Roadmap for Securing Operational Technology in NSF Scientific Research

In 2022, Trusted CI surveyed the practices of National Science Foundation (NSF) Major Facilities with respect to securing operational technology.  Operational technology (OT) encompasses broad categories of computing and communication systems that in some way interact with the physical world.  This includes devices that either have sensing elements or control elements, or some combination of the two.  We consider the term operational technology to be interchangeable with cyber-physical systems (CPS).  The two tend to be used in the same way but by different communities.  Both OT and CPS also encompass industrial control systems (ICS), supervisory control and digital acquisition (SCADA), Internet of Things (IoT), and Industrial Internet of Things (IIoT). OT typically has the capability to be networked but may or may not be actually connected to a network at all times or at all.  

Most NSF Major Facilities exist to enable the generation of new knowledge through the operation of scientific instruments at a large scale. These instruments, and the data they produce, are a core component of the NSF Major Facilities’ ability to achieve their missions. The OT that enables these instruments to function is critical to the missions of these Facilities. 

This document describes a roadmap that NSF Major Facilities and NSF might draw upon to improve the cybersecurity of their operational technology.  It also describes steps that NSF can take to provide more comprehensive and consistent guidance on OT cybersecurity in the Research Infrastructure Guide (RIG) and other documentation used by NSF Major Facilities for their design and operation. Our roadmap contains both short-term and long-term recommendations and actions.  The short-term actions are ones that have the potential to be implemented quickly — within the next 1-2 years.  Longer-term actions might take years of planning and not be possible to fully implement until a life cycle refresh of the facility. 

Note that while the intended organization to act on those recommendations is, in most cases, an NSF Major Facility (or perhaps NSF Major Facilities and Trusted CI working in concert), the audience also includes NSF itself. This is primarily for awareness but in one case we explicitly recommend action directly by the NSF.

In this roadmap we leveraged the Trusted CI Framework and referenced the NSF Research Infrastructure Guide.  In particular, we highlight the “Musts” from the Framework which are applicable to the recommendations that we are making to highlight the importance of that recommendation.