Before we dig into SBOM and the software supply chain, let's discuss Nmap for a bit. I have written about Nmap in my previous topic, where the context was asset identification. Nmap is a powerful tool for asset identification when used with caution. We explained that using Nmap in OT networks is somewhat risky. Nmap ships with plenty of scripts, including ICS scripts that identify ICS ports and devices:
- bacnet-info.nse
- enip-info.nse
- fox-info.nse
- iec-identify.nse
- modbus-discover.nse
- omron-info.nse
- pcworx-info.nse
- s7-info.nse
Their names are self-evident, so there is no need to explain them. A reminder on usage: never run these scripts against a live production system or device. I came across an article that proves that a PLC went into defective/error mode after Nmap was run with one of the above scripts. That means it stopped operating; the impact is Denial of View and Loss of Availability. This is a big NO, in capital letters, in OT and ICS.
So, to continue with the benefits of Nmap: this time we want to use it for SBOM. Nmap helps us find running services and applications with their corresponding details (application name, version, port number, etc.). Be aware of false positives. Nmap can also help us identify vulnerabilities, and it can do so in several ways; see this guide on how to install and use them:
- Nmap-vulners scanner
- Nmap -vuln
- Nmap Vulscan
- NSE scripts and libraries
This paragraph is for beginners, those who are not familiar with programming. Software is composed of code that normally comes in the form of internal or external libraries or modules. Sometimes software has dependencies, and those dependencies are sometimes written by different developers. The code could be open or closed source. Not to mention code security or abandoned code, and the other issues that arise during the software development cycle. Please refer to my topic ICS/OT Supply Chain for more information.
Generating an SBOM is fairly simple, and you can do it yourself (DIY). However, an SBOM can become complex depending on the situation. Allow me to show you my simple method; this is my gift to organizations and individuals (new starters) who wish to know the security posture of their OT applications but don't have the resources to spend on complex or commercial SBOM solutions or on consultants. In this article, I will show you a general methodology. It is tool-agnostic: you can search for the tool that fits your needs and that you find practical. This methodology works on Linux, Mac, and Windows. As a bonus I will suggest some tools. If you know a good tool, please feel free to suggest it. You may find that some of the tools I have suggested are OS-specific or do only part of the job. Like I said, not all tools fit your goals and environment; you may need to use more than one tool to accomplish a task. Some tools require manual effort and others are automated. I have provided a link in the resources section below for more information.
How to generate an OT/ICS SBOM?
Stage 1: Find installed software. Package managers on Linux let you list installed software and libraries; use that as the initial step. On Windows, get and install tools that show installed applications. There are also external tools that do this step.
Stage 2: Find dependencies. Once you have identified an application, whether it is used in ICS/OT operations or not, it is time to see its dependencies (e.g. libraries). Write these down as the second step.
Stage 3: Find vulnerabilities. Search for vulnerabilities in these applications and their dependencies using tools or databases to see whether they have any known security issues.
That's how it's done in a nutshell; that's how to do an SBOM inventory. However, there are different SBOM formats: SPDX, SWID and CycloneDX. These formats are normally required by some organizations, and there are tools and guides to help you with that too. This article only helps you generate basic SBOM information. Make sure you know what information (metadata) you require and for what purpose, in order to choose the right tools and method.
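The three stages above, as an added example (not the author's tool or any of the suggested tools): it parses constructed samples of `dpkg-query` and `ldd` output, emits a minimal CycloneDX-style record and matches it against a constructed advisory table with placeholder ids. The package names, paths and advisory ids are assumptions, not real data.

```python
"""Three-stage SBOM inventory over parsed tool output (added example, not the author's tool)."""
import re
# Stage 1 sample: output of dpkg-query -W -f='${Package}\t${Version}\n'  (constructed)
DPKG_OUTPUT = "libmodbus5\t3.1.6-2\nopenssl\t1.1.1n-0+deb11u5\nscada-hmi\t2.4.0\n"

# Stage 2 sample: output of ldd /opt/scada-hmi/bin/hmi  (constructed; fictitious paths)
LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd3a9f0000)
\tlibmodbus.so.5 => /lib/x86_64-linux-gnu/libmodbus.so.5 (0x00007f3a1c2b0000)
\tlibssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f3a1c000000)
\tlibplcproto.so.1 => not found
"""

# Stage 3 sample: {package: [(affected_version, advisory_id)]}  (constructed, placeholder
# ids; in practice this table comes from NVD, CISA ICS advisories or vendor bulletins)
ADVISORIES = {"openssl": [("1.1.1n-0+deb11u5", "ADVISORY-ID-PLACEHOLDER-1")],
              "libmodbus5": [("3.1.5-1", "ADVISORY-ID-PLACEHOLDER-2")]}

LDD_RE = re.compile(r"^\s*(\S+)\s*=>\s*(.+?)(?:\s+\(0x[0-9a-f]+\))?$")


def parse_dpkg(text):
    """Stage 1: one 'name<TAB>version' line per installed package."""
    return [{"name": n.strip(), "version": v.strip()}
            for n, v in (row.split("\t", 1) for row in text.splitlines() if "\t" in row)]


def parse_ldd(text):
    """Stage 2: soname -> resolved path. 'not found' is kept as None because a missing
    library is itself a finding; vdso/loader lines carry no '=>' and are skipped."""
    deps = {}
    for line in text.splitlines():
        m = LDD_RE.match(line)
        if m:
            target = m.group(2).strip()
            deps[m.group(1)] = None if target == "not found" else target
    return deps


def build_sbom(app_ref, packages, deps):
    """Minimal CycloneDX-style document; real generators also add purls, hashes,
    supplier and licence data, which this example omits."""
    components = [{"type": "library", "name": p["name"], "version": p["version"],
                   "bom-ref": f"{p['name']}@{p['version']}"} for p in packages]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components,
            "dependencies": [{"ref": app_ref, "dependsOn": sorted(deps)}]}


def find_vulnerable(sbom, advisories):
    """Stage 3: exact-version match against the advisory table. Production scanners
    compare version ranges; here libmodbus5 3.1.6-2 correctly does not match 3.1.5-1."""
    return [(c["name"], c["version"], adv_id) for c in sbom["components"]
            for affected, adv_id in advisories.get(c["name"], []) if c["version"] == affected]
```

Unresolved libraries (a `None` path from `parse_ldd`) deserve their own line in the inventory, since a binary that cannot find a dependency may fail at runtime or pick up a library from an unexpected location.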
Suggested tools [Stage 1 + 2]: Syft by Anchore, Tern, SPDX SBOM Generator, Linux native package managers, dumpbin, ldd, objdump, Dependency Walker, dll-files.com, discoversdk.com
Suggested tools [Stage 3]: nvd.nist.gov, cisa.gov/uscert/ics/advisories, ShiftLeft Scan, CVE-Scanner-for-your-SW-BOM
Resources: