Welcome to the Interactive Agenda for SecurityWeek’s 2020 ICS Cyber Security Conference! (View the full conference website and register for the conference here)

Back To Schedule
Wednesday, October 21 • 2:45pm - 3:15pm
Lurking Beneath the Surface: Uncovering Hidden Components in ICS Software

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Today’s ICS software is never written from scratch. Vendors focus development resources on core competencies and prefer to buy (rather than build) components available off the shelf, such as license managers, installers, and cryptographic libraries. This strategy, while efficient in terms of development effort, entwines the vendor’s security posture with multiple suppliers and open source projects. Worse, it makes it difficult to see what exactly is included in a package. In 2018, asset owners were exposed to critical vulnerabilities in the Gemalto Sentinel License Management Software because major ICS vendors quietly embedded it in their products and ICS operators didn’t know. And searching the CVE databases didn’t help as the vulnerabilities appeared under Gemalto rather than the vendor names.

ICS vendors deal with a similar challenge: their developers rely on libraries, frameworks, and other 3rd-party code to be efficient and avoid recreating proven functionality. In turn, these components usually have their own embedded third-party and open source code originating from widely-used repositories, such as GitHub, where attackers have been known to plant malicious code. And if their DevOps environment is lax about version control, the developers may unwittingly embed old versions of code with known vulnerabilities.

This talk introduces techniques to help both ICS vendors and operators assess the validity and safety of ALL the components of any given ICS package — before it is shipped or installed. We look at using a Software Bill of Materials to expose mystery components, and score each one for safety and security.

Learning Objectives
  • Understand the depth and breadth of embedded “mystery components” in ICS packages from both a vendor and asset owner perspective.
  • Learn how to view the relationships between components, across multiple product lines and vendors.
  • Explore tools and solutions for exposing and scoring components prior to installation on critical systems.

avatar for Eric Byres

Eric Byres

Chief Technology Officer, aDolus Technology
Eric Byres, the Chief Technology Officer at aDolus Technology Inc., is widely recognized as one of the world’s leading experts in the field of Operational Technology (OT) cybersecurity. He is the inventor of the Tofino Security technology – the most widely deployed OT-specific... Read More →

Wednesday October 21, 2020 2:45pm - 3:15pm EDT