RCRV Photo: The Glosten Associates |
The Trusted CI Secure by Design team has completed work on “The Operational Technology Procurement Vendor Matrix.” The purpose of this document is to assist those in leadership roles during the procurement process. It’s meant to help formulate questions for vendors to discuss security controls on devices that will be used for maritime research.
The matrix includes a list of controls, requirements for the control, potential questions for vendors, tips, and real world examples justifying a given control.
For example, Item #3 in the matrix is an inventory requirement stating that security vulnerabilities in vendor-provided software must be patched. The Threat Actor Example we cite to justify the requirement is the WannaCry vulnerability. We include an example question that could be used when discussing with the vendor. (Click the image below to see in better detail.)
The document can be viewed and downloaded here (Note: The file is available in many formats):
https://zenodo.org/doi/10.5281/zenodo.10257812
This document represents the work of many people, including critical feedback from maritime operational technology practitioners (Scripps Institution of Oceanography’s CCRV, and Oregon State University’s RCRV and OOI). We are grateful for their contributions to this effort.
Our goal is to share this matrix and continue to develop its utility after receiving feedback from the Trusted CI community. To contact us, email info@trustedci.org.