Bomb (SBOM) and Patch?

I’m excited about the novel, important and practical implications of two sessions related to patching ICS at S4x20. So excited that we put both of them in keynote blocks.

The first is a follow-on to the very popular S4x19 session on replacing the CVSS. The session is entitled: What to Patch When … Automating and Replacing the CVSS. It leverages an improved version of Art Manion's Never, Next, Now decision-tree model, first presented at S4x19, which replaces a numeric severity score with a decision about when the patch is applied. Hopefully it will be a big step forward in pushing back against the practice of measuring ICS security progress and posture by how fast all patches can be applied to all ICS vulnerabilities. This will provide an answer to the what-to-patch-when question.

The second part is equally important: automating the decision. We, the community, will fail if we invent a process that requires subject matter experts to review each vulnerability and patch … no matter how perfect that process is. The exciting takeaway from this presentation is that the decision can be made contextually and automatically for anything in your asset inventory, using what you already know about each asset (where it sits, what it is exposed to, what it controls). I look forward to leading this discussion with Art Manion and Ralph Langner.

The second is Ok, An SBOM Exists. Now What? Allan Friedman of NTIA has been working with vendors to create software bills of materials (SBOMs) and preaching the value of SBOMs at cybersecurity conferences all over the world. For the advanced S4 audience, the what and why of an SBOM is obvious. How will you know what vulnerabilities exist in your applications, components, devices and systems without an SBOM, i.e. without a component-level list of what software and firmware is actually inside them? So we don't need the standard SBOM session.
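To make the two ideas above concrete (matching an SBOM against vulnerability data so you know what applies to you, and then making the Never, Next, Now decision automatically from asset-inventory context rather than by expert review), here is an added example. It is not code from the sessions, from Art Manion's model, or from NTIA; the SBOM, the vulnerability records (HYPO-… identifiers, not real CVEs), the asset inventory and the decision criteria (exploitation status, remote reachability, safety criticality) are all constructed for illustration.

```python
import json

# Constructed SBOM in a CycloneDX-like shape for a hypothetical controller firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.2",
  "metadata": {"component": {"name": "example-controller-firmware", "version": "3.1.0"}},
  "components": [
    {"name": "libfoo-tls",  "version": "1.4.2", "purl": "pkg:generic/libfoo-tls@1.4.2"},
    {"name": "webcfg",      "version": "2.0.7", "purl": "pkg:generic/webcfg@2.0.7"},
    {"name": "rtos-kernel", "version": "5.2",   "purl": "pkg:generic/rtos-kernel@5.2"}
  ]
}
"""

# Constructed vulnerability feed. Identifiers are hypothetical, not real CVEs.
# "remote" = exploitable over the network; "exploited" = exploitation observed in the wild.
VULN_FEED = [
    {"id": "HYPO-2019-0001", "purl": "pkg:generic/libfoo-tls@1.4.2",  "remote": True,  "exploited": True},
    {"id": "HYPO-2019-0002", "purl": "pkg:generic/webcfg@2.0.7",      "remote": True,  "exploited": False},
    {"id": "HYPO-2019-0003", "purl": "pkg:generic/rtos-kernel@5.2",   "remote": False, "exploited": False},
    # Affects a webcfg version this SBOM does not contain; the SBOM match should drop it.
    {"id": "HYPO-2019-0004", "purl": "pkg:generic/webcfg@1.9.0",      "remote": True,  "exploited": True},
]

# Constructed asset inventory: the same firmware deployed in two different contexts.
ASSETS = [
    {"asset": "PLC-07", "reachable_from_it": False, "safety_critical": True},
    {"asset": "HMI-02", "reachable_from_it": True,  "safety_critical": False},
]


def components_by_purl(sbom_json):
    """Index the SBOM's components by package URL (exact version match)."""
    sbom = json.loads(sbom_json)
    return {c["purl"]: c for c in sbom["components"]}


def applicable_vulns(sbom_json, vuln_feed):
    """Keep only vulnerabilities whose affected component/version is in the SBOM."""
    present = components_by_purl(sbom_json)
    return [v for v in vuln_feed if v["purl"] in present]


def decide(vuln, asset):
    """Illustrative Never/Next/Now decision tree (assumed criteria, not Manion's published tree).

    Now:   remotely exploitable, the asset is reachable from IT, and exploitation is observed.
    Next:  reachable and remotely exploitable but not yet exploited, or exploited on a
           safety-critical asset that is not directly reachable.
    Never: everything else waits for the next scheduled outage (no out-of-cycle patch).
    """
    exposed = vuln["remote"] and asset["reachable_from_it"]
    if exposed and vuln["exploited"]:
        return "Now"
    if exposed or (vuln["exploited"] and asset["safety_critical"]):
        return "Next"
    return "Never"


def triage(sbom_json, vuln_feed, assets):
    """Return {(asset, vuln_id): decision} for every applicable vuln on every asset."""
    decisions = {}
    for asset in assets:
        for vuln in applicable_vulns(sbom_json, vuln_feed):
            decisions[(asset["asset"], vuln["id"])] = decide(vuln, asset)
    return decisions


if __name__ == "__main__":
    for (asset, vuln_id), decision in sorted(triage(SBOM_JSON, VULN_FEED, ASSETS).items()):
        print(f"{asset:8} {vuln_id:16} {decision}")
```

The point of running the same firmware through two asset records is that the SBOM answers "does this vulnerability apply to me at all" (HYPO-2019-0004 drops out because that webcfg version is not in the bill of materials), while the asset context answers "when do I patch": the identical exploited TLS flaw comes out as Now on the IT-reachable HMI and Next on the isolated safety-critical PLC, with no analyst in the loop.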

As they make progress in getting SBOMs created, the real question is what the ICS community should do with them once they exist. Do we expect asset owners to track all vulnerabilities in all software and firmware in their ICS? Will they place this responsibility on the vendors? Will vendors track and process this at no charge? Does an SBOM become public? Allan will lead a discussion with a vendor (David Foose from Emerson) and an asset owner (tba).