Geopolitical Tensions Force Critical Infrastructure to Focus on 'Trust-Driven Sourcing' and SBOMs

Cyber Sovereignty and Supply Chain Risk Become Top Concerns for Critical Infrastructure

INFORMATIONAL
April 27, 2026
Supply Chain Attack, Policy and Compliance, Industrial Control Systems

Executive Summary

Operators of critical national infrastructure (CNI) are increasingly prioritizing supply chain security and the concept of cyber sovereignty in response to a volatile geopolitical landscape. The growing understanding that adversaries can and do exploit third-party vendor relationships to launch devastating attacks has prompted a strategic re-evaluation of procurement and risk management. This has led to a push for 'trust-driven sourcing' and a focus on an organization's ability to maintain operational control without dependence on technology from potentially adversarial nations. Regulators are amplifying this trend, demanding greater transparency and resilience, with tools like the Software Bill of Materials (SBOM) emerging as a key mechanism for illuminating and managing supply chain risk.

Regulatory Details

The shift towards cyber sovereignty is moving from a theoretical concept to a practical requirement for CNI operators. It is being defined as an organization's capacity to operate and defend its critical systems with full control and assurance, independent of technology that could be influenced or compromised by a foreign government. This involves a deep understanding of the entire technology stack, from hardware components to software libraries.

Regulators are increasing their scrutiny and demanding more than just compliance checkboxes. They are pushing for tangible evidence of supply chain risk management, which includes:

  • Vendor Vetting: Deeper due diligence on the origin, ownership, and security practices of all vendors, especially those providing technology for Operational Technology (OT) environments.
  • Software Transparency: Mandating or strongly encouraging the use of SBOMs to identify all components within a piece of software, including open-source libraries and dependencies from 'long-tail' vendors.
  • Converged IT/OT Security: Recognizing that a compromise in the IT supply chain can pivot to affect the OT environment, regulators are looking for holistic security programs that cover both domains.

Affected Organizations

This trend affects all sectors designated as critical infrastructure, including:

  • Energy (power generation, transmission)
  • Water and Wastewater Systems
  • Transportation
  • Telecommunications
  • Healthcare
  • Finance

Any organization whose disruption could have a debilitating effect on national security, economic security, or public health and safety is at the center of this strategic shift.

Compliance Requirements

While specific regulations vary by country and sector, the overarching compliance requirements are coalescing around the need for proactive supply chain risk management.

  1. Risk Assessment: Organizations must be able to identify, assess, and document the risks associated with each vendor and software component in their supply chain.
  2. SBOM Generation and Consumption: Organizations are increasingly expected to both generate SBOMs for the software they produce and consume/analyze SBOMs for the software they procure.
  3. Vulnerability Management: Upon identifying a vulnerability in a supply chain component (via an SBOM), organizations must have a process to rapidly assess their exposure and deploy mitigations or patches.
  4. Incident Response Planning: Supply chain attack scenarios must be explicitly included in incident response plans and tabletop exercises.

Impact Assessment

The focus on cyber sovereignty and supply chain security has significant business and operational impacts. It can increase procurement costs and complexity as organizations move away from the cheapest option to the most trustworthy one. It requires new skill sets and tools for managing SBOMs and analyzing software composition. However, the long-term benefit is greater operational resilience and a reduced risk of catastrophic failure due to a supply chain compromise. For vendors, providing transparency through SBOMs and demonstrating robust security practices is becoming a competitive advantage and a prerequisite for doing business in the critical infrastructure sector.

Compliance Guidance

Critical infrastructure operators should take the following steps to align with this evolving landscape:

  • Establish a Supply Chain Risk Management (SCRM) Program: Create a formal, cross-functional program dedicated to managing supply chain risk, with executive sponsorship.
  • Integrate SBOMs into the Procurement Lifecycle: Require SBOMs from vendors as a condition of purchase. Use software composition analysis (SCA) tools to analyze these SBOMs for known vulnerabilities and risky dependencies.
  • Map Your Dependencies: Go beyond direct vendors and map out the 'long-tail' dependencies in your critical software. Understand which open-source projects or minor vendors your key systems rely on.
  • Embrace 'Trust-Driven Sourcing': Redefine procurement criteria to weigh a vendor's security posture, transparency, and geopolitical origin alongside cost and features. Prioritize vendors who can provide strong assurances about their development lifecycle and component sourcing.
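The SBOM consumption, long-tail dependency mapping and exposure assessment steps described in the Compliance Requirements and Compliance Guidance above, as an added example that is not part of the original article: a small Python consumer for a CycloneDX-style SBOM. The SBOM, the product names and the advisory feed are all constructed for illustration; the advisory identifiers are placeholders, not real CVEs.

```python
import json
from collections import deque
# Constructed sample SBOM in CycloneDX JSON shape (hypothetical product, not a real vendor document).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:generic/plc-hmi@4.2.0", "name": "plc-hmi", "version": "4.2.0"}},
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
    {"bom-ref": "pkg:pypi/urllib3@1.26.5", "name": "urllib3", "version": "1.26.5"},
    {"bom-ref": "pkg:generic/modbus-lib@0.9.1", "name": "modbus-lib", "version": "0.9.1"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/plc-hmi@4.2.0", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:generic/modbus-lib@0.9.1"]},
    {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@1.26.5"]}
  ]
}"""
SBOM = json.loads(SBOM_JSON)
# Constructed advisory feed with placeholder ids (not real CVEs); affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "urllib3", "introduced": "1.0.0", "fixed": "1.26.6"},
    {"id": "ADV-EXAMPLE-002", "name": "modbus-lib", "introduced": "0.0.0", "fixed": "0.9.0"},
]
def parse_version(v):
    return tuple(int(x) for x in v.split("."))  # '1.26.5' -> (1, 26, 5), comparable as tuples

def transitive_deps(sbom, root):
    """Breadth-first walk of the 'dependencies' graph; returns {bom-ref: depth} for root's descendants."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, queue = {}, deque([(root, 0)])
    while queue:
        ref, depth = queue.popleft()
        for child in edges.get(ref, []):
            if child not in seen:  # guards against cycles and diamond dependencies
                seen[child] = depth + 1
                queue.append((child, depth + 1))
    return seen

def find_exposed(sbom, advisories):
    """Match each transitive component against the advisories; returns [(advisory id, bom-ref, depth)]."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    hits = []
    for ref, depth in transitive_deps(sbom, sbom["metadata"]["component"]["bom-ref"]).items():
        c = comps.get(ref)
        if c is None:
            continue  # dependency listed with no component entry: the SBOM is incomplete
        ver = parse_version(c["version"])
        for adv in advisories:
            if adv["name"] == c["name"] and parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                hits.append((adv["id"], ref, depth))
    return hits
```

The depth value shows how far down the long tail a hit sits (here urllib3 is pulled in only through requests), which is the information procurement and patch-prioritisation decisions need; modbus-lib is not reported because its version is already past the fixed release.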

MITRE ATT&CK Mitigations

Verify the integrity and origin of software components through digital signatures.

Use SBOMs to quickly identify and patch vulnerable components within the software supply chain.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Supply Chain Security, Cyber Sovereignty, SBOM, Critical Infrastructure, OT Security, Risk Management
