Experts recommend: Managing Risks in the Software Supply Chain of Industrial Equipment & Products

Experts recommend: Managing Risks in the Software Supply Chain of Industrial Equipment & Products

New expert whitepaper on managing risks in the software supply chain using IEC 62443 and automated software BOMs now available!

Düsseldorf/Germany, September 7, 2022 – With a new cybersecurity agenda, the German government wants to improve the security of industrial plants. That, however, does not seem to be materializing, criticizes the German Engineering Federation (VDMA). The association had expected broader support and promotion of resilience in the supply chain. „Unfortunately, the agenda does not meet this claim,“ says Claus Oetter, Managing Director Software & Digitalization at the VDMA, the largest network organization and an important voice for the mechanical engineering industry in Germany and Europe, in a press release. ONEKEY, a company specializing in plant and IoT security, confirms this and says: cyber attacks on „Industrial Automation and Control Systems“ (IACS) are on the rise. „In the past, IT and IoT systems were the main targets of cyber criminals. But the same threats, such as ransomware attacks and the interconnection of devices into massive botnets, are increasingly affecting IACS and posing a huge and barely calculable risk,“ explains Jan Wendenburg, CEO of ONEKEY and operator of one of the leading automated platforms for the automatic analysis of firmware used in industrial plant control systems of all kinds, especially critical infrastructure (CRITIS), as well as networked devices.

Software supply chain needs monitoring  
All too often it is made too easy for hackers, ONEKEY’s ongoing analyses reveal. „The internal components of the firmware and software required for operation are often unknown and dominated by a lack of transparency. Making the entire software supply chain transparent is even more difficult when the source code of the affected components is not available. An automated SBOM (Software Bill of Materials) created from the binary code can provide the transparency for everyone and enable the steps that policymakers still shy away from. In this case, the business community has to take over,“ says Wendenburg of ONEKEY. To this end, the company has published a white paper that decisively outlines the problem as well as solution scenarios. According to the VDMA, cyber criminals have already caused immense damage to software and digitalization of the German industry with so-called ransomware attacks. The costs of such cyber attacks are said to amount well to millions of euros per day, and production facilities are often at a standstill between four and eight weeks after a hacker attack, according to the VDMA. 

IEC 62443 guideline lays foundations  
The increased risk situation is leading to growing security requirements for plant owners and system integrators. Since 2009, the International Electrotechnical Commission (IEC) has developed a set of guidelines for the security of industrial automation and control systems: the IEC 62443. „In modern plants, 80 to 90 percent of the code base consists of third-party software components. Since much of the code base is not under the direct control of the vendor, a significant amount of the risk and exposure comes from third-party software components,“ adds Jan Wendenburg of ONEKEY. With the automated creation of SBOMs and vulnerability analyses on the basis of the ONEKEY compliance platform, a significant contribution is made to comply with IEC 62443-4-1 – with a high level of automation at the same time.

The complete whitepaper „Tackling Software Supply Chain Risks with IEC 62443 and SBOM“ can be downloaded here.

About ONEKEY:  
ONEKEY is a leading European specialist for automated security & compliance analysis for industrial (IIoT & ICS), manufacturing (OT) and Internet of Things (IoT) devices. Using automatically generated „Digital Twins“ and „Software Bill of Materials (SBOM)“ of devices, ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations, all without source code, device, or network access. Vulnerabilities for attacks and security risks are identified in the shortest possible time and can thus be specifically remedied. Easily integrated into software development and procurement processes, the solution enables manufacturers, distributors, and users of IoT technology to check security and compliance quickly and automatically before use, 24/7 throughout the product lifecycle. Leading companies, such as SWISSCOM, VERBUND AG and ZYXEL, are using this platform today – universities and research institutions can use the ONEKEY platform for study purposes free of charge.