
Friday, March 14, 2025

Trusted CI Webinar: The Operational Technology Procurement Vendor Matrix, Monday March 31st @10am Central

Trusted CI's Mark Krenz is presenting the talk, The Trusted CI Operational Technology Procurement Vendor Matrix, on Monday March 31st at 10am, Central time.

Please register here.

Operational Technology (OT), when installed on an organization's network, becomes part of the overall cyber attack surface for an organization. When procuring this OT, it is important for the purchasing organization to understand how it will integrate with the existing network and security controls as well as understand what new risks it might introduce. The Trusted CI Operational Technology Procurement Vendor Matrix (the Matrix) provides a prioritized list of questions for organizations to send to manufacturers and suppliers to try to get as much of this information as possible.

In this webinar, we will cover the security issues that impact OT, the role of procurement in mitigating security risks, our reasoning and process for developing the Matrix, and a walkthrough of how to use the Matrix at your organization. Questions and shared experiences with OT are encouraged.

TARGET AUDIENCE:
Organizational leadership, procurement department, IT, cybersecurity

The Matrix can be found at https://trustedci.org/ot-matrix

Speaker Bio: 

Chief Security Analyst Mark Krenz is focused on cybersecurity operations, research, and education. He has more than two decades of experience in system and network administration, programming, and system security and has spent the last decade focused on cybersecurity. He also serves as the CISO of Trusted CI.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, October 7, 2024

Announcing the Publication of v2 of the Trusted CI OT Procurement Matrix & Companion Guide

Last year, the Secure by Design team announced the publication of the first version of the Trusted CI OT (Operational Technology) Procurement Matrix. After gathering feedback from maritime operational technology practitioners and some of their vendors, we have published an updated version of the Matrix and a companion Guide to further assist the OT community.  

The Guide can be found here: https://doi.org/10.5281/zenodo.13743314

The purpose of the Matrix is to assist those in leadership roles during the procurement process. It’s meant to help formulate questions for vendors to discuss security controls on devices that will be used for maritime research. The Matrix includes a list of controls, requirements for the control, potential questions for vendors, tips, and real world examples justifying a given control.    

The updates in v2 of the Matrix include columns for the ISO/IEC 27000 family and the ISA/IEC 62443 Series of Standards.

The updated version of the Matrix can be found here: https://doi.org/10.5281/zenodo.10257812

We have already seen positive impacts from this document. “Even at our project stage of construction, where a majority of OT procurements are complete and fulfilled, we find the OT Vendor Procurement Matrix to continue to be useful,” Christopher Romsos, Datapresence Systems Engineer for the Regional Class Research Vessel (RCRV) said. “Despite having contracts in place and work well underway at the time the matrix was published, we realized that the OT Vendor Procurement Matrix could be leveraged as a discovery tool to inform our Cyber Risk Management Planning needs. We're in a more informed position now for our CRMP activities because the matrix provided us with something we could easily use in the field and that was designed to assess cyber risk in OT systems,” he said.

The Secure by Design team will be moderating a panel for in-person attendees later this week at the NSF Cybersecurity Summit. The Matrix will surely come up as a discussion topic.

Friday, December 15, 2023

Announcing publication of the Operational Technology Procurement Vendor Matrix

RCRV Photo: The Glosten Associates

The Trusted CI Secure by Design team has completed work on “The Operational Technology Procurement Vendor Matrix.” The purpose of this document is to assist those in leadership roles during the procurement process. It’s meant to help formulate questions for vendors to discuss security controls on devices that will be used for maritime research.

The matrix includes a list of controls, requirements for the control, potential questions for vendors, tips, and real world examples justifying a given control.

For example, Item #3 in the matrix is an inventory requirement stating that security vulnerabilities in vendor-provided software must be patched. The Threat Actor Example we cite to justify the requirement is the WannaCry vulnerability. We include an example question that could be used when discussing with the vendor.

The document can be viewed and downloaded here (Note: The file is available in many formats):

https://zenodo.org/doi/10.5281/zenodo.10257812

This document represents the work of many people, including critical feedback from maritime operational technology practitioners (Scripps Institution of Oceanography’s CCRV, and Oregon State University’s RCRV and OOI). We are grateful for their contributions to this effort.

Our goal is to share this matrix and continue to develop its utility after receiving feedback from the Trusted CI community. To contact us, email info@trustedci.org.

