Last year, the Secure by Design team announced the publication of the first version of the Trusted CI OT (Operational Technology) Procurement Matrix. After gathering feedback from maritime operational technology practitioners and some of their vendors, we have published an updated version of the Matrix and a companion Guide to further assist the OT community.
The Guide can be found here: https://doi.org/10.5281/zenodo.13743314
The purpose of the Matrix is to assist those in leadership roles during the procurement process. It’s meant to help formulate questions for vendors to discuss security controls on devices that will be used for maritime research. The Matrix includes a list of controls, requirements for the control, potential questions for vendors, tips, and real world examples justifying a given control.
The updates to v2 of the Matrix includes columns for ISO/IEC 27000 family and the ISA/IEC 62443 Series of Standards.
The updated version of the Matrix can be found here: https://doi.org/10.5281/zenodo.13830599
We have already seen positive impacts from this document. “Even at our project stage of construction, where a majority of OT procurements are complete and fulfilled, we find the OT Vendor Procurement Matrix to continue to be useful," Christopher Romsos, Datapresence Systems Engineer for the Regional Class Research Vessel (RCRV) said. "Despite having contracts in place and work well underway at the time the matrix was published, we realized that the OT Vendor Procurement Matrix could be leveraged as a discovery tool to inform our Cyber Risk Management Planning needs. We're in a more informed position now for our CRMP activities because the matrix provided us with something we could easily use in the field and that was designed to assess cyber risk in OT systems,” he said.
The Secure by Design team will be moderating a panel for in-person attendees later this week at the NSF Cybersecurity Summit. The Matrix will surely come up as a discussion topic.
