Tuesday, August 9, 2016

Situational Awareness

As part of its service to the NSF cybersecurity community, CTSC provides situational awareness of current cybersecurity threats to the cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to CTSC’s mailing lists.

CTSC staff members monitor several sources for possible threats to CI, including:

CTSC staff filter these sources for software vulnerabilities which we believe may be of interest to CI operators and software developers. For those issues which warrant notification to the CTSC mailing lists, we also attempt to provide guidance on how operators and developers can reduce risks and mitigate threats.

CTSC cannot provide a one-size-fits-all severity rating and response recommendation for all NSF CI. Please contact us at http://trustedci.org/help for assistance with assessing the potential impact of a vulnerability in your environment or to provide feedback on our service (for example, on the sources we monitor or on the software of interest to your CI).

Monday, August 8, 2016

CCoE Webinar August 22nd 11am EDT: The Science DMZ as a Security Architecture

Energy Science Network's (ESnet) Michael Sinatra will be presenting the webinar, "The Science DMZ as a Security Architecture," on August 22nd at 11am (EDT). This webinar is an encore presentation of a talk that Sinatra will be presenting at the NSF Cybersecurity Summit earlier in the month. If you are unable to attend the summit, here is your opportunity to see one of the talks.

Please register here.

The Science DMZ architecture proposes a novel method of design for network segments optimized for large­ scale data transfer (LSDT) functionality. LSDT has special requirements, both in the security and functional arenas. Attempts to incorporate LSDT functionality into a more traditional perimeter security model can cause problems both with LSDT functionality, as well as weaken overall campus security. The Science DMZ attempts to solve this problem by segmenting the LSDT function away from the traditional campus security perimeter. However, insufficient attention has been paid thus far as to how the Science DMZ fits into a larger strategy of risk­-based segmentation and functional maximization of campus networks.
This presentation examines typical risk­ and control­-based security approaches and proposes a framework in which the Science DMZ, combined with a larger segmentation approach, actually improves the security of valuable campus information assets, while still maximizing LSDT function and security. It concludes with some examples as to how the security of the research enterprise can be vastly improved with a Science DMZ deployment that is carefully aligned with a segmentation strategy.

More information about this presentation and speaker bio are on the event page.

Presentations will be recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

Monday, August 1, 2016

CTSC Collaboration with Science Gateways Community Institute

On Friday, NSF announced $35 million in funding for two new Software Institutes to improve scientific software. We are excited that CTSC already has a collaboration established with one of the two institutes, the Science Gateway Community Institute (SGCI).

SGCI and CTSC are jointly funding one half of an analyst who will work as part of CTSC on security issues for the science gateway community and play a key consulting role in SGCI’s Incubator program by advising gateway developers on cybersecurity issues and providing security reviews for existing gateways.

Science gateways are used by a large portion of the science community and CTSC’s ability to impact cybersecurity for this key cyberinfrastructure component will allow us to increase the trustworthiness of a broad segment of science. We applaud SGCI’s leadership in cybersecurity by engaging with us when they wrote their proposal.

Congratulations to both of the new software institutes! We look forward to our collaboration with SGCI and also stand ready to help the Molecular Science Software Institute as we would any other NSF project through our application process.

You can read more about CTSC’s involvement in SGCI in the IU press release for the SGCI.

Tuesday, July 19, 2016

Apply for an Engagement with CTSC (applications due Sep 16)

Conducting one-on-one engagements with NSF projects and facilities is one of CTSC’s core activities.  To manage scheduling and learn about prospective engagees, we have instituted an engagement application process.  

To complete the application form and learn more about the process visit our site:  http://trustedci.org/application 

Applications for engagements to be executed in January - July 2017 are due September 16, 2017.  (Slots are limited, so this is a hard deadline for early 2017 engagements!)

In its first 3.5 years, CTSC has conducted more than 20 one-on-one engagements with NSF-funded projects and Large Facilities representing the full range of science missions.  We provide a variety of engagement types including: assistance in developing, improving, or evaluating your information security program; software assurance-focused efforts; technology or architectural evaluation; training for staff; and more. 

Monday, July 11, 2016

CCoE Webinar July 25 11am EDT: XSEDE Information Sharing

CTSC's James Marsteller will be presenting the webinar, "XSEDE Information Sharing," on July 25th at 11am (EDT).

Please register here.

The Extreme Science and Engineering Discovery Environment (XSEDE) is the most advanced, powerful, and robust collection of integrated advanced digital resources and services in the world. It is a single virtual system that scientists can use to interactively share computing resources, data, and expertise. This session will provide an overview of the XSEDE information security program used to protect information and assets for the $121 million dollar project. Focus areas will include information sharing, policies and procedures, incident response and security awareness training.

