SBOMs for Embedded OT: A Practical Approach to Reducing Supply Chain Risk
About This Session
As industrial environments face mounting software supply chain risks, operators and OEMs are under increasing pressure—from both regulators and industry best practices—to generate accurate and actionable Software Bills of Materials (SBOMs). Yet in ICS and OT environments, especially those reliant on embedded C/C++ code, generating meaningful SBOMs remains a significant technical challenge.
This session will explore the practical realities of SBOM generation for C/C++ systems used in OT. It will break down the core approaches, including source-based, build-time, and binary analysis, and highlight the strengths, limitations, and suitability of each approach for different operational contexts. Attendees will learn how decisions around timing, tooling, and data granularity directly affect vulnerability identification, regulatory compliance, and system safety.
The discussion will provide a framework for evaluating trade-offs based on your environment, toolchain maturity, and risk tolerance. With industrial software supply chains under increasing scrutiny, this session aims to move SBOMs from theory to practice without losing sight of the complexity inherent to C/C++ and embedded system development.
Learning Objectives:
1) Understand the primary methods for SBOM generation in C/C++ embedded systems and their respective trade-offs
2) Learn how SBOM strategies intersect with emerging regulatory requirements and software assurance best practices
3) Identify key constraints in OT environments, such as legacy systems and lack of source access, and how different SBOM approaches can address them
4) Gain insights on how SBOM quality impacts downstream vulnerability identification and risk mitigation
Speaker
Kelli Schwalm
Senior Engineer - RunSafe Security
Kelli Schwalm is a Senior Engineer at RunSafe Security where she leads the team developing RunSafe’s unique approach to generating build-time SBOMs for C/C++. Prior to joining RunSafe, Kelli worked on embedded security technologies for mission-critical systems with a focus on Linux Kernel development.
