EPICS Home EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System

Format page
for printing


Search Tech-talk
1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  <20232024  Index 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  <20232024 
<== Date ==> <== Thread ==>
Subject: Re: [EXTERNAL] Re: EPICS Software Supply Chain Risk Management (SSCRM)
From: "Shen, Guobao via Tech-talk" <tech-talk at aps.anl.gov>
To: "Evans, Richard K. (GRC-H000)" <richard.k.evans at nasa.gov>, Jonathan Jacky <jon.p.jacky at gmail.com>
Cc: S Banerian <banerian at uw.edu>, "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov>
Date: Tue, 11 Jul 2023 12:40:47 +0000

Rich,

To be compliant with the cybersecurity requirement, you might also consider to design the system as a whole together with your IT infrastructure.

For example, deploying a firewall dedicated to your instrument control to isolate your whole system from the public network, from your campus network, and from your office network in case you have dedicated firewall for that; or further adopt other method (e.g., MFA) to restrict access to your facility instrument control network which could reduce the risk.

 

Together with the other technical solutions mentioned, you might be able to satisfy the needs.

 

Thanks,

Guobao

 

From: Tech-talk <tech-talk-bounces at aps.anl.gov> on behalf of Evans, Richard K. (GRC-H000) via Tech-talk <tech-talk at aps.anl.gov>
Date: Monday, July 10, 2023 at 6:58 PM
To: Jonathan Jacky <jon.p.jacky at gmail.com>
Cc: tech-talk at aps.anl.gov <tech-talk at aps.anl.gov>, S Banerian <banerian at uw.edu>
Subject: Re: [EXTERNAL] Re: EPICS Software Supply Chain Risk Management (SSCRM)

Jonathan, 

 

Thank you so much for your response. I must confess that my intent in this post was originally only to talk about software safety in the (NIST) context of safe from “vulnerabilities” due to “malicious code” from “bad actors” and such as Open Source Software, but your work on showing how EPICS can also be used in safety critical applications to mitigate what we would call “hazardous” operations is equally important topic to us as well.

 

Is it your position that any software that has been demonstrated to be “safe” for use in mitigating risks to personnel health and safety is also safe from external vulnerabilities due to the development process? That seems logical to me. However the verification process you are referring to seems like it is highly dependent on the specific application and specific integration of otherwise established code. My goal today is only to get feedback on the (NIST) trustworthiness of the developer (ANL) and repository as (NIST) safe for use at NASA in non-safety critical applications. 



That said, thanks again.. I’m saving your reply for after we’ve solved the supply chain reliability question and are working on using EPICS in safety critical applications to mitigate hazardous operations. 



Cheers!

/Rich



 

 

 

I’m eager to establish a process for using EPICS in 

From: Jonathan Jacky <jon.p.jacky at gmail.com>
Sent: Monday, July 10, 2023 6:27:27 PM
To: Evans, Richard K. (GRC-H000) <richard.k.evans at nasa.gov>
Cc: S Banerian <banerian at uw.edu>; tech-talk at aps.anl.gov <tech-talk at aps.anl.gov>
Subject: [EXTERNAL] Re: EPICS Software Supply Chain Risk Management (SSCRM)

 

CAUTION: This email originated from outside of NASA.  Please take care when clicking links or opening attachments.  Use the "Report Message" button to report suspicious messages to the NASA SOC.



> "Given that EPICS is open source and used around the world, How do you know that EPICS is safe?"

 

> Question 2 - Has this question been addressed by anyone previously? .. and are there any charts or papers that I can cite and/or reference when I talk with the NASA CIO folks about EPICS and SSCRM.

 

Several years ago, staff at the University of Washington Medical Cyclotron Facility, and faculty and staff at the University of Washington Department of Computer Science and Engineering, did a multi-year project to apply modern formal verification methods and technology both to the EPICS core and an EPICS application program (an EPICS database on an IOC).  

 

The project and its results were reported at the 2017 ICALEPS meeting.    The slides give a quick overview of the project:

 

 

 

- Jonathan Jacky

Replies:
RE: [EXTERNAL] Re: EPICS Software Supply Chain Risk Management (SSCRM) Evans, Richard K. (GRC-H000) via Tech-talk
References:
Re: EPICS Software Supply Chain Risk Management (SSCRM) Jonathan Jacky via Tech-talk
Re: [EXTERNAL] Re: EPICS Software Supply Chain Risk Management (SSCRM) Evans, Richard K. (GRC-H000) via Tech-talk
Navigate by Date:
Prev: Re: Question on Accessing Data in Custom PV Structures Maren Purves via Tech-talk
Next: RE: [EXTERNAL] Re: EPICS Software Supply Chain Risk Management (SSCRM) Evans, Richard K. (GRC-H000) via Tech-talk
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  <20232024 
Navigate by Thread:
Prev: Re: [EXTERNAL] Re: EPICS Software Supply Chain Risk Management (SSCRM) Evans, Richard K. (GRC-H000) via Tech-talk
Next: RE: [EXTERNAL] Re: EPICS Software Supply Chain Risk Management (SSCRM) Evans, Richard K. (GRC-H000) via Tech-talk
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  <20232024 
ANJ, 11 Jul 2023 Valid HTML 4.01! · Home · News · About · Base · Modules · Extensions · Distributions · Download ·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing ·