2025 Software Manufacturing Predictions: SBOMs, Regulations, and More

As we head into 2025, experts weigh in on trends affecting software products in the medical, vehicle, and energy sectors. They also talk about manufacturer readiness for the EU Cyber Resilience Act, and other legislation coming their way. Below, we’ve broken out predictions based on the sectors.

Medical Sector

Predictions by Melissa Rhodes, SBOM Program Manager, Medtronic Product Security Office

Yes, you read that right. Melissa Rhodes is an SBOM program manager working in the product security office. A search didn’t turn up statistics on the prevalence of this new role, but Rhodes’s title signals the normalization of SBOM compliance in global manufacturers, at least in the critical medical sector. To that end, she makes the following two predictions related to SBOM attributes and vulnerability matching data:

More consistent SBOM attributes: “The attributes declared in SBOMs to uniquely identify software components will become more consistent over the next year for a couple of reasons,” Rhodes notes. “The first reason is that the third edition of the Framing SBOM Component Transparency publication was published in September and can assist creators with identifying consistent component attributes. The second reason is the growing need for SBOM data to move between tools for different aspects of risk assessment, which will necessitate that vendors focus on making SBOM data more consistent to ensure tooling interoperability.”

More effective methods for matching vulnerability data: Rhodes also predicts that FDA and other regulations and guidance will improve matching methods for vulnerability data. In her words, “With the FDA’s cybersecurity guidance and the recently published MITRE report about normalization challenges for SBOM data, the healthcare industry will push for a more effective method for matching vulnerabilities to software components than what is currently available. Without effective matching methods, software components could be listed in SBOMs but then not provide the vulnerability information needed to monitor medical devices to keep them safe and secure.”
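As an added example (not from the post or from any of the quoted experts), the two predictions above in code: a check that each SBOM component declares the attributes needed to identify it uniquely, and a purl-based match against a vulnerability feed showing why a component without an identifier is listed in the SBOM yet cannot be monitored. The SBOM entries, the feed, and the vulnerability IDs are constructed placeholders, and the purl parser assumes the simple pkg:type/name@version form.

```python
import re

# Constructed CycloneDX-style component list (hypothetical SBOM content).
SBOM_COMPONENTS = [
    {"name": "zlib", "version": "1.2.11", "supplier": "zlib.net",
     "purl": "pkg:generic/zlib@1.2.11"},
    {"name": "OpenSSL", "version": "3.0.7", "supplier": "OpenSSL Project",
     "purl": "pkg:generic/OpenSSL@3.0.7"},
    {"name": "rtos-kernel", "version": "4.1"},  # no supplier, no purl
]

# Constructed vulnerability feed keyed by purl; IDs are placeholders, not real CVEs.
VULN_FEED = {
    "pkg:generic/zlib@1.2.11": ["EXAMPLE-VULN-0001"],
    "pkg:generic/openssl@3.0.7": ["EXAMPLE-VULN-0002"],
}

# Minimum identifying attributes an SBOM consumer needs for matching.
REQUIRED = ("name", "version", "supplier", "purl")


def normalize_purl(purl: str) -> str:
    """Lower-case the type and name so 'OpenSSL' and 'openssl' match; keep the
    version as-is. Assumes pkg:type/name@version with no namespace/qualifiers."""
    m = re.fullmatch(r"pkg:([^/]+)/([^@]+)@(.+)", purl)
    if not m:
        raise ValueError(f"unsupported purl form: {purl}")
    ptype, name, version = m.groups()
    return f"pkg:{ptype.lower()}/{name.lower()}@{version}"


def missing_attributes(component: dict) -> list:
    """Return the required identifying attributes the component does not declare."""
    return [a for a in REQUIRED if not component.get(a)]


def match_vulnerabilities(components: list, feed: dict) -> dict:
    """Map each component name to its matched vulnerability IDs. A component with
    no purl maps to None: it is in the SBOM but cannot be matched or monitored."""
    normalized_feed = {normalize_purl(k): v for k, v in feed.items()}
    results = {}
    for c in components:
        if not c.get("purl"):
            results[c["name"]] = None
            continue
        results[c["name"]] = normalized_feed.get(normalize_purl(c["purl"]), [])
    return results


if __name__ == "__main__":
    for c in SBOM_COMPONENTS:
        print(c["name"], "missing:", missing_attributes(c))
    print(match_vulnerabilities(SBOM_COMPONENTS, VULN_FEED))
```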

Auto Sector

Predictions from Darwin Sanoy, field CTO at GitLab

Darwin Sanoy from GitLab predicts that regulatory requirements, particularly with regard to cyber-physical devices in the critical transportation sector, will tighten up, especially in Europe, where manufacturers are still trying to catch up with ISO 26262 functional safety standards.

Regulations go beyond functional safety: “Functional safety is about ensuring that anything with embedded software where there’s a risk of harming humans, that there’s substantial work done to protect humans. Now manufacturers have to comply with UN 155 [a new regulation developed by the United Nations that came into full force in July 2024], which is focused around cybersecurity and cybersecurity management related to connected vehicles of any kind. This was related to a famous hack into a car through a tire pressure monitor.”

More pressure on supply chain: Sanoy describes the automotive industry supply chain as a massive conglomeration of subassemblies, many of which carry electronic and software features. “Even an airbag has some electronics in it, and this is just one of many parts shipped to multiple manufacturers who install them in their vehicles. Everyone along the supply chain has a duty of care to make sure what they build also follows cybersecurity standards and regulations around the globe.”

Driving demand for automation across the SDLC: These and other issues will drive demand for integrated, automated development platforms, adds Sanoy. “It will be increasingly important to implement platforms that manage all the intrinsic cognitive load of software security and compliance from day one. Core developers for embedded systems, especially for transportation, have more cognitive load without having to learn how to manage the software factory. That part needs to be automated.”

Consumer Embedded Systems

Predictions by Joel Krooswyk, federal CTO at GitLab

When it comes to consumer electronics, Joel Krooswyk of GitLab points to the EU Cyber Resilience Act (still in draft form), which doesn’t apply to vehicles and other well-regulated manufacturing, but will apply to 26 types of embedded systems such as phones and smart home devices.

Manufacturers not ready for the EU CRA: “I suspect that a large percentage of vendors who utilize embedded systems may not be ready for automated compliance with CRA. Some vendors can manually assemble an SBOM or run static analysis scans on code today, though others cannot,” Krooswyk explains. “Securing code and quantifying inclusions regularly in the software development process will be an automation challenge for many more. Without automation, CRA compliance will be notably more difficult for any vendor selling into the EU.”

Memory safety vulnerabilities in C and C++ overburden manufacturers: Krooswyk also brings up the issue of memory safety, adding that 70 percent of all critical vulnerabilities come from memory-unsafe code, and nearly four-fifths of embedded code is based in C (which is memory-unsafe). “Will any additional scrutiny be given to C-based systems, which have been proven to be more vulnerable over time?” he asks. “This could potentially generate a new, sizable burden on embedded manufacturers as they consider refactoring their code bases.”

Energy Sector (and continued viability of CISA)

Predictions by Dick Brooks, Co-founder and Lead Software Engineer at Business Cyber Guardian

Energy supply chain risk management will improve: Dick Brooks, who spoke with us recently about the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure by Default drive, predicts that the energy industry will update its Supply Chain Risk Management practices following NIST guidance to better protect the electric grid from software supply chain risks. He points to FERC in Docket RM24-4-000 identifying the NIST guidance most likely to impact the energy industry. As a result, he thinks the energy industry will adopt more of the actual NIST language in whatever is produced in final form.

CISA’s continued role in secure-by-design: And, having been active in CISA’s SBOM and software supply chain efforts for decades, Brooks doesn’t think that the agency’s role in critical infrastructure protection will diminish under a new presidential administration. If anything, support for CISA’s mission is likely to grow. “The new administration will continue to support strong cybersecurity practices with South Dakota entities taking a more active role in implementing radical transparency and secure-by-design best practices to protect consumers from harm.” 

Personally, Brooks is directly lobbying to keep CISA’s National Risk Management Center funded, and he cites how hard it would be to slow the spectacular momentum of the agency. “Secure by default and design seems to have caught on! It’s now part of the EU CRA Annex I; SBOM is being implemented broadly, so I doubt we will see these go away. Everyone needs to be rowing together to achieve success, following National Institute of Standards and Technology (NIST) standards and CISA Guidelines.”
