In December, NSF published its newly renamed Research Infrastructure Guide (RIG) (f.k.a. Major Facilities Guide). [1] During the public comment period, Trusted CI suggested updates, particularly in light of our March 2021 publication of the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators (FIG).
Alignment to the Trusted CI Framework
We are very pleased to see that NSF made many changes to the Research Infrastructure Guide, bringing it even more closely in line with the Trusted CI Framework, and pointing research infrastructure to the FIG as a resource.
Those changes are captured in the cybersecurity section (6.3), as well as in the Competency Requirements for Major Facility Management (4.6.6.3), where knowledge of the Framework’s Four Pillars (Mission Alignment, Governance, Resources, and Controls) is an information technology competency.
Operational Technology Clarification
Moreover, we applaud NSF’s clarification that operational technology [2] falls within the RIG’s definition of and scope for cybersecurity. Trusted CI advocated for this clarification. [3]
Background
Beginning in 2014, Trusted CI partnered with the NSF Large Facilities Office in providing draft material for what became the first cybersecurity section for the then-titled Large Facilities Manual. Our work drew broadly from our cybersecurity experience and expertise, and specifically from our collaborations with the Major Facilities themselves. Since that original section’s publication, we have used the public comment process to suggest refinements.
Endnotes
[1] The name change reflects the fact that the document applies to mid-scale projects as well as Major Facilities. (See p. i.)
[2] Operational technology (OT) / cyber physical systems (CPS) is the focus of Trusted CI’s 2022 annual challenge. Read more here.
[3] We submitted the following rationale to NSF:
“While the MFG references controls for ICS and SCADA systems in Section 6.3.5.3, a clarification of the scope of ‘information systems’ is warranted. Our work with Large/Major Facilities since 2013 suggests that some community stakeholders believe cybersecurity and related responsibilities are scoped only to traditional IT, and do not include OT.
“If reflected in the scoping and resourcing of their cybersecurity programs, this misunderstanding and exclusion of OT cybersecurity considerations poses a serious risk to facility research missions. These missions frequently rely heavily on operational technology. The availability, functionality, and efficacy of scientific instruments (e.g., telescopes) frequently depend on both operational technologies and traditional information technologies. These technologies are increasingly architected as interconnected systems of systems composed of both traditional IT and OT. Cyberthreats to these operational technologies are real [FN1], and attacks that impact them can be executed both directly and through connected traditional IT systems. The gravity and impact of cyberthreats to OT are recognized at the federal level, and action to address these threats is called out explicitly as a priority. [FN2, FN3, FN4]
“This addition also will help clarify that NSF’s guidance is aligned with the federal definition of cybersecurity. [FN5]”
[FN2] See, e.g., National Security Agency Cybersecurity Report: NSA/CSS Technical Cyber Threat Framework v2, p. 2. Available at https://media.defense.gov/2019/Jul/16/2002158108/-1/-1/0/CTR_NSA-CSS-TECHNICAL-CYBER-THREAT-FRAMEWORK_V2.PDF.
[FN3] See also NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems, Alert (AA20-205A), original release date July 23, 2020. Available at https://us-cert.cisa.gov/ncas/alerts/aa20-205a.
[FN4] See also NSA press release, “Protect Operational Technologies and Control Systems against Cyber Attacks.” Available at https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2285423/protect-operational-technologies-and-control-systems-against-cyber-attacks/.