ConversingLabs highlights: RSA Conference spotlights software supply chain, critical infrastructure risk

We wrote about some of the interesting and must-see talks at this year’s show. We also had the opportunity to sit down with some RSA speakers to hear first hand about their research and insights. We’re highlighting those conversations in three new episodes of our ConversingLabs podcast series that we’re releasing now (thereby allowing you to “binge” Netflix-style on ConversingLabs.)

Here are the ConversingLabs Café-edition episodes from this year’s RSA Conference:

Episode 6: Robert Martin of MITRE on Supply Chain System of Trust

Robert Martin is a Senior Principal Engineer at MITRE and an expert on supply chain security. He’s also one of the principal creators of MITRE’s supply chain System of Trust (sot.mitre.org), which provides a framework for supply chain security risk assessments that is customizable, evidence-based, scalable and repeatable. Once implemented, the SoT will give organizations within the supply chain confidence in each other as well as different service offerings and supplies.

In this conversation, Robert and I talk about COVID has highlighted supply chain risks - whether its availability, counterfeit products or - of course - cyber risk, he said. But solving supply chain problems is not simply a job for the IT group, he tells me. Instead, it is something that needs to be driven from the very top echelons of an organization. That’s where the System of Trust comes in. It promotes transparency within organizations, allowing both leaders and developers to see all of the players in the supply chain and identify areas of risk.

Episode 7: Steve Lipner of SAFECODE on Supply Chain Security - Is It Even Possible?

When it comes to secure software development, Steve Lipner is one of those information security industry leaders who was there at the creation, so to speak. Lipner, the current Executive Director of the non-profit SafeCode, served as the Director of the Microsoft Security Response Center (MSRC) and from 2004 to 2013 - a critical period that saw Microsoft launch the now renowned Security Development Lifecycle (SDL) initiative, which Lipner oversaw.

As part of SafeCode, Lipner works to promote secure development principles more widely in industry. SafeCode provides free resources on secure software development as well as advice and recommendations for development organizations in the form of white papers, blog posts, social media posts, and more.

In this conversation from the sidelines at RSA, Steve recounts his own experiences on Microsoft’s Software Security Development Lifecycle Team as the point of the spear in Microsoft’s Trustworthy Computing Initiative. Lipner stresses that to move towards secure software must come from within (so to speak), rather than relying on outsiders (consultants and the like.) He also talks about the Biden Administration’s Executive Order (EO) on Improving the Nation’s Cybersecurity and the impact the EO is having (though it is still a work in progress, he admits).

Episode 8: Bryson Bort of Scythe.io on Lessons Learned from The Colonial Pipeline Incident

Bryson Bort is a cybersecurity industry leader with experience in both the public and private sectors. The founder and CEO of Scythe.io, Bryson is an expert in hardware security. He’s also co-founder of the ICS Village, a non-profit organization that builds critical infrastructure (CI) and presents it at various conferences.

In this conversation, Bryson sat down with ConversingLabs host Paul Roberts following his RSA panel discussion “Colonial Pipeline - What Happened, What Changed,” which featured panelists from government, the media, and the fuel industry. The Colonial hack, Bort said, was a “watershed moment” for the industry that saw a ransomware attack directly impact the lives of everyday Americans. But the bigger picture on Colonial must include years of ignored warnings about the possibility of just such an attack.

One of the big lessons from Colonial? Voluntary guidelines for cybersecurity - the U.S. government’s preferred method (to date) for addressing cyber risk - “just don’t work.” That’s because companies will always focus on the activities that generate profit for them instead, Bort said. That leaves it to the government and its enforcement agencies to prioritize cybersecurity for critical infrastructure, especially now that cybercriminals have set their sites on CI environments, while making ready use of vulnerable IT networks that can be used - as in the case of Colonial - to disrupt critical infrastructure functions.

Enjoy. And remember to check out the rest of our ConversingLabs series.