What does successful SBOM deployment – an SBOM win – look like for ICS asset owners and suppliers?

What does successful SBOM deployment – an SBOM win – look like for ICS asset owners and suppliers?

This roundtable will discuss the impact of SBOM deployment and practical usage of SBOM and VEX for both ICS asset owners and suppliers. Discussion focuses on how SBOM deployment helps identify, prioritize, and protect against attacks that may be prevalent or particularly relevant to the ICS sector and industries. SBOM deployment, anchored in machine-readable and ingestible data, and linked to security controls, vulnerabilities, and threat modeling, has the potential of allowing a live view of an organization’s internal and external ICS security perimeter’s posture, fully leveraging SBOM, HBOM, the status of all components via VEX (Vulnerability Exploitability Exchange information) and utilizing MITRE’s ATT&CK data and framework as well as vulnerability databases. Organizations seeking to leverage security standards and controls like ISA/IEC 62443 and SBOMs are likely to identify numerous gaps in the security posture of the ICS under review. Being able to prioritize subsequent and ongoing remediation through supply chain collaboration, organizations can protect their ICS systems in the strongest and most efficient manner. SBOM deployment with security control, vulnerability, and threat context, should enable effort to be directed towards the security issues of highest concern and also based on the deployed OT network and threat landscape within which the ICS systems operate. The ability to navigate between real-world attacks and the state of an organization’s security posture in relation to ICS systems based off SBOM deployment is extremely valuable: instead of a ‘check-in-the-box’ allowing security professionals to ‘sleep well’ better knowing an organization’s true readiness and ability to avoid, deter or repel real-world attacks.

Discussion from both an ICS asset owner and supplier perspective can focus on SBOM deployment:

• Where, why, for who?
• An evolving ICS threat landscape
• Policy, legislative, and contractual drivers
• What markets are or should be impacted

• What and how?
• How to create and manage SBOMs – tooling and automation on the product and asset management side
• How to drive SBOM interoperability – defined SBOM, defined data format, defined exchange mechanism
• How to achieve compliance, risk management and other use objectives with an SBOM and additional services built off an SBOM – i.e., sector specific patch guidance, prioritized patch management, VEX validation, threat intelligence

• Gaps or blind spots?
• How to establish economies of scope and scale for SBOM data sharing and mediation
• What about validation, also independently, of SBOM and VEX information
• Where and how do HBOMs enter

Gonda Lamberink: As Vice President of Critical Manufacturing, Lamberink is responsible for Fortress’ Manufacturing business and verticals growing C-SCRM solutions with manufacturers that are part of critical infrastructure supply chains. Critical Manufacturing focus includes communication, automation and processor equipment and technologies in Telecom/ICT, Industrial Automation, Commercial Facilities, Pharma, Healthcare and Transportation sectors.

Tony Turner: As Vice President of Research and Development, Turner leads the Fortress Labs team conducting cybersecurity research and managing Fortress’ products focused on software supply chain, vulnerability management and product security for Critical Infrastructure, Manufacturing, and Department of Defense business lines.