Monday, July 24, 2023

Updates on Trusted CI’s Efforts in Cybersecurity by Design of NSF Academic Maritime Facilities

As part of its “Annual Challenge” in 2023, Trusted CI has been engaging with current and future NSF Major Facilities undergoing design or construction with the goal of building security into those Facilities from the outset. To date, this effort has focused on working with cyberinfrastructure operators in the academic maritime domain, and has included support of the cybersecurity aspects of the acceptance testing process of the NSF-funded Research Class Research Vessels (RCRVs) at Oregon State University as well as Scripps Institution of Oceanography’s design of the California Coastal Research Vessel (CCRV). These vessels are all expected to eventually become a part of the U.S. Academic Research Fleet (ARF).

In 2022, Trusted CI studied cybersecurity issues in operational technology (OT) in science and produced a roadmap to help lead to greater security of such systems, and thus Trusted CI’s efforts with security by design of Major Facilities this year are seeking to both refine and apply OT insights gained previously. The U.S. Antarctic Program (USAP)’s design of the Antarctic Research Vessel (ARV) has also been contributing to Trusted CI’s understanding of cybersecurity issues in operational technology. Trusted CI has also benefited from insights from numerous conversations with domain experts in the academic maritime domain across a variety of ARF institutions, including IT personnel, marine technicians, oceanographers, ship captains, project leadership, and NSF Program Managers.

One of the highlights of this year's security-by-design efforts has been site visits to ships and facilities. The team has made site visits to the R/V Sally Ride and Oregon State University’s Hatfield Marine Science Center in Newport, Oregon, where the R/V Taani — one of the initial three RCRVs being constructed — will be based upon completion of its construction.  These in-person visits, including extensive discussion with personnel involved with the facilities, have provided invaluable insight to supporting Trusted CI’s efforts.

In the second half of 2023, Trusted CI will continue working on security by design with the aforementioned organizations and will also be working with the NSF Ocean Observatories Initiative (OOI) Major Facility, which is in the process of planning a refresh of its autonomous underwater vehicle (AUV) and glider fleets.

Recent site visit photographs:

Trusted CI’s Sean Peisert, left, in a crawlspace on the R/V Sally Ride examining operational technology systems.

The R/V Sally Ride, docked in Alameda, CA.


Trusted CI’s Dan Arnold, left, conferring with marine technicians on the R/V Sally Ride.


Trusted CI’s John Zage, left, looks on as RCRV’s Chris Romsos, right, explains some of the scientific instruments that will be part of the newly constructed ships at the RCRV’s offices at OSU, Corvallis, OR.


Trusted CI’s John Zage, left, and RCRV’s Chris Romsos, right, view part of the expansive warehouse of items and gear to outfit the new ships under construction. OSU, Corvallis, OR.


Wednesday, January 25, 2023

Announcing the 2023 Trusted CI Annual Challenge: Building Security Into NSF Major Facilities By Design

The Trusted CI Annual Challenge is a year-long project focusing on a cybersecurity topic of importance for scientific computing environments.  In its first year, the Trusted CI Annual Challenge focused on improving trustworthy data for open science.  In its second year, the Annual Challenge focused on software assurance in scientific computing.  In its third year, 2022, the Annual Challenge focused on the security of operational technology in science.  

The 2022 Annual Challenge on the Security of Operational Technology in NSF Scientific Research reinforced the notion that NSF Major Facilities, once constructed, can deploy operational technology that can have an operational lifetime of 15-30 years.  However, there are typically no cybersecurity requirements during acquisition and design.  In the 2023 Annual Challenge, Trusted CI staff will engage with NSF Major Facilities undergoing construction or refreshes in a hands-on way to build security into those Facilities from the outset.  Trusted CI will directly support the planning for facility refreshes and construction with respect to operational technology and will particularly focus on the academic maritime domain, including supporting the acceptance testing of the NSF-funded Research Class Research Vessels (RCRVs) at Oregon State University, supporting the U.S. Antarctic Program (USAP)’s design of the Antarctic Research Vessel (ARV), and Scripps Institution of Oceanography’s design of the California Coastal Research Vessel (CCRV).

This year’s Annual Challenge is supported by a stellar team of Trusted CI staff, including Andrew Adams (Pittsburgh Supercomputing Center), Daniel Gunter (Berkeley Lab), Ryan Kiser (Indiana University), Mark Krenz (Indiana University), Michael Simpson (Indiana University), John Zage (University of Illinois, Urbana-Champaign), and Sean Peisert (Berkeley Lab; 2023 Annual Challenge Project Lead).

