Control Systems Cybersecurity USA (8th annual live)

Thursday, September 23, 2021

- EDT
Working Together to Achieve Supply Chain Transparency (Physical Live)
Tony Turner
Fortress Information Security, VP Security Solutions

The topic of a software bill of materials (SBOM) to provide transparency into software supply chain risks and vulnerabilities for critical infrastructure is gaining momentum through efforts such as Cybersecurity Executive Order 14028 and the EEI Model Procurement Contract Language. Additionally, demand for suppliers to provide insight into their hardware supply chains and foreign adversarial risks is creating the need for compliance with NDAA Section 889. These requests for transparency have raised many questions about how to meet the requirements, and how to do so in a secure fashion.


Join Fortress Information Security to learn how a Cyber Bill of Materials can support supply chain risk management for asset owners and suppliers alike.


Presentation Highlights and Take-Aways:

- An overview of recent cyber-attacks and the supply chain threat landscape for ICS
- Breakdown of supply chain security regulations: Section 889 A & B, NERC CIP regulations and Executive Order 14028
- The importance of both a Software Bill of Materials (SBOM) and a Hardware Bill of Materials (HBOM), and 4th-party evaluations
- Identifying and mitigating supplier concerns for adoption: cutting through the fear, uncertainty and doubt
- Continuous monitoring, attestation sharing and use of blockchain as a force multiplier to secure the industry
- BOM supplier and purchaser coordination for success

- EDT
Panel: How do SBOMs work and how do asset owners deploy one? (Physical and Virtual)
Eric Byres (Virtual pres)
aDolus Technology Inc, CEO
Tony Turner
Fortress Information Security, VP Security Solutions
Chris Blask
Advisor and SME, Chair ICS ISAC
Steve Springett (Virtual pres)
OWASP CycloneDX Core Working Group, Chair of the OWASP CycloneDX Core Working Group

How do SBOMs currently work (with examples)? What are they? Who is currently using them?
How can asset owners use an SBOM?

Additional dialogue if time allows:
Are SBOMs secure? Is the code being updated upstream?
Who is going to maintain SBOMs?
Who at the facility (asset owner/end user) is responsible for maintaining and monitoring the SBOM?

Friday, September 24, 2021

- EDT
Panel: How Can We Manage Risk Faster? (Physical and Virtual)
Andrew Kling
Schneider Electric, Product Security Officer
Michael Lester (Virtual pres)
Emerson Automation Solutions, Director of Cybersecurity Strategy, Governance and Architecture
Tony Turner
Fortress Information Security, VP Security Solutions

Further panellists to be announced.

OEMs are taking a more active approach to product security and development. Patching is one of the oldest and most traditional ways to manage risk, but it is also a slow and expensive way to manage risk, so it is frequently avoided in the OT world. What else should be considered to manage risk?