CS2AI Symposium

Securing the Software Supply Chain:
Forging an Unbreakable Chain

April 6, 2022
1:00PM - 5:30PM EST


About the Symposium

After a year of high-profile cyber incidents against Operational Technology (OT) systems, followed by a frenzy of regulatory initiatives from governments around the world, executives in critical infrastructure are accelerating their efforts to secure their operations. The software supply chain has been a particularly attractive target for attackers. SecurityWeek reported that software supply chain attacks tripled in 2021—and that’s following a 430% surge in 2020. It has not gone unnoticed.

This symposium will explore the risks posed by a lack of visibility into the OT software supply chain. It will describe the important regulatory requirements initiated by the US federal government and explore the impact of these regulations, both in the US and internationally. We’ll do a deep dive into the federal requirement for Software Bills of Materials (SBOMs), the critical role they play in risk reduction, and the future direction of supply chain transparency.

We’ll discuss some of the challenges of creating and using SBOMs in OT/ICS environments. OT technology has a long service life and there is often legacy software where the source code is no longer available. We’ll also cover how OT vendors can use VEX (Vulnerability Exploitability eXchange) documents to help prioritize vulnerabilities exposed by SBOMs.

Finally, we’ll wrap up with a real-world example detailing the experiences of a major OEM vendor that determined the risk posed by the vulnerabilities in the Apache Foundation’s Log4j module, identified products where it was exploitable, and efficiently communicated with its customers using VEX.

The need for a secure supply chain is the new business imperative for operators of critical infrastructure and those who supply them with software and firmware. Don’t miss this chance to hear from the experts on how to forge an unbreakable chain in critical infrastructure operations.