Journals of Accelerator Conferences Website (JACoW)

JACoW is a publisher in Geneva, Switzerland that publishes the proceedings of accelerator conferences held around the world by an international collaboration of editors.


BiBTeX citation export for MO4BCO03: Protecting Your Controls Infrastructure Supply Chain

@inproceedings{copy:icalepcs2023-mo4bco03,
  author       = {B. Copy and F. Ehm and P.J. Elson and S.T. Page and M. Pratoussy and L. Van Mol and J.-B. de Martel},
% author       = {B. Copy and F. Ehm and P.J. Elson and S.T. Page and M. Pratoussy and L. Van Mol and others},
% author       = {B. Copy and others},
  title        = {{Protecting Your Controls Infrastructure Supply Chain}},
% booktitle    = {Proc. ICALEPCS'23},
  booktitle    = {Proc. 19th Int. Conf. Accel. Large Exp. Phys. Control Syst. (ICALEPCS'23)},
  eventdate    = {2023-10-09/2023-10-13},
  pages        = {196--200},
  paper        = {MO4BCO03},
  language     = {english},
  keywords     = {software, controls, operation, framework, software-component},
  venue        = {Cape Town, South Africa},
  series       = {International Conference on Accelerator and Large Experimental Physics Control Systems},
  number       = {19},
  publisher    = {JACoW Publishing, Geneva, Switzerland},
  month        = {02},
  year         = {2024},
  issn         = {2226-0358},
  isbn         = {978-3-95450-238-7},
  doi          = {10.18429/JACoW-ICALEPCS2023-MO4BCO03},
  url          = {https://jacow.org/icalepcs2023/papers/mo4bco03.pdf},
  abstract     = {{Supply chain attacks have been constantly increasing since being first documented in 2013. Profitable and relatively simple to put in place for a potential attacker, they compromise organizations at the core of their operation. The number of high profile supply chain attacks has more than quadrupled in the last four years and the trend is expected to continue unless countermeasures are widely adopted. In the context of open science, the overwhelming reliance of scientific software development on open-source code, as well as the multiplicity of software technologies employed in large scale deployments make it increasingly difficult for asset owners to assess vulnerabilities threatening their activities. Recently introduced regulations by both the US government (White House executive order EO14028) and the EU commission (E.U. Cyber Resilience Act) mandate that both Service and Equipment suppliers of government contracts provide Software Bills of Materials (SBOM) of their commercial products in a standard and open data format. Such SBOM documents can then be used to automate the discovery, and assess the impact of, known or future vulnerabilities and how to best mitigate them. This paper will explain how CERN investigated the implementation of SBOM management in the context of its accelerator controls infrastructure, which solutions are available on the market today, and how they can be used to gradually enforce secure dependency lifecycle policies for the developer community.}},
}