More information about this presentation and speaker bio are on the event page.

Presentations will be recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

And, we want to remind the community that CTSC is hosting The 2016 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure on August 16th - 18th in Arlington, VA. For more information, see the summit event page.

Tuesday, July 5, 2016

IU, NCSA Cybersecurity Position Openings

The IU Center for Applied Cybersecurity Research and the Cybersecurity Directorate at the National Center for Supercomputing Applications have the following opportunities for people to join their teams and work on cybersecurity for CTSC and other endeavors to help science. Please apply using the processes as described on the web pages. Inclusivity is a goal of both organizations and all qualified applicants are encouraged to apply.

Wednesday, June 22, 2016

NSF Cybersecurity Center of Excellence, ESnet Organize Working Group on Open Science Threats

Managing the security risks to scientific instruments, data and cyberinfrastructure is a priority for creating a trustworthy environment for science. Assessing and managing the risks to the integrity and availability of science, and sometimes also privacy issues, involves making judgments on the likelihood and consequences of threats. Deep experience in understanding  cybersecurity and the science being supported is needed to achieve these goals. As a result, ESnet and the NSF Cybersecurity Center of Excellence are collaborating with research and education community leaders to develop a threat profile for open science to formally capture and benchmark this expertise, allowing other organizations to apply these best practices more broadly.

“Finding the expertise and experience to do risk assessments in the context of science is difficult for many open science projects,” said Von Welch, director of the NSF Cybersecurity Center of Excellence.“  We believe this collaboration will be a valuable, and more importantly, a scalable asset for the community as they look to apply appropriate cybersecurity measures at their science facilities and institutions.”

Organized by Sean Peisert and Michael Dopheide from ESnet and Von Welch and Susan Sons from the NSF Cybersecurity Center of Excellence, a working group of nine scientists and cybersecurity leaders from across the country has been formed to tackle developing the threat profile: Ilkay Altintas (San Diego Supercomputer Center), RuthAnne Bevier (Caltech), James Cuff (Harvard), Rich LeDuc (Northwestern), Pascal Meunier (HUBzero), Reagan Moore (iRods), Stephen Schwab (USC Information Sciences Institute) and Karen Stocks (Scripps Institution of Oceanography).

“Several government and academic organizations involved in cybersecurity policy have built a solid foundation for risk management, but it still takes expert judgment to assess risks for the assets found in the open science community,” said Sean Peisert. “The goal of this effort is to provide tailored guidance to the science community on the threats to science assets and the consequences of those threats to the science mission. This information will provide a basic knowledge framework to expedite managing those threats for the wide portfolio  of open science projects.”

The need for a threat profile is a key component of the NSF solicitation which recently funded the NSF’s Cybersecurity Center of Excellence. “Cybersecurity for science is different than in many other domains. For example, integrity is as important to scientific datasets as confidentiality,” said Anita Nikolich, cybersecurity program director at the NSF's advanced cyberinfrastructure division. “Having a shared, documented understanding of these threats will be a substantial step forward for the NSF community.”

“As the Department of Energy’s network for research and collaboration, ESnet connects so many large DOE experimental and HPC facilities which are producing the datasets that researchers around the world need access to for their research,” Peisert said. “We believe it is a moral imperative to be a part of this effort so the community can have greater assurance that their data and network-connected scientific instruments are secure.”

More information about the working group can be found at http://trustedci.github.io/OSCTP/ or you can follow http://blog.trustedci.org/ for updates.

About the NSF Cybersecurity Center of Excellence • trustedci.org

The Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is funded as the National Science Foundation’s Cybersecurity Center of Excellence. The mission of CTSC is to improve the cybersecurity of NSF science and engineering projects, allowing those projects to focus on their science endeavors. This mission is accomplished through one-on-one engagements with projects to address their specific challenges; education, outreach, and training to raise the state of security practice across the scientific enterprise; and leadership on bringing the best and most relevant cybersecurity research to bear on the NSF cyberinfrastructure research community.

About ESnet • www.es.net

The Energy Sciences Network (ESnet) is an international, high-performance, unclassified network built to support scientific research. Funded by the U.S. Department of Energy’s Office of Science (SC) and managed by Lawrence Berkeley National Laboratory, ESnet provides services to more than 40 DOE research sites, including the entire National Laboratory system, its supercomputing facilities, and its major scientific instruments. ESnet also connects to over 140 research and commercial networks, permitting DOE-funded scientists to collaborate productively with partners around the world.