2026-04-10, Track 2
Attendees will leave able to ask more informed, stronger questions of suppliers, read assurance claims with appropriate scepticism, and make more defensible decisions about OT risk in the real world. They will gain a better understanding of where control sits in OT environments, how supplier relationships and commercial structures shape security outcomes, and why many common assumptions and frameworks around ownership, responsibility, and governance collapse in practice.
The talk explores common myths around ownership: that asset owners control patching and change, that contracts offer meaningful protection, that assurance means security, and that responsibility aligns with authority. It examines how dependency, inertia, lifecycle constraints, vendor power, and incentives often dictate security posture far more than policy or wishful thinking, and offers practical ways to reframe discussions and challenge supplier narratives.
You'll leave this session better equipped to examine supplier claims, make sense of assurance artifacts, and reason more clearly about OT supply chain risk.
We'll examine ownership myths in OT environments: ideas like "well, we can just patch it", "the contract protects us", or "we've done our due diligence". We'll look at how real-world constraints, from vendor dependency to long system lifecycles, often shape outcomes far more than frameworks or policy.
Instead of yet another checklist of controls, we'll focus on building a more realistic model of how OT ecosystems actually function, so you can ask better questions, assess suppliers more effectively, and make stronger decisions.
James Bore is a security consultant, speaker, and writer with a particular interest in risk, systems, and how security works (or fails) in practice. His work spans cyber security, critical infrastructure, and supply chain risk, and he is known for taking a sceptical, systems-focused approach rather than a checklist-driven one.
He regularly speaks at community events including BSides, writes on security and risk, and spends an unreasonable amount of time designing tiny board games.