What is an SBOM?
An SBOM (Software Bill of Materials) is a detailed list of all software components, libraries, and dependencies present in a software product or Embedded system.
In OT environments, an SBOM is crucial for understanding which vulnerable components are present in Firmware or industrial software, and how quickly they can be addressed.
🧠 Why is an SBOM important?
| Benefit | Description |
|---|---|
| Transparency | Insight into all (open-source) components in use |
| Rapid vulnerability analysis | Detection of CVEs in known libraries or dependencies |
| Supplier risk management | Understanding of software origin from third parties |
| Compliance & regulation | Required under, among others, the Cyber Resilience Act, NIS2, ISO 27036 |
| Faster incident response | When a vulnerability becomes public (e.g. Log4Shell), quickly determine whether your assets are affected |
🏭 SBOM in OT context
| Application | Example |
|---|---|
| Firmware of PLC | Contains a list of internal OS components and protocol stacks |
| HMI software from supplier | List of Qt, OpenSSL, or database components |
| Remote Access gateway | Insight into cryptography and authentication logic in use |
| Cloud SCADA platform | Transparency on back-end modules and dependencies in use |
🧩 Formats & standards
| Format | Description |
|---|---|
| SPDX | Widely used and supported by the Linux Foundation |
| CycloneDX | SBOM standard focused on security and DevSecOps |
| SWID | Software ID Tags – more focused on licence management |
In many cases, vendors deliver SBOMs in SPDX or CycloneDX format as a JSON/XML file.
🔐 SBOM & Cybersecurity
| Security measure | Relation to SBOM |
|---|---|
| Vulnerability Management | CVE scanning based on SBOM components |
| Patch management | Targeted updates of vulnerable modules from the SBOM |
| Supplier Security | Setting requirements for software transparency from suppliers |
| Threat Intelligence | Linking the SBOM to threats in real time (zero-day alerts) |
| Firmware Signing | Verifying that the SBOM and binaries match |
✅ Best practices
- Request an up-to-date SBOM from every new software supplier
- Integrate SBOMs into your Asset Inventory and CMDB
- Scan SBOMs regularly for new vulnerabilities (CVEs)
- Document SBOM checks in your Third Party Risk Management
- Combine SBOM with Code Signing and Secure Boot for full supply chain control
📌 In summary
An SBOM makes visible what really runs in your industrial software. It forms the foundation for vulnerability management, supplier transparency, and Compliance.