Announcing publication of the Operational Technology Procurement Vendor Matrix

RCRV Photo: The Glosten Associates

The Trusted CI Secure by Design team has completed work on “The Operational Technology Procurement Vendor Matrix.” The purpose of this document is to assist those in leadership roles during the procurement process. It’s meant to help formulate questions for vendors to discuss security controls on devices that will be used for maritime research.

The matrix includes a list of controls, requirements for the control, potential questions for vendors, tips, and real world examples justifying a given control.

For example, Item #3 in the matrix is an inventory requirement stating that security vulnerabilities in vendor-provided software must be patched. The Threat Actor Example we cite to justify the requirement is the WannaCry vulnerability. We include an example question that could be used when discussing with the vendor. (Click the image below to see in better detail.)

The document can be viewed and downloaded here (Note: The file is available in many formats):

https://zenodo.org/doi/10.5281/zenodo.10257812

This document represents the work of many people, including critical feedback from maritime operational technology practitioners (Scripps Institution of Oceanography’s CCRV, and Oregon State University’s RCRV and OOI). We are grateful for their contributions to this effort.

Our goal is to share this matrix and continue to develop its utility after receiving feedback from the Trusted CI community. To contact us, email info@trustedci.org.

Updates on Trusted CI’s Efforts in Cybersecurity by Design of NSF Academic Maritime Facilities

As part of its “Annual Challenge” in 2023, Trusted CI has been engaging with current and future NSF Major Facilities undergoing design or construction with the goal of building security into those Facilities from the outset.  To date, this effort has focused on working with cyberinfrastructure operators in the the academic maritime domain, and has included support of the cybersecurity aspects of the acceptance testing process of the NSF-funded Research Class Research Vessels (RCRVs) at Oregon State University as well as Scripps Institution of Oceanography’s design of the California Coastal Research Vessel (CCRV).  These vessels are all expected to eventually become a part of the U.S. Academic Research Fleet (ARF).

In 2022, Trusted CI studied cybersecurity issues in operational technology (OT) in science and produced a roadmap to help lead to greater security of such systems, and thus Trusted CI’s efforts with security by design of Major Facilities this year are seeking to both refine and apply OT insights gained previously.  The U.S. Antarctic Program (USAP)’s design of the Antarctic Research Vessel (ARV) has also been contributing to Trusted CI’s understanding of cybersecurity issues in operational technology  Trusted CI has also benefited from insights from numerous conversations with domain experts in the academic maritime domain across a variety of ARF institutions, including IT personnel, marine technicians, oceanographers, ship captains, project leadership, and NSF Program Managers.

One of the highlights of this year's security-by-design efforts has been site visits to ships and facilities. The team has made site visits to the R/V Sally Ride and Oregon State University’s Hatfield Marine Science Center in Newport, Oregon, where the R/V Taani — one of the initial three RCRVs being constructed — will be based upon completion of its construction.  These in-person visits, including extensive discussion with personnel involved with the facilities, have provided invaluable insight to supporting Trusted CI’s efforts.

In the second half of 2023, Trusted CI will continue working on security by design with the aforementioned organizations and will also be working with the NSF Ocean Observatories Initiative (OOI) Major Facility, which is in the process of planning a refresh of its autonomous underwater vehicle (AUD) and glider fleets.

Recent site visit photographs:

Trusted CI’s Sean Peisert, left, in a crawlspace on the R/V Sally Ride examining operational technology systems.

The R/V Sally Ride, docked in Alameda, CA.

Trusted CI’s Dan Arnold, left, conferring with marine technicians on the R/V Sally Ride.

Trusted CI’s John Zage, left, looks on as RCRV’s Chris Romsos, right, explains some of the scientific instruments that will be part of the newly constructed ships at the RCRV’s offices at OSU, Corvallis, OR.

Trusted CI’s John Zage left, and RCRV’s Chris Romsos, right, view part of the expansive warehouse of items and gear to outfit the new ships under construction. OSU, Corvallis, OR.  

Announcing the 2023 Trusted CI Annual Challenge: Building Security Into NSF Major Facilities By Design

The Trusted CI Annual Challenge is a year-long project focusing on a cybersecurity topic of importance for scientific computing environments.  In its first year, the Trusted CI Annual Challenge focused on improving trustworthy data for open science.  In its second year, the Annual Challenge focused on software assurance in scientific computing.  In its third year, 2022, the Annual Challenge focused on the security of operational technology in science.  

The 2022 Annual Challenge on the Security of Operational Technology in NSF Scientific Research reinforced the notion that NSF Major Facilities, once constructed, can deploy operational technology that can have an operational lifetime of 15-30 years.  However, there are typically no cybersecurity requirements during acquisition and design.  In the 2023 Annual Challenge, Trusted CI staff will engage with NSF Major Facilities undergoing construction or refreshes in a hands-on way to build security into those Facilities from the outset.  Trusted CI will directly support the planning for facility refreshes and construction with respect to operational technology and will particularly focus on the academic maritime domain, including supporting the acceptance testing of the NSF-funded Research Class Research Vessels (RCRVs) at Oregon State University, supporting the U.S. Antarctic Program (USAP)’s design of the Antarctic Research Vessel (ARV), and Scripps Institution of Oceanography’s design of the California Coastal Research Vessel (CCRV).

This year’s Annual Challenge is supported by a stellar team of Trusted CI staff, including Andrew Adams (Pittsburgh Supercomputing Center), Daniel Gunter (Berkeley Lab), Ryan Kiser (Indiana University), Mark Krenz (Indiana University), Michael Simpson (Indiana University), John Zage (University of Illinois, Urbana-Champaign), and Sean Peisert (Berkeley Lab; 2023 Annual Challenge Project Lead).

