Colleagues
Please find two documents regarding EPICS Cyber Security at the URLs referenced:
1. EPICS Security Architecture [1] (Rev 8, 9-Sept-24). This is a whitepaper which
describes analysis and design to upgrade EPICS cyber security by addition of Transport
Layer Security and accompanying certificate management, EPICS network configuration and
integration with likely EPICS site authentication services.
The document includes background on the many operational impacts, and EPICS management
questions, brought up by the protocol and infrastructure design proposed.
2. EPICS Security Key Decisions [2]. This is basically an RFC of key decision points in
the design. It includes nominal choice selections, though final choices are subject to
further review, and your own comments.
Both documents are at the status of Public Working Draft; that is, they are subject to
change and may not reflect present thinking in all aspects, but are published to help
interested people engage with the issues. Please direct comments to tech-talk.
For attendees of the Cyber workshop of the EPICS Collaboration meeting in Oak Ridge on
Friday this week, the whitepaper is a good primary reference work. The agenda will
concentrate on open questions, particularly the relationship between available
authentication systems and certificate management.
Status:
Software implementations are being developed in PVXS and Phoebus, so far. These are draft
working prototypes. They're very much subject to change in function and design according
to recommendations, scaling, rigorous performance benchmarking, and interoperability with
site authentication infrastructures. These matters will be the focus of FY25.
The work so far is a collaboration of SLAC, Osprey, and SNS; work of SLAC and Osprey
funded by a DOE / Executive Office grant for 2 years, and we are approximately 1 year in.
Essentially, it has gone to plan and budget. The FY24 deliverables have been completed
(though being refined), apart from the last for FY24 - site software prototype test. If
you would like to join the collaboration, please contact me, Greg White
(greg at slac.stanford.edu).
Best Regards,
Greg White, George McIntyre, Michael Davidsaver, Kay Kasemir, Bob Dalesio.
[1] EPICS Security Architecture, ver 8, 9-Sept-2024,
https://urldefense.us/v3/__https://s3df.slac.stanford.edu/groups/ad/static/docs/EPICS_Security_Architecture_20240909.pdf__;!!G_uCfscf7eWS!Ylj3VSy49bh1m4a3CV1dSsbBE5PWqhEk4iaGV8JoY8mtplgryuTIR8Or08v9rSFaphlK44H0v7Ipo7P0b-MhAhE8$
[2] EPICS Security Key Decisions, ver 2, 29th July 2024,
https://urldefense.us/v3/__https://s3df.slac.stanford.edu/groups/ad/static/docs/EPICS_Security_Key_Decisions_V2_20240729.pdf__;!!G_uCfscf7eWS!Ylj3VSy49bh1m4a3CV1dSsbBE5PWqhEk4iaGV8JoY8mtplgryuTIR8Or08v9rSFaphlK44H0v7Ipo7P0bzBlQX1B$