JACoW is a publisher in Geneva, Switzerland that publishes the proceedings of accelerator conferences held around the world by an international collaboration of editors.
TY - CONF AU - Copy, B. AU - Ehm, F. AU - Elson, P.J. AU - Page, S.T. AU - Pratoussy, M. AU - Van Mol, L. AU - de Martel, J.-B. ED - Schaa, Volker RW ED - Götz, Andy ED - Venter, Johan ED - White, Karen ED - Robichon, Marie ED - Rowland, Vivienne TI - Protecting Your Controls Infrastructure Supply Chain J2 - Proc. of ICALEPCS2023, Cape Town, South Africa, 09-13 October 2023 CY - Cape Town, South Africa T2 - International Conference on Accelerator and Large Experimental Physics Control Systems T3 - 19 LA - english AB - Supply chain attacks have been constantly increasing since being first documented in 2013. Profitable and relatively simple to put in place for a potential attacker, they compromise organizations at the core of their operation. The number of high profile supply chain attacks has more than quadrupled in the last four years and the trend is expected to continue unless countermeasures are widely adopted. In the context of open science, the overwhelming reliance of scientific software development on open-source code, as well as the multiplicity of software technologies employed in large scale deployments make it increasingly difficult for asset owners to assess vulnerabilities threatening their activities. Recently introduced regulations by both the US government (White House executive order EO14028) and the EU commission (E.U. Cyber Resilience Act) mandate that both Service and Equipment suppliers of government contracts provide Software Bills of Materials (SBOM) of their commercial products in a standard and open data format. Such SBOM documents can then be used to automate the discovery, and assess the impact of, known or future vulnerabilities and how to best mitigate them. This paper will explain how CERN investigated the implementation of SBOM management in the context of its accelerator controls infrastructure, which solutions are available on the market today, and how they can be used to gradually enforce secure dependency lifecycle policies for the developer community. PB - JACoW Publishing CP - Geneva, Switzerland SP - 196 EP - 200 KW - software KW - controls KW - operation KW - framework KW - software-component DA - 2024/02 PY - 2024 SN - 2226-0358 SN - 978-3-95450-238-7 DO - doi:10.18429/JACoW-ICALEPCS2023-MO4BCO03 UR - https://jacow.org/icalepcs2023/papers/mo4bco03.pdf ER -