Publication of the Trusted CI Roadmap for Securing Operational Technology in NSF Scientific Research

Trusted CI is pleased to announce the publication of its Roadmap for Securing Operational Technology in NSF Scientific Research.  

In 2022, Trusted CI conducted a year-long effort examining the security of operational technology in science. Operational technology (OT) encompasses broad categories of computing and communication systems that in some way interact with the physical world.  This includes devices that either have sensing elements or control elements, or some combination of the two, and can include both bespoke scientific instrumentation as well as commercially-produced OT.  In both cases, networked sensors and control systems are increasingly important in the context of science as they are critical in operating Major Facilities.  

Trusted CI’s approach to this effort was to spend the first half of 2022 engaging with NSF personnel and operators of OT at NSF Major Facilities to understand the range of operational practices and evaluate potential deficiencies that lead to vulnerabilities and compromises.  In the second half of 2022, leveraged our insights from the first half to develop a roadmap of solutions to sustainably advance security of scientific operational technology.  The audiences for this roadmap include NSF, NSF Major Facilities, and Trusted CI itself.

In July 2022, Trusted CI published its findings from its study of the security of operational technology in science, conducted in the first half of 2022.  

Emily K. Adams, Daniel Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, Susan Sons, andJohn Zage. “Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research,” July 13, 2022. DOI: 10.5281/zenodo.6828675 https://doi.org/10.5281/zenodo.6828675

Now, with the publication of this roadmap, Trusted CI aims to help NSF operational technology in cyberinfrastructure advance toward solutions.  The full citation for the solutions roadmap is as follows:

Andrew Adams, Emily K. Adams, Dan Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, and John Zage. “Roadmap for Securing Operational Technology in NSF Scientific Research,” November 16 2022. DOI: 10.5281/zenodo.7327987 https://doi.org/10.5281/zenodo.7327987

Trusted CI gratefully acknowledges the many individuals from NSF as well as the following NSF Major Facilities that contributed to the year-long effort that has led to this roadmap: IceCube Neutrino Observatory, NOIRLab, Ocean Observatories Initiative, United States Academic Research Fleet, and the United States Antarctic Program.

In 2023, Trusted CI will turn its focus toward working closely with several maritime-centric NSF Major Facilities and Major Research Equipment and Facilities Construction (MREFC) projects to offer guidance and recommendations  for integrating operational technology security into those facilities for planning, design, and construction of new and refreshed facilities and instrumentation therein.

Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research

This year, Trusted CI is conducting a year-long effort on the security of operational technology in science. Operational technology (OT) encompasses broad categories of computing and communication systems that in some way interact with the physical world.  This includes devices that either have sensing elements or control elements, or some combination of the two.  Networked sensors and control systems are increasingly important in the context of science as they are critical in  operating scientific instruments.  Trusted CI is pleased to share its findings from this study, published in the following report:

Emily K. Adams, Daniel Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, Susan Sons, and John Zage. “Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research,” July 13, 2022. DOI: 10.5281/zenodo.6828675  https://doi.org/10.5281/zenodo.6828675

In support of this study, Trusted CI gratefully acknowledges the many individuals from the following NSF Major Facilities that contributed to this effort: IceCube Neutrino Observatory, NOIRLab, Ocean Observatories Initiative, and the United States Academic Research Fleet.

Now that Trusted CI has finished its examination of the current state of the security of OT in science, it will turn its focus to developing a roadmap of solutions to sustainably advance security of scientific operational technology, which will be published in late 2022.

Trusted CI Begins Engagement with OOI

The Ocean Observatories Initiative (OOI), funded by the NSF OCE Division of Ocean Sciences #1743430, is a science-driven ocean observing network that delivers real-time data from more than 800 instruments to address critical science questions regarding the world’s oceans. OOI data are freely available online to anyone with an Internet connection. 

The OOI provides an exponential increase in the scope and timescale of observations of the world’s oceans. Present and future educators, scientists, and researchers will draw conclusions about climatological and environmental processes based on these measurements, which sets a requirement for the data to be accurate, with a flawless pedigree. As a result, the OOI has a requirement to protect its data from being altered by any external agent.

To this end, OOI-CI (OOI Cyberinfrastructure) is seeking consultation from Trusted CI on evaluation of their current security program, along with guidance on reviewing and evaluating potential alternatives for an enhanced security posture. Through a kick-off meeting, Trusted CI and OOI discussed their concerns, questions, and goals, including: penetration testing; system and software vulnerability scanning and remediation; gaps in current policies and procedures; developing periodic security tasks; and identifying ‘unknowns’. These topics were refined and prioritized based on their needs using a subset of tasks outlining the goals of the engagement, specifically:

1. Perform a review of OOI’s cyberinfrastructure using the Trusted CI Security Program Evaluation worksheet in order to assess the current state and target level of their cybersecurity.
2. Review the 2015 Engagement final report and recommendations (covering OOI @Rutgers University) with the goal to see if any recommendations made at that time are still applicable and warranted.
3. Using information documented in step 1., take initial steps towards adopting the Trusted CI Framework by developing a ‘master information security policies and procedures’ document (MISPP).
4. Discuss and document missing policies and procedures from the Framework, including questions and concerns raised by OOI, and also unknowns discovered in above exercises.  
5. Provide guidance on creating an asset inventory, applying a control set, and creating and maintaining a risk registry.

Additionally, broader impacts from this engagement can be realized as the OOI-CI is connected to several locations around the country. Lessons learned and recommendations from the engagement will be implemented at the other sites, which consist of Woods Hole Oceanographic Institute (WHOI) administration, and the three MIO’s (Marine Implementing Organizations) that provide data from Oregon State University, University of Washington, and WHOI.

The engagement will run from September 2021 to December 2021.