Product Lifecycle in OT – with solutions
Exercise 1: Papers / report study
In separate groups you analyse the report Prüfung von Manipulationsmöglichkeiten von Hardware in verteilten Fertigungsprozessen (PANDA) ("Examination of hardware manipulation possibilities in distributed manufacturing processes"), taken from here (do not worry, the report itself is in English), and various papers/articles.
Three groups will assess:
- WP2 of the report -> (Firmware and Chill)
- WP3 of the report -> (Ghost in the machine)
- WP4 of the report -> (Honeywell I shrunk the Network)
while three others will look into:
- Federal council’s report on “Product safety and supply chain risk management in the cybersecurity and cyberdefence sectors” - (French, German and Italian) -> (Patching the unpatchable)
- A Survey on Life-Cycle-Oriented Certificate Management in Industrial Networking Environments -> (PLC-ya Later)
- KMS: The Key to Secure Management of Cryptographic Objects and Workshop Summary Report for “Building on the NIST Foundations: Next Steps in IoT Cybersecurity” (for the latter, focus on the key takeaways) -> (The Scada-doo Crew)
- Long term key management architecture for SCADA systems -> (The Zero-Day Detectives)
- Cyber Resilience Act Requirements Standards Mapping (focus on the spirit and key takeaways of the document) -> (Unplanned Downtime)
Your deliverables
Your task is to create a 1-page summary and to present it to the rest of the class during our next course. The outcomes will be shared across the class afterwards.
Exercise 2: SBOM in practice
We have seen the importance of the SBOM (or BOM more generally) in the course. There exist multiple tools for generating such information; a list of tools can be found under SPDX - Open Source Tools.
As we are using mostly Python and Docker, we focus on the following tools:
- trivy (many formats, including python - see Supported languages for a complete list)
- syft (many formats, including python - see Supported Ecosystems for a complete list)
Go ahead and generate an SBOM for each of the following:
- your own OPC UA server
- the image nginx:1.27.4
Solution
The solutions are:
- trivy fs --format spdx-json --output result.json opcua_server. Use --format spdx-json rather than --format spdx when the output file is meant to be JSON: --format spdx writes SPDX tag-value. Check also trivy fs --scanners vuln,secret,misconfig opcua_server, which scans the same tree for known vulnerabilities, leaked secrets and misconfigurations instead of producing an SBOM.
- Alternatively, issue syft scan dir:opcua_server -o spdx-json (syft's --from flag selects the source type, not the path, so the directory is given as dir:opcua_server).
- See also: https://medium.com/@krishnaduttpanchagnula/vulnerability-identification-of-images-and-files-using-sbom-with-trivy-23e1a4a5eea4
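For the nginx:1.27.4 image the equivalent invocations are trivy image --format spdx-json --output nginx.spdx.json nginx:1.27.4 or syft scan nginx:1.27.4 -o spdx-json. Producing the file is only the first step; the value of an SBOM comes from consuming it. As an added example (not part of the course material or of either tool), the script below parses an SPDX 2.3 JSON document of the shape trivy and syft emit and diffs it against a requirements.txt: packages declared but absent from the SBOM, exact pins that disagree with what was actually installed, loose pins, packages present but never declared, and components for which no licence was concluded. The SBOM, the requirements file and the opcua_server project name are constructed inline for the example.

```python
"""Consume an SPDX 2.3 JSON SBOM (the shape written by `trivy fs --format spdx-json`
or `syft -o spdx-json`) and check it against the dependencies the project declares.
Added example; the SBOM and requirements below are constructed, not real tool output."""
import json
import re

# Constructed: a trimmed SPDX 2.3 JSON document for a hypothetical opcua_server tree.
SAMPLE_SBOM_JSON = r'''{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "opcua_server",
  "packages": [
    {"name": "opcua_server", "SPDXID": "SPDXRef-Application", "downloadLocation": "NONE"},
    {"name": "asyncua", "SPDXID": "SPDXRef-Package-asyncua", "versionInfo": "1.1.5",
     "licenseConcluded": "LGPL-3.0-or-later",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/asyncua@1.1.5"}]},
    {"name": "cryptography", "SPDXID": "SPDXRef-Package-cryptography", "versionInfo": "42.0.5",
     "licenseConcluded": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/cryptography@42.0.5"}]},
    {"name": "requests", "SPDXID": "SPDXRef-Package-requests", "versionInfo": "2.31.0",
     "licenseConcluded": "Apache-2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
    {"name": "urllib3", "SPDXID": "SPDXRef-Package-urllib3", "versionInfo": "2.2.1",
     "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/urllib3@2.2.1"}]}
  ],
  "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                     "relatedSpdxElement": "SPDXRef-Application", "relationshipType": "DESCRIBES"}]
}'''

# Constructed requirements.txt for the same hypothetical project.
SAMPLE_REQUIREMENTS = """\
asyncua==1.1.5
cryptography==41.0.7   # stale pin: the environment actually holds a newer wheel
urllib3>=1.26          # loose pin: any version satisfies it
pyserial==3.5          # declared, but nothing installed it
"""

PYPI_PURL = re.compile(r"^pkg:pypi/(?P<name>[^@?#]+)@(?P<version>[^?#]+)")
REQ_LINE = re.compile(r"^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*(?:==\s*([^\s;]+))?")


def normalize(name):
    """PEP 503 name normalisation so 'Flask_Cors' and 'flask-cors' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def load_sbom(text):
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    return doc


def pypi_packages(sbom):
    """Normalised PyPI name -> (version, licenseConcluded), read from the purl externalRefs
    rather than from 'name'/'versionInfo', which tools fill in less consistently."""
    found = {}
    for pkg in sbom.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            m = PYPI_PURL.match(ref.get("referenceLocator", ""))
            if m:
                found[normalize(m["name"])] = (m["version"], pkg.get("licenseConcluded", "NOASSERTION"))
    return found


def parse_requirements(text):
    """Normalised name -> pinned version, or None when the line is not an exact '==' pin."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and options such as -r / -e
            continue
        m = REQ_LINE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def compare(sbom_pkgs, pins):
    """Drift between what is declared (pins) and what is actually present (SBOM)."""
    report = {"missing_from_sbom": [], "loosely_pinned": [], "version_mismatch": []}
    for name, pinned in sorted(pins.items()):
        if name not in sbom_pkgs:
            report["missing_from_sbom"].append(name)
        elif pinned is None:
            report["loosely_pinned"].append(name)
        elif sbom_pkgs[name][0] != pinned:
            report["version_mismatch"].append((name, pinned, sbom_pkgs[name][0]))
    report["undeclared_in_sbom"] = sorted(n for n in sbom_pkgs if n not in pins)
    return report


def packages_without_license(sbom_pkgs):
    """Components whose licence the tool could not conclude; a manual review item."""
    return sorted(n for n, (_, lic) in sbom_pkgs.items() if lic in ("NOASSERTION", "NONE", ""))


if __name__ == "__main__":
    pkgs = pypi_packages(load_sbom(SAMPLE_SBOM_JSON))
    print(json.dumps(compare(pkgs, parse_requirements(SAMPLE_REQUIREMENTS)), indent=2))
    print("no licence concluded:", packages_without_license(pkgs))
```

Point load_sbom at the result.json written by trivy (or the syft output) and at the project's real requirements.txt to run the same checks on your OPC UA server; for the nginx image the purls are pkg:deb/... rather than pkg:pypi/..., so the regex is the one line to adapt.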