Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research

Our study surveyed the practices of National Science Foundation (NSF) Major Facilities with respect to securing operational technology.  Operational technology (OT) encompasses broad categories of computing and communication systems that in some way interact with the physical world.  This includes devices that either have sensing elements or control elements, or some combination of the two.  OT typically has the capability to be networked but may or may not be actually connected to a network at all times or at all.  

As recently indicated by NIST: “OT is critical to the operation of U.S. critical infrastructure.”  Furthermore, there have been numerous incidents in recent years that have exposed significant security weaknesses in this often overlooked component of that critical infrastructure.  In NSF Major Facilities, OT includes the same types of sensing and control devices used in critical infrastructure but also includes bespoke scientific instruments. NSF Major Facilities often exist to operate scientific cyberinfrastructure and would not be able to perform their funded activities without these assets.  

We observed that Major Facilities took safety engineering extremely seriously.  Likewise, all of the Major Facilities that we spoke with also took IT cybersecurity seriously as well.  At the same time, we observed numerous places where OT security for those Major Facilities could be improved.  When asked if there was one element of their organization that they could change, every facility we interviewed indicated that it would be that funding for at least one full-time employee (FTE) dedicated to IT and/or OT cybersecurity, independent of other responsibilities be made available. We believe this indicates a major concern regarding resources allocated to OT security.

In addition, we observed that while OT devices often have an operational lifetime of 15-30 years, there are often no cybersecurity requirements during the device acquisition process.  This, despite the fact that much of the newer OT — that is, that which has been acquired in the past five years — is increasingly “software defined” and therefore containing exactly the same vulnerabilities as traditional IT systems.  We also observed low amounts of documentation and little or no use of OT-related security policies once OT devices were installed or services reliant upon OT were in production use.  

Many Major Facilities represent sole-source U.S. capacity for certain scientific disciplines.  However, despite the outsized risks posed to the missions of Major Facilities by cyber attacks against operational technology, the portions of Major Facilities that operate operational technology are often disconnected from IT security. There tends to be a lack of communication between the teams that operate OT systems and the teams that provide IT systems and cybersecurity.  This communication gap is not due to lack of interest in cross-team communication, but most often comes up due to the personnel structure, siloing those teams in different parts of an organization, and barriers presented by not fully understanding each other’s technical domains.  These challenges are amplified when teams managing OT deployments are geographically distributed or federated across multiple organizations.  

Finally, we observed that Major Facilities rely a great deal on isolation (e.g., a physical air gap) for securing OT, rather than a defense-in-depth strategy.  As a result, security protections can succeed or fail with the efficacy of that isolation.  In practice, there are times when the devices need to be connected to the network for updates and removed from an isolated state.  There is a perception that only periodic reconnection keeps these systems secure, but that periodic reconnection can leave that equipment vulnerable while connected.