EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System

Subject: Re: EPICS Software Supply Chain Risk Management (SSCRM)
From: Pierrick M Hanlet via Tech-talk <tech-talk at aps.anl.gov>
To: "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov>
Date: Mon, 10 Jul 2023 22:00:14 +0000
Hi Richard,
  I will chime in on question 3.

There is an effort between SLAC and Osprey to address cybersecurity on a dual front: authentication/authorization and securing the network. This was presented at the April collaboration meeting. At Fermilab, we know that we will be able to help test when the time comes, but we are also evaluating how we might contribute more directly, either financially and/or with labor, but we're very early in the process.

Cheers,
Pierrick

On 7/10/23 13:48, Evans, Richard K. (GRC-H000) via Tech-talk wrote:
> Hello,
>
> As reported at the EPICS user meeting in April [1], NASA GRC-ATF is discussing using EPICS at some of its facilities. Not only is the option of using open-source at all still a very new idea to many of our stakeholders (how to maintain it, get support for it, etc.), but our interest in doing so also coincides with a significant increase in the US Federal government's [2][3] (and therefore NASA's) policies and procedures regarding Software Supply Chain Risk Management (SSCRM) and, specifically for the purpose of this question, the security controls relating to protecting an organization from the introduction of malicious code through the use of Open-Source Software (OSS). That said, I have been working on a prepared answer to the question:
>
> "Given that EPICS is open source and used around the world, how do you know that EPICS is safe?"
>
> Our response is as follows:
>
> 1. The approach to acquiring safely and effectively developed Open Source Software is provided by the DOD.
>
> The DOD approach is shown in an FAQ document [4] developed and hosted by the US DOD's Chief Information Office (CIO) [5]. Specifically, the diagram [6] shown in the answer to the question "How is OSS typically developed?" [7], labeled "OSS Development Model".
>
> 2. With the DOD's model as our approach to evaluating the supply chain security risk related to OSS, we can evaluate any potential Open-Source Project by identifying and assessing the integrity of the "Trusted Developers" and the "Trusted Repository".
>
> For the EPICS project, I have identified the DOE's Argonne National Lab (FFRDC) [8] as the Trusted Developer, and maintainer of the integrity of corresponding Trusted Repositories [9][10] for EPICS Distributors to use to provide users with "safe" versions of EPICS.
>
> ---
>
> I'm posting this here because I have two (three) questions for the EPICS community:
>
> Question 1 - How does my response above to the SSCRM question sound to you? Do you agree? Am I missing something?
>
> Question 2 - Has this question been addressed by anyone previously? ... and are there any charts or papers that I can cite and/or reference when I talk with the NASA CIO folks about EPICS and SSCRM?
>
> Question 3 - Is anyone else here dealing with increased cybersecurity policy and risk questions? ... and is this topic (SSCRM) an appropriate use of this forum? Did you find my SSCRM summary of EPICS helpful?
>
> Grateful for any/all feedback.
>
> Thanks and Cheers!
> /Rich
>
> [1] https://indico.fnal.gov/event/58280/contributions/264567/
> [2] https://indico.fnal.gov/event/58280/contributions/264770/
> [3] https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management/publications
> [4] https://dodcio.defense.gov/open-source-software-faq
> [5] https://dodcio.defense.gov/
> [6] https://dodcio.defense.gov/portals/0/Images/OSSFAQ/oss-development-model.png
> [7] https://dodcio.defense.gov/open-source-software-faq/#q-how-is-oss-typically-developed
> [8] https://www.anl.gov/
> [9] https://epics-controls.org/download/
> [10] https://git.launchpad.net/epics-base
>
> - Richard Evans, NASA GRC - Armstrong Test Facility
>    Data and Information Systems Management
>    Public URI: https://www.linkedin.com/in/rkevans
>    Agency URI: https://wiki.grc.nasa.gov/pbgeneral/User:Rkevans
>

-- 
Pierrick Hanlet
Fermi National Accelerator
Accelerator Front End Controls
+1-630-840-5555 -- lab
+1-312-687-4980 -- mobile

"Whether you think you can or think you can't, you're right" -- Henry Ford


References:
EPICS Software Supply Chain Risk Management (SSCRM) Evans, Richard K. (GRC-H000) via Tech-talk