Thursday, December 15, 2022

2022 NSF Cybersecurity Summit Report now available

NSF scientists, researchers, cybersecurity, and cyberinfrastructure professionals and stakeholders gathered once again for the 2022 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure. Trusted CI, NSF’s Cybersecurity Center of Excellence, celebrated the 10th anniversary of hosting the Summit. 

The 2022 Summit was held October 18-20 in person in Bloomington, IN with a virtual option available for Plenary 1 and 2. The 2022 Summit hosted 224 attendees, including 17 students, and 12 of 17 NSF Large Facilities. Framework adoption, Operational Technology, and preparing for AI were important themes at the Summit. 

The Trusted CI team looks forward to an in-person Summit in Berkeley, CA, October 23-27, 2023, along with a virtual attendance option, so we can continue to advance the mission of the NSF science community.


Click here to see the 2022 Summit report. 

Wednesday, November 16, 2022

Publication of the Trusted CI Roadmap for Securing Operational Technology in NSF Scientific Research

Trusted CI is pleased to announce the publication of its Roadmap for Securing Operational Technology in NSF Scientific Research.  

In 2022, Trusted CI conducted a year-long effort examining the security of operational technology in science. Operational technology (OT) encompasses broad categories of computing and communication systems that in some way interact with the physical world.  This includes devices that either have sensing elements or control elements, or some combination of the two, and can include both bespoke scientific instrumentation as well as commercially-produced OT.  In both cases, networked sensors and control systems are increasingly important in the context of science as they are critical in operating Major Facilities.  

Trusted CI’s approach to this effort was to spend the first half of 2022 engaging with NSF personnel and operators of OT at NSF Major Facilities to understand the range of operational practices and evaluate potential deficiencies that lead to vulnerabilities and compromises. In the second half of 2022, we leveraged our insights from the first half to develop a roadmap of solutions to sustainably advance security of scientific operational technology. The audiences for this roadmap include NSF, NSF Major Facilities, and Trusted CI itself.

In July 2022, Trusted CI published its findings from its study of the security of operational technology in science, conducted in the first half of 2022.  

Emily K. Adams, Daniel Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, Susan Sons, and John Zage. “Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research,” July 13, 2022. DOI: 10.5281/zenodo.6828675 https://doi.org/10.5281/zenodo.6828675

Now, with the publication of this roadmap, Trusted CI aims to help NSF operational technology in cyberinfrastructure advance toward solutions.  The full citation for the solutions roadmap is as follows:

Andrew Adams, Emily K. Adams, Dan Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, and John Zage. “Roadmap for Securing Operational Technology in NSF Scientific Research,” November 16, 2022. DOI: 10.5281/zenodo.7327987 https://doi.org/10.5281/zenodo.7327987

Trusted CI gratefully acknowledges the many individuals from NSF as well as the following NSF Major Facilities that contributed to the year-long effort that has led to this roadmap: IceCube Neutrino Observatory, NOIRLab, Ocean Observatories Initiative, United States Academic Research Fleet, and the United States Antarctic Program.

In 2023, Trusted CI will turn its focus toward working closely with several maritime-centric NSF Major Facilities and Major Research Equipment and Facilities Construction (MREFC) projects to offer guidance and recommendations  for integrating operational technology security into those facilities for planning, design, and construction of new and refreshed facilities and instrumentation therein.


Tuesday, November 1, 2022

Open Science Cyber Risk Profile (OSCRP) Updated with Science DMZ, Software Assurance, Operational Technology, and Cloud Computing Elements

 Trusted CI has released an updated version of the Open Science Cyber Risk Profile (OSCRP), with additions based on insights from its 2021 study of scientific software assurance:

Andrew Adams, Kay Avila, Elisa Heymann, Mark Krenz, Jason R. Lee, Barton Miller, and Sean Peisert. “The State of the Scientific Software World: Findings of the 2021 Trusted CI Software Assurance Annual Challenge Interviews,” September 2021.  https://hdl.handle.net/2022/26799

Andrew Adams, Kay Avila, Elisa Heymann, Mark Krenz, Jason R. Lee, Barton Miller, and Sean Peisert. “Guide to Securing Scientific Software,” December 2021. DOI: 10.5281/zenodo.5777646

…and its 2022 study on scientific operational technology:

