In this session we uncover the five key supply chain risks to ICS software and firmware. We'll show you specific examples of each of these threats, and we'll introduce a DHS-funded framework for safeguarding against ICS supply chain attacks. Finally, we'll show you how to satisfy security requirements such as NERC CIP-013 without introducing onerous or error-prone processes:
- Verification of software integrity and authenticity: Learn how to ensure that your staff are not loading counterfeit or tampered software and firmware into critical systems.
- Vulnerability detection and disclosure: Learn how to generate a Software Bill of Materials (SBoM) to reveal unexpected sub-components that may contain vulnerabilities or malware.
- Validation of firmware versions: Learn how to ensure that firmware is an up-to-date version, tested and approved by the vendor rather than an unauthorized or obsolete version.
- Validation of certificate chains: Learn how to detect fraudulently signed packages masquerading as authentic, avoiding Stuxnet-style attacks where a vendor's code-signing private keys have been stolen.
- Detection of blacklisted products: Learn how to uncover sub-components in software from banned suppliers.
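The following is an added illustration, not code from the session or from the DHS-funded framework it describes. It shows what the integrity, version and banned-supplier checks above look like when automated as a single admission gate that runs before an image is loaded onto a controller. All inputs are constructed: the firmware bytes, the product name `plc-ctrl`, the vendor manifest, the supplier deny-list and the CycloneDX-like SBOM are stand-ins. Certificate-chain validation is deliberately left out, since Python's standard library has no X.509 chain verifier and that check belongs to a signature-verification tool. Note that the published digest must be obtained out-of-band (signed release notes, vendor portal); a digest fetched from the same download as the image proves nothing.

```python
import hashlib
import json
from dataclasses import dataclass, field

# --- Constructed sample inputs (not from the talk) ------------------------
# Two firmware images standing in for vendor downloads, plus a copy of the
# current one with a single byte flipped to simulate tampering in transit.
CURRENT_IMAGE = b"PLC-CTRL firmware 3.2.1 build 0417\x00" + bytes(range(64))
OLD_IMAGE = b"PLC-CTRL firmware 3.2.0 build 0391\x00" + bytes(range(64))
TAMPERED_IMAGE = CURRENT_IMAGE[:-1] + b"\xff"

# Vendor manifest of approved builds with the SHA-256 digests the vendor
# publishes out-of-band. Real digests must come from a signed release note or
# vendor portal, never from the same download as the image itself.
VENDOR_MANIFEST = {
    "plc-ctrl": {
        "3.2.1": hashlib.sha256(CURRENT_IMAGE).hexdigest(),
        "3.2.0": hashlib.sha256(OLD_IMAGE).hexdigest(),
    }
}

# Deny-list of suppliers whose components may not be loaded (constructed name).
BANNED_SUPPLIERS = {"Untrusted Components Ltd"}


def _sbom(components):
    """Serialise a component list in a CycloneDX-like JSON shape (constructed)."""
    return json.dumps({"bomFormat": "CycloneDX", "components": components})


CLEAN_SBOM = _sbom([
    {"name": "rtos-kernel", "version": "5.1", "supplier": {"name": "Vendor RTOS Inc"}},
    {"name": "tls-lib", "version": "3.0.8", "supplier": {"name": "OpenSSL Software Foundation"}},
])
SBOM_WITH_BANNED = _sbom(json.loads(CLEAN_SBOM)["components"] + [
    {"name": "modbus-stack", "version": "2.4.0", "supplier": {"name": "Untrusted Components Ltd"}},
])


# --- Admission check -------------------------------------------------------
@dataclass
class Verdict:
    ok: bool
    findings: list = field(default_factory=list)


def _version_key(v):
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def check_firmware(product, version, image, sbom_json,
                   manifest=VENDOR_MANIFEST, banned=BANNED_SUPPLIERS):
    """Decide whether an image may be loaded. Any finding blocks the load."""
    findings = []
    approved = manifest.get(product, {})

    # 1. Authorised version: the version must appear on the vendor's approved list.
    if version not in approved:
        findings.append(f"version {version} of {product} is not on the vendor's approved list")
    else:
        # 2. Integrity: the SHA-256 of the downloaded bytes must match the published digest.
        actual = hashlib.sha256(image).hexdigest()
        if actual != approved[version]:
            findings.append(f"SHA-256 mismatch for {product} {version}: got {actual[:16]}...")
        # 3. Currency: anything older than the newest approved build is treated as obsolete.
        newest = max(approved, key=_version_key)
        if _version_key(version) < _version_key(newest):
            findings.append(f"version {version} is obsolete; newest approved build is {newest}")

    # 4. Banned sub-components: walk the SBOM and flag components from deny-listed suppliers.
    try:
        components = json.loads(sbom_json).get("components", [])
    except (json.JSONDecodeError, AttributeError):
        findings.append("SBOM is missing or unparseable; cannot audit sub-components")
        components = []
    for comp in components:
        supplier = comp.get("supplier", {}).get("name", "")
        if supplier in banned:
            findings.append(f"component {comp.get('name')} {comp.get('version')} "
                            f"is from banned supplier {supplier}")

    return Verdict(ok=not findings, findings=findings)


if __name__ == "__main__":
    cases = {
        "current, intact": ("plc-ctrl", "3.2.1", CURRENT_IMAGE, CLEAN_SBOM),
        "current, tampered": ("plc-ctrl", "3.2.1", TAMPERED_IMAGE, CLEAN_SBOM),
        "old build": ("plc-ctrl", "3.2.0", OLD_IMAGE, CLEAN_SBOM),
        "banned supplier": ("plc-ctrl", "3.2.1", CURRENT_IMAGE, SBOM_WITH_BANNED),
    }
    for label, args in cases.items():
        verdict = check_firmware(*args)
        print(f"{label}: {'LOAD' if verdict.ok else 'BLOCK'}", *verdict.findings, sep="\n  ")
```

Every check is blocking rather than advisory: an operator who can override a hash mismatch with a click will eventually do so under outage pressure, which is exactly the error-prone process the session sets out to avoid. The SBOM walk also fails closed when the SBOM is absent or malformed, because a missing inventory is itself a supply chain finding.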