been working with the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) and the Department of Energy’s Idaho National Laboratory, launching a proof of concept program for the energy sector to utilize SBOMs.

The order “clearly acknowledges the value of government-industry partnership,” EEI President Tom Kuhn said in a statement, adding that the group supports improving coordination “across government and with the private sector.”

“We have long maintained that grid security is a shared responsibility,” Kuhn said.

Tom Alrich, a security consultant helping to organize the energy sector SBOM proof of concept, says modern software products contain hundreds or thousands of components and each of those can have vulnerabilities. The use of an SBOM can help track and patch issues and allow utilities to address them early on, during procurement. 

But Alrich also said in an email that “two big questions” about the federal government’s software requirements are “what the government agency will be able to do with the SBOM,” and how SBOMs will be revised and re-distributed as software is updated.

“Those two questions are being worked out during three industry proofs of concepts being conducted by the NTIA now,” Alrich said, for the for healthcare, automotive and energy industries.

White House officials say they intend to use “federal buying power to jumpstart the market for secure software by requiring that all software we buy meet these standards in nine months.”

Ralph Pisani, president of Exabeam, a security management platform, said the executive order “could serve as a positive push” towards changes needed in the country’s cybersecurity approach. It adds an “extra layer of accountability for vendors with government customers.”

The order also establishes the CSRB, and will require the incident review board have a private sector co-chair. The board will be modeled on the National Transportation Safety Board, which responds to transportation accidents and disasters.

The board “will convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity going forward,” the official said.

Alrich said the review board addresses a gap in security.

“The problem is that understanding what happened in an incident is crucial to improving cyber defenses, but it also requires a specialized organization focused on incident review. This addresses that need,” he said.