Control Systems Cyber Security Reference Architecture (RA) for Critical Infrastructure: Healthcare and Hospital Vertical Example

A reference architecture (RA) provides a common frame of reference with a common vocabulary, reusable designs, and principles that may be applied to future architectures. It can promote re‐use of best practices, improve interoperability, and improve awareness of a system under development of the same mindset. The next version of the Department of Defense (DoD) Chief Information Officer (CIO) Cyber Security Reference Architecture (CSRA) will include an appendix for control systems. It provides a frame of reference for cybersecurity implementations based on generalizations of common principles that can provide a starting point for an organization's architecture effort, inform decision‐making, suggest governance, and help define future policy decisions for control systems. The appendix is based on the outcome of the MOSIACS Joint Capability Technology Demonstration (JCTD), which provides the initial cyber defensive capability framework for integrations of Commercial‐Off‐The‐Shelf (COTS) and Government‐Off‐The‐Shelf (GOTS) components to form a control system cyber defensive solution. The MOSAICS capability was successfully demonstrated in the energy sector critical infrastructure vertical on a power system in August 2021. Its applicability embodied delivery methods for technologies in other essential infrastructure sectors, repeatable playbooks for automated Courses of Action (COA), best practices, and templates for cyber security requirements for control systems. The advantages of the RA are to enable better decision‐making and policy‐making support about cybersecurity for control systems. This paper demonstrates the RA used in the Healthcare and Public Health sector's critical infrastructure vertical to evaluate concepts such as Zero Trust (ZT) and Defense‐in‐Depth (DiD) architecture principles related to policymaking.