Commit

Additional updates to the "internal software" section based on the 2021 Trusted CI Annual Challenge on Assurance of Scientific Software. Updates also made to Facilities, Sensors, and Control Systems based on the findings and preliminary recommendations developed in the 2022 Annual Challenge on Security of Operational Technology in Science. Also added a new "cloud computing" section.
peisert committed Oct 21, 2022
1 parent 3ab302a commit e14f5ba
Showing 15 changed files with 32 additions and 6 deletions.
8 changes: 5 additions & 3 deletions OSCRP.md
Expand Up @@ -39,8 +39,8 @@ title: Open Science Cyber Risk Profile

This document is based on version 1.2 of the OSCRP. View [changes since 1.2](https://github.com/trustedci/OSCRP/compare/v1.2...master).

Citation for v1.3.2:
* Peisert, Sean, Von Welch, Andrew Adams, RuthAnne Bevier, Michael Dopheide, Rich LeDuc, Pascal Meunier, Steve Schwab, and Karen Stocks. Open Science Cyber Risk Profile (OSCRP), Version 1.3.2. March 2022. http://hdl.handle.net/2022/21259
Citation for v1.3.3:
* Peisert, Sean, Von Welch, Andrew Adams, RuthAnne Bevier, Michael Dopheide, Rich LeDuc, Pascal Meunier, Steve Schwab, and Karen Stocks. Open Science Cyber Risk Profile (OSCRP), Version 1.3.3. October 2022. http://hdl.handle.net/2022/21259

This release is dated {{ site.time | date_to_long_string }}. The latest version of the document can be found at [*https://trustedci.github.io/OSCRP/OSCRP.html*](https://trustedci.github.io/OSCRP/OSCRP.html). For more information about the group, please see [*https://trustedci.github.io/OSCRP/*](https://trustedci.github.io/OSCRP/).

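Review bot: the new v1.3.3 citation reuses the exact handle of the v1.3.2 entry it replaces (http://hdl.handle.net/2022/21259); if that handle resolves to the latest snapshot rather than a version-specific record, say so next to the citation, otherwise cite a version-specific identifier so the two snapshots stay distinguishable. Consider also keeping the v1.3.2 line alongside the new one rather than replacing it, since the README hunk further down presents "published snapshots" as a plural list.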
Expand Down Expand Up @@ -315,6 +315,8 @@ In this section we list common Open Science Assets and provide a diagram for eac

- [*Servers*](assets/Servers/): Systems used to access, store, produce and/or manipulate other Assets

- [*Cloud*](assets/Cloud/): Cloud computing, including Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and Software as a Service (SaaS).

- [*Desktops*](assets/Desktops/): Systems used to access, store, produce and/or manipulate other Assets

- [*Laptops*](assets/Laptops/): Systems used to access, store, produce and/or manipulate other Assets
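Review bot: the added Cloud entry ends with a trailing period while the neighbouring Servers, Desktops and Laptops entries do not; drop the period (or add one to the others) so the asset list reads consistently. The entry also lists the service models as PaaS, IaaS, SaaS, whereas the new assets/Cloud/readme.md in this commit introduces them as SaaS, PaaS, IaaS; pick one order for both.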
Expand Down Expand Up @@ -395,7 +397,7 @@ Trusted CI is also in the process of putting together a set of reports on specif
- [Guidance for Trustworthy Data Management in Science Projects](https://doi.org/10.5281/zenodo.4056241)
- [The State of the Scientific Software World: Findings of the 2021 Trusted CI Software Assurance Annual Challenge Interviews](http://hdl.handle.net/2022/26799)
- [Guide to Securing Scientific Software](https://doi.org/10.5281/zenodo.5777646)

- [Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research](https://doi.org/10.5281/zenodo.6828675)


## <a name="acknowledgments"></a>12. Acknowledgments
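Review bot: the blank line inserted between the "Guide to Securing Scientific Software" item and the new "Findings of the 2022 Trusted CI Study" item is the only blank line inside this bulleted list, and in Markdown a blank line between items turns the whole list loose (every item gets paragraph spacing); remove it so the new report renders as a plain fourth bullet. The two blank lines left before the Acknowledgments heading can likewise be collapsed to one.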
Expand Down
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -17,7 +17,7 @@ For assets that are commodity IT or for which a risk profile already exists, thi
The latest version of the OSCRP may be found at https://trustedci.github.io/OSCRP/OSCRP.html

Published snapshots of the OSCRP include:
* Peisert, Sean, Von Welch, Andrew Adams, RuthAnne Bevier, Michael Dopheide, Rich LeDuc, Pascal Meunier, Steve Schwab, and Karen Stocks. 2017. Open Science Cyber Risk Profile (OSCRP), Version 1.2. March 2017. http://hdl.handle.net/2022/21259
* Peisert, Sean, Von Welch, Andrew Adams, RuthAnne Bevier, Michael Dopheide, Rich LeDuc, Pascal Meunier, Steve Schwab, and Karen Stocks. Open Science Cyber Risk Profile (OSCRP), Version 1.3.3. October 2022. http://hdl.handle.net/2022/21259

## What is an asset?
“Assets” are computing systems, data storage systems, networking, digital sensors, scientific and other advanced instruments, scientific data, personnel, and an interoperable suite of software services and tools, including data repositories, visualization environments, and analytic environments. Assets also include the computer-controlled, network-connected elements of physical plants responsible for the safety and security of these systems, such as power and HVAC.
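Review bot: the two "published snapshots" entries now have different citation shapes: the 1.2 line carries "2017." immediately after the author list and then "March 2017." again, while the new 1.3.3 line has only "October 2022."; normalise both to one form (drop the duplicated leading year from the 1.2 entry, or add the year to the new one). Both entries also point at the same handle, so confirm that the identifier distinguishes snapshots or state that it resolves to the latest release.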
Expand Down
18 changes: 18 additions & 0 deletions assets/Cloud/readme.md
@@ -0,0 +1,18 @@
---
layout: default
title: Cloud
permalink: assets/Cloud/
---

# Servers

*Asset Type:* Cloud

Cloud infrastructure is now widely used in science. This infrastructure is typically broken down into Software as a Service (SaaS),
Platform as a Service (PaaS), Infrastructure as a Service (IaaS). Examples of SaaS include Dropbox, GitHub, Google Apps, and Salesforce. Examples of PaaS include AWS Elastic Beanstalk, Google App Engine, Microsoft Windows Azure, and Red Hat OpenShift. Examples of IaaS include Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

A benefit of all of these services, at least on the major cloud platforms, includes typically very high robustness against network denial of service attacks, very high server reliability and uptime, and much less concern about physical security of the systems.

At the same time, each of these types of infrastructure has different security properties. While all rely on the security of the underlying system being run, and also on proper access controls and authentication, IaaS involves running an entire operating system, and so therefore requires substantially more security of the installation and configuration of that operating system

![Cloud](../../diagrams/Cloud.png)
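Review bot: the top-level heading of the new assets/Cloud/readme.md reads "# Servers", evidently carried over from the Servers page; it should read "# Cloud" to match the front-matter title, the "Asset Type" line and the diagram below it. Two smaller points on the same hunk: the last paragraph ends without a period, and that sentence would carry the security point more clearly if it named who holds the responsibility, e.g. "requires substantially more security of the installation and configuration of that operating system, which falls to the project rather than the provider." The PaaS example list also uses the older name "Microsoft Windows Azure" while the IaaS list uses "Microsoft Azure"; use the current name in both.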
Expand Up @@ -6,4 +6,8 @@ permalink: assets/Network-connected-scientific-control-systems/

# Network-connected scientific control systems (e.g., microscopes, telescopes, light sources, particle accelerators)

![Cyber-Physical-Control-System](../../diagrams/Cyber-Physical%20Control%20System.png)
![Cyber-Physical-Control-System](../../diagrams/Cyber-Physical%20Control%20System.png)

For additional Trusted CI information on operational technology (OT) security, please see:

Emily K. Adams, Daniel Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, Susan Sons, and John Zage, "[Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research](https://doi.org/10.5281/zenodo.6828675)," Trusted CI Report, July 13, 2022.
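Review bot: the image line appears twice in this hunk, once removed and once re-added with identical content, which usually means the original file lacked a trailing newline; harmless, but worth confirming that nothing else on that line was meant to change (the %20-encoded path is the same in both). The added reference block repeats, word for word, the citation the Sensors hunk adds; consider pointing both asset pages at the single entry already added to the Trusted CI reports list in OSCRP.md, so future corrections to the citation happen in one place.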
4 changes: 3 additions & 1 deletion assets/Sensors/readme.md
Expand Up @@ -10,4 +10,6 @@ permalink: assets/Sensors/

Hardware or systems designed to collect raw data. These can include standalone, as well as network-connected devicees.

![Sensors](../../diagrams/Sensors.png)
![Sensors](../../diagrams/Sensors.png)

Emily K. Adams, Daniel Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, Susan Sons, and John Zage, "[Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research](https://doi.org/10.5281/zenodo.6828675)," Trusted CI Report, July 13, 2022.
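Review bot: the added citation lands directly after the diagram with no lead-in, unlike the control-systems page in this same commit, which introduces the identical reference with "For additional Trusted CI information on operational technology (OT) security, please see:"; add the same sentence here for consistency. The unchanged context line above also carries a pre-existing typo, "devicees" for "devices", that could be fixed while this file is being touched.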
Binary file added diagrams/Cloud.graffle
Binary file added diagrams/Cloud.png
Binary file modified diagrams/Cyber-Physical Control System.graffle
Binary file modified diagrams/Cyber-Physical Control System.png
Binary file modified diagrams/Facilities.graffle
Binary file modified diagrams/Facilities.png
Binary file modified diagrams/Internal-software.graffle
Binary file modified diagrams/Internal-software.png
Binary file modified diagrams/Sensors.graffle
Binary file modified diagrams/Sensors.png

0 comments on commit e14f5ba