Through the First OpenC2 Plugfest - Towards Standardization

This article reports from the first OpenC2 PlugFest, which took place in Columbia, MD, on 27 & 28 January 2020. The Plugfest was hosted at the UMBC Training Center and attracted multiple organizations, government bodies, and universities intending to test their OpenC2-enabled products. For many participants it was also an opportunity to learn more about the OpenC2 effort and to see implementations (proofs-of-concept) in practice. Approximately 50 people participated from 28 companies/organizations and three countries (Norway, UK, USA).

Image may contain: Text, Logo, Font, Brand, Line.

Plugfest  is a meeting place and a playground for engineers of software and electronic equipment where their systems and devices are tested for interoperability with emerging standards. If the standards are well-designed and the tested products are standards-compliant, then the products should function as expected when plugged together. If not, there may be deficiencies with the standards, with the implementations, or both. Organizing a Plugfest is the best way to find out.

OpenC2  is developed within the OASIS international standards body. OpenC2 defines a standardized language for the command and control of cyber defense components and systems in a manner that is agnostic of the underlying technologies utilized or of any other aspect of the implementations  [1] . The goal of OpenC2 is to enable coordinated defense in cyber-relevant time between decoupled blocks that perform cyber defense functions. The assumption that underlies the design of OpenC2 is that the sensing and analytics for sense-making have been provisioned, and the decision to act has been made. 

The OpenC2 Technical Committee has developed and published three specifications.

1. The OpenC2 Language Specification  [2]

2. The Stateless Packet Filtering (SLPF) Actuator Profile  [3]

3. The Specification for Transfer of OpenC2 Messages via HTTPS  [4]

The OpenC2 language is used in conjunction with OpenC2 Actuator Profiles which extend the language in the context of particular cyber defense functions, as well as with OpenC2 Transfer Specifications which provide guidance on how OpenC2 messages should be transferred over specific transport protocols. The OpenC2 language formalizes the most common actions and targets applicable to cyber defense functions. In addition, OpenC2 defines command arguments for granularity, elaborates on the available target and data types, includes a JSON serialization of Commands and Responses as well as encoding requirements, and the procedure for extending the language.

The PlugFest in January 2020 included numerous implementations, with some already OpenC2 actuator profile compliant and ready to interoperate, while others demonstrated use cases where OpenC2 commands were used for controlling particular actuators / consumers. For example, some of the participants demonstrated how the same OpenC2 command could be used to check a file on VirusTotal as well as on BlueVector's AI-based malware engine to identify whether the file is malicious or not, followed by getting back the results as part of the OpenC2 response. Also of interest was to see a use case, work in progress, that included orchestration in terms of sequential and follow-up actions of unmanned aerial vehicles (drones).

The OpenC2 GitHub page collects all the use cases and implementations presented at the OpenC2 Plugfest and references the repositories with publicly available code  [5] .

One collaborative use case demonstrated interoperability among different packet filters. The implementers (University of Oslo  [6] , University of North Carolina CH  [7] , AT&T, and NEC / CDI  [8] ) had all created interfaces (not native) for particular systems with packed filtering capability. The use case demonstrated the robustness of the first published actuator profile (SLPF), and also identified minor issues that will be addressed shortly (extensions and more granularity are needed). A high-level diagram of the implementation is shown below. 

No alt text provided for this image

If you are interested in participating in OpenC2 please visit the Official TC page  [OpenC2].


Author: Vasileios Mavroeidis

The article is available at:

Published Feb. 6, 2020 3:08 PM - Last modified Feb. 6, 2020 3:11 PM