Thursday, September 23, 2021
The topic of software bill of materials (SBoM) to provide transparency into software supply chain risks and vulnerabilities for critical infrastructure is gaining momentum through such efforts as the Cybersecurity Executive Order 14028 and the EEI Model Procurement Contract Language. Additionally, demand for suppliers to provide insights into their hardware supply chains and foreign adversarial risks is producing the need for compliance with NDAA Section 889. These requests for transparency have raised many questions about how to meet the requirements, and how to do so in a secure fashion.
Join Fortress Information Security to learn how a Cyber Bill of Materials can support supply chain risk management for asset owners and suppliers alike.
Presentation Highlights and Take-Aways:
· An overview of recent cyber-attacks and the supply chain threat landscape for ICS
· Breakdown of supply chain security regulations: Section 889 A & B, NERC-CIP regulations and Executive Order 14028
· The Importance of both Software (SBOM) and Hardware Bill of Materials (HBOM) & 4th Party Evaluations
· Identifying and mitigating supplier concerns for adoption – Cutting through the Fear, Uncertainty and Doubt
· Continuous Monitoring, Attestation sharing and use of Blockchain as a force multiplier to secure the industry
· BOM supplier and purchaser coordination for success
How do SBOMs currently work (examples)? What are they? Who is currently utilizing them?
How can asset owners use SBOM?
Additional dialogue if time allows:
Are they secure? Is the code being updated upstream?
Who is going to maintain SBOMs?
Who at the facility (asset owner/end user) is responsible for maintaining and monitoring the SBOM?
Friday, September 24, 2021
Further panellists to be announced.
OEMs are taking a more active approach to product security and development. Patching is one of the oldest and most traditional ways to manage risk. It is also a slow and expensive way to manage risk, so it is frequently avoided in the OT world. What else should be considered to manage risk?