Emily K. Adams, Daniel Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, Susan Sons, and John Zage. “Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research,” July 13, 2022. DOI: 10.5281/zenodo.6828675

A new section on risk profiling of  cloud computing was also added.  The full reference for the OSCRP is:

Sean Peisert, Von Welch, Andrew Adams, RuthAnne Bevier, Michael Dopheide, Rich LeDuc, Pascal Meunier, Steve Schwab, and Karen Stocks. Open Science Cyber Risk Profile (OSCRP), Version 1.3.3. October 2022. DOI: 10.5281/zenodo.7268749

The OSCRP is a document, initially released in 2017, designed to help principal investigators and their supporting information technology professionals assess cybersecurity risks related to open science projects. The OSCRP was the culmination of extensive discussions with research and education community leaders, and has since become a widely-used resource, including numerous references in recent National Science Foundation (NSF) solicitations.

The OSCRP is a living document and will continue to be refreshed as technology and threats change, and as new insights are acquired.

Comments, questions, and suggestions about this post and both documents are always welcome at info@trustedci.org.


Friday, July 15, 2022

Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research

This year, Trusted CI is conducting a year-long effort on the security of operational technology in science. Operational technology (OT) encompasses broad categories of computing and communication systems that in some way interact with the physical world.  This includes devices that either have sensing elements or control elements, or some combination of the two.  Networked sensors and control systems are increasingly important in the context of science as they are critical in  operating scientific instruments.  Trusted CI is pleased to share its findings from this study, published in the following report:

Emily K. Adams, Daniel Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, Susan Sons, and John Zage. “Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research,” July 13, 2022. DOI: 10.5281/zenodo.6828675  https://doi.org/10.5281/zenodo.6828675

In support of this study, Trusted CI gratefully acknowledges the many individuals from the following NSF Major Facilities that contributed to this effort: IceCube Neutrino Observatory, NOIRLab, Ocean Observatories Initiative, and the United States Academic Research Fleet.

Now that Trusted CI has finished its examination of the current state of the security of OT in science, it will turn its focus to developing a roadmap of solutions to sustainably advance security of scientific operational technology, which will be published in late 2022.

Wednesday, January 5, 2022

Announcing the 2022 Trusted CI Annual Challenge on Scientific OT/CPS Security

 The Trusted CI Annual Challenge is a year-long project focusing on a cybersecurity topic of importance for scientific computing environments.  In its first year, the Trusted CI Annual Challenge focused on improving trustworthy data for open science.  In its second year, the Annual Challenge focused on software assurance in scientific computing.  Now in its third year, the Annual Challenge is focusing on the security of “operational technology” or “cyber-physical systems” in science.

Operational technology (OT) or cyber-physical systems (CPS) are networked systems connected to computing systems on one side and to either controls or sensors of physical systems on the other side. Networked sensors and control systems are increasingly important in the context of science as they are critical in operating scientific instruments like telescopes, biological and chemical reactors, and even vehicles used in scientific discovery. Given their increasing importance in the process of scientific discovery, disruption of networked instruments can increasingly have negative consequences for the scientific mission. And, as with OT/CPS everywhere, including commercial off-the-shelf (COTS) OT/IoT, any control system can by definition also have physical consequences in the real world, including equipment damage and loss of life. Indeed, NSF's recent update to the Research Infrastructure Guide (formerly known as the Major Facilities Guide) further clarified that OT is within the scope of information assets to be protected by the facilities' cybersecurity programs (see Sections 6.3.3.2 and 6.3.6.1).

Trusted CI has a long history in addressing the security of operational technology through its engagements with facilities that operate such equipment.  The 2022 Annual Challenge seeks to gain both broader and deeper insights into the security of these important and specialized systems.  To accomplish this, in the first half of the year, we plan to have conversations with personnel involved with IT security and OT operations at a variety of NSF Major Research Facilities.  In the second half of the year, we will leverage this insight to develop a multi-year roadmap of solutions to advance the security of scientific operational technology. This guidance will offer security recommendations in a way most relevant to NSF facilities, rather than existing guides that have different foci and audiences with different priorities and resources.  

This year’s Annual Challenge is supported by a stellar team of Trusted CI staff, including Emily K. Adams (Indiana University), Ryan Kiser (Indiana University), Drew Paine (Berkeley Lab), Susan Sons (Indiana University), John Zage (University of Illinois, Urbana-Champaign), and Sean Peisert (Berkeley Lab; 2022 Annual Challenge Project Lead).