An approach to prioritizing OT components for testing that incorporates key factors including operational impact, prevalence, and national security interest. This approach provides a strategic, transparent rationale for testing components that optimizes security impact.
Standardized Testing Process
DOE has developed and refined a standardized approach to enumerating and vulnerability testing firmware and software subcomponents. Standardization ensures consistency, repeatability, and comparability of results, to scale up testing and automation across Labs and partners.
Standardized Reporting and Repository
CyTRICS captures testing results in a standard, bill of materials format that captures granular “digital ingredients” to the subcomponent level, to rapidly identify embedded high-risk components and subcomponents. The program features a central repository of testing results for comprehensive, sector-wide analysis of systemic risks and vulnerabilities.
CyTRICS partners with top manufacturers and utilities in the sector to sign participation Agreements to frame mutual cooperation prior to conducting testing. The standard agreement establishes types of software and firmware testing to be performed, timely disclosure of vulnerabilities identified during testing, and coordinated disclosure of vulnerability information with impacted asset owners, federal agencies, and energy sector stakeholder.