1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 <2023> 2024 | Index | 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 <2023> 2024 |
<== Date ==> | <== Thread ==> |
---|
Subject: | Re: [EXTERNAL] Re: EPICS Software Supply Chain Risk Management (SSCRM) |
From: | Joshua Einstein-Curtis via Tech-talk <tech-talk at aps.anl.gov> |
To: | "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov> |
Date: | Tue, 11 Jul 2023 11:47:24 -0700 |
Hi Shen,
Oh, yes. We’ll do all those things too as appropriate for each system if that time comes. As I mentioned to Jonathan, my aim in this post was only to share what the NASA GRC-ATF rationale is for getting EPICS on the agency’s “Assessed and Cleared” list. This has nothing to do with how well suited it is for any specific use but rather is focused on it explaining why we have confidence that it won’t be a source of malware from a development point-of-view (hence the whole Trusted Developer/Trusted Repository model).
In other words, we have to show that it is safe for the Agency to install at all before we can even begin to discuss if it is capable of being used to mitigate/control a given hazard inherent in the system that needs to be controlled. That said, I’m encouraged by your response here.. It sounds like if/when we get to that point there is indeed a path for using it in situations that require safety critical controls.
Thank you!
/Rich
From: Shen, Guobao <gshen at anl.gov>
Sent: Tuesday, July 11, 2023 8:41 AM
To: Evans, Richard K. (GRC-H000) <richard.k.evans at nasa.gov>; Jonathan Jacky <jon.p.jacky at gmail.com>
Cc: tech-talk at aps.anl.gov; S Banerian <banerian at uw.edu>
Subject: Re: [EXTERNAL] Re: EPICS Software Supply Chain Risk Management (SSCRM)
Rich,
To be compliant with the cybersecurity requirement, you might also consider to design the system as a whole together with your IT infrastructure.
For example, deploying a firewall dedicated to your instrument control to isolate your whole system from the public network, from your campus network, and from your office network in case you have dedicated firewall for that; or further adopt other method (e.g., MFA) to restrict access to your facility instrument control network which could reduce the risk.
Together with the other technical solutions mentioned, you might be able to satisfy the needs.
Thanks,
Guobao