Experimental Physics and Industrial Control System
Hi Richard,
I will chime in on question 3.
There is an effort between SLAC and Osprey to address cybersecurity on a dual front: authentication/authorization and securing the network. This was presented at the April collaboration meeting.

At Fermilab, we know that we will be able to help test when the time comes, but we are also evaluating how we might contribute more directly, either financially and/or with labor, but we're very early in the process.
Cheers,
Pierrick
On 7/10/23 13:48, Evans, Richard K. (GRC-H000) via Tech-talk wrote:
> Hello,
>
> As reported at the EPICS user meeting in April [1], NASA GRC-ATF is discussing using EPICS at some of its facilities. Not only is the option of using open-source at all still a very new idea to many of our stakeholders (how to maintain it, get support for it, etc.), but our interest in doing so also coincides with a significant increase in the US Federal government's [2][3] (and therefore NASA's) policies and procedures regarding Software Supply Chain Risk Management (SSCRM) and, specifically to the purpose of this question, the security controls relating to protecting an organization from the introduction of malicious through the use of Open-Source Software (OSS). That said, I have been working on a prepared answer to the question:
>
> "Given that EPICS is open source and used around the world, how do you know that EPICS is safe?"
>
> Our response is as follows:
>
> 1. The approach to acquiring safely and effectively developed Open Source Software is provided by the DOD.
>
> The DOD approach is shown in an FAQ document [4] developed and hosted by the US DOD's Chief Information Office (CIO) [5]. Specifically the diagram [6] shown in the answer to the question, "How is OSS typically developed?" [7], labeled "OSS Development Model".
>
> 2. With the DOD's model as our approach to evaluating the supply chain security risk related to OSS, we can evaluate any potential Open-Source Project by identifying and assessing the integrity of the "Trusted Developers" and the "Trusted Repository".
>
> For the EPICS project I have identified the DOE's Argonne National Lab (FFRDC) [8] as the Trusted Developer, and maintainer of the integrity of corresponding Trusted Repositories [9][10] for EPICS Distributors to use to provide users with "safe" versions of EPICS.
>
> ---
>
> I'm posting this here because I have two (three) questions for the EPICS community:
>
> Question 1 - How does my response above to the SSCRM question sound to you? Do you agree? Am I missing something?
>
> Question 2 - Has this question been addressed by anyone previously? .. and are there any charts or papers that I can cite and/or reference when I talk with the NASA CIO folks about EPICS and SSCRM.
>
> Question 3 - Is anyone else here dealing with increased cybersecurity policy and risk questions? .. and is this topic (SSCRM) an appropriate use of this forum? Did you find my SSCRM summary of EPICS helpful?
>
> Grateful for any/all feedback.
>
> Thanks and Cheers!
> /Rich
>
> [1] https://indico.fnal.gov/event/58280/contributions/264567/
> [2] https://indico.fnal.gov/event/58280/contributions/264770/
> [3] https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management/publications
> [4] https://dodcio.defense.gov/open-source-software-faq
> [5] https://dodcio.defense.gov/
> [6] https://dodcio.defense.gov/portals/0/Images/OSSFAQ/oss-development-model.png
> [7] https://dodcio.defense.gov/open-source-software-faq/#q-how-is-oss-typically-developed
> [8] https://www.anl.gov/
> [9] https://epics-controls.org/download/
> [10] https://git.launchpad.net/epics-base
>
> - Richard Evans, NASA GRC - Armstrong Test Facility
> Data and Information Systems Management
> Public URI: https://www.linkedin.com/in/rkevans
> Agency URI: https://wiki.grc.nasa.gov/pbgeneral/User:Rkevans
>
--
Pierrick Hanlet
Fermi National Accelerator
Accelerator Front End Controls
+1-630-840-5555 -- lab
+1-312-687-4980 -- mobile
"Whether you think you can or think you can't, you're right" -- Henry Ford