Welcome to the interactive agenda for SecurityWeek’s 2019 ICS Cyber Security Conference. Sessions are being finalized and the final program will include 4 FULL DAYS of content.
Wednesday, October 23 • 8:15am - 9:00am
Five Blind Men and the Elephant Called ICS Supply Chain Security


Is a secure ICS software supply chain important to your company’s critical operations? And what does securing your supply chain really involve? A 3-year study sponsored by the US Department of Homeland Security revealed many different perspectives. ICS vendors, asset owners, consultants and security researchers all identified numerous complex priorities including:
  • Counterfeit firmware detection: Asset owners need to validate that firmware is authentic and hasn’t been tampered with. Vendors need to know if counterfeits of their products are circulating on the internet.
  • Mystery sub-component detection: Asset owners are looking for a Software Bill of Materials (SBoM) to reveal unexpected or unapproved sub-components that may contain vulnerabilities or malware. Vendors want to be able to trace back which of their products might contain those sub-components.
  • Version validation: Asset owners want to confirm that firmware is an up-to-date version, tested and approved by the factory rather than an unauthorized or obsolete version. Vendors need to be aware if unapproved versions are being installed in the field.
  • Certification-chain validation: Asset owners need to detect fraudulently signed packages masquerading as authentic. Vendors need to know if their private keys have been stolen and are being used to sign malware.
  • Stability confirmation: Asset owners want reassurance that even valid firmware packages are bug-free and won’t introduce instabilities. Vendors want to know how the market perceives their upgrade packages so they can be proactive and protect their reputations.
These are just a few of the perspectives identified in the DHS research project. A common theme among them is the exploitation of trust between ICS vendors and their customers (and other suppliers). This talk will explore specific examples of each of these threats and discuss FACT, a framework for safeguarding against attacks on trust and reliability.

Learning objectives:
  • Identify key cybersecurity risks to critical infrastructure supply chains.
  • Understand existing security strategies (e.g. certificate signing, hashes) and their limitations.
  • Explore tools and solutions for addressing specific supply chain threats.

Eric Byres

Chief Technology Officer, aDolus Technology Inc.
Eric Byres is widely recognized as one of the world’s leading experts in the field of industrial control system (ICS) and Industrial Internet of Things (IIoT) cybersecurity. He is the inventor of the Tofino Security technology – the most widely deployed ICS-specific firewall in...

Wednesday October 23, 2019 8:15am - 9:00am EDT
Windsor Ballroom