Wednesday, October 1, 2025

Safely Steering Scientific Progress on the High Seas

Modern cars are like computers on wheels. From the dashboard displays to the steering wheel and even your car keys, computer parts and mechanical components work together in a complex dance to keep you safe and on the road. Today’s maritime ships are a similar blend of machinery and software. From computers to networks and satellites, the modern ship purrs with an electronic hum, but also includes more mechanical tools like winches, cranes, engines, and bilge pumps. But the very same seamless systems that help ships run smoothly can be compromised. Like cars, ships must be protected against potential hackers and other malicious actors.



The R/V Sally Ride, docked in Alameda, CA in 2024.


Trusted CI, the NSF Cybersecurity Center of Excellence, has been working with operators of research vessels across the United States to defend ships from cyberattacks. The team has been supporting "secure by design" approaches before ships are constructed, as well as cybersecurity in research vessel operations. Research vessels are floating laboratories and instruments for landlocked researchers to gather information about what lies beneath the waves. The U.S. Academic Research Fleet includes 17 vessels, which are built with the finest electronics and observational instrumentation. They depend upon strict safety protocols to keep them safe.


But as Sean Peisert, the director of Trusted CI, explains, “There are the experiments and equipment that are brought onboard, many of which also have digital and computing elements in them, making them potentially vulnerable to cybersecurity issues.” The consequences of a successful cyberattack could range from loss of data in a scientific experiment to a ship being dead in the water without propulsion, with the implications ranging from loss of time and funding to dangers to the safety of those on board.




Trusted CI’s Sean Peisert prepares for an inspection of the R/V Sally Ride in 2024.


Cybersecurity for a ship isn’t easy. It’s hard enough just keeping a ship running without thinking about computers. Case in point, Trusted CI had plans to join a training cruise in 2024 that was cancelled due to weather conditions. These are the kinds of real-world issues that research vessel operators have to deal with on top of all of the computers and science equipment that make research vessels so special and distinctive.


In 2023, Trusted CI worked with experts in maritime operational technology at Scripps Institution of Oceanography and Oregon State University to develop “The Operational Technology Procurement Vendor Matrix,” a guide to ensure protection against cyberattacks by a proactive procurement process. Additionally, Trusted CI’s staff has been involved in visiting ships to better understand just how technology operates in real-world conditions.  Most recently, Trusted CI's visits have also included observation of ship inspections, which happen at regular intervals by the National Science Foundation, the U.S. Coast Guard, and the U.S. Navy.


What happens during one of these ship inspections? Peisert says that when he visited the Office of Naval Research’s R/V Sally Ride for a National Science Foundation and US Navy / INSURV inspection, they examined the vessel’s in-port and onboard elements. The inspection of the ship involved evaluating its performance while underway, including its engines, navigation equipment, and crew procedures, and verifying that it met Coast Guard requirements for communication and navigation, including a range of traditional and modern systems. A man-overboard drill was also conducted, including communications between the ship and the recovery team. 




Trusted CI’s Dan Arnold, left, conferring with marine technicians on the R/V Sally Ride in 2023.


The inspection wasn’t just limited to computer systems; inspectors also checked the state of the vessel's physical assets. “It may be interesting to know that Coast Guard rules require not just satellite, modern GPS, and digital, topological navigation charts,” Peisert observes, “but that ships must also carry HF radios that can propagate for thousands of miles, as well as paper charts, and even a sextant for determining latitude.” Inspectors even conducted visual inspections of the ship’s overboard handling system (“A-Frame”) to check the metal for potentially corrosive rust.  


So far, the Trusted CI team has visited the Office of Naval Research’s R/V Sally Ride and Oregon State University’s Hatfield Marine Science Center in Newport, Oregon, the future home port of the R/V Taani. Team members Mike Simpson and Mikeal Jones were present for the Office of Naval Research’s R/V Thomas G. Thompson inspection in September 2024. The Trusted CI team was also involved at the RVTEC 2024 Meeting hosted by the University of New Hampshire in October 2024.


The Trusted CI team is currently preparing for upcoming collaborations with research vessel teams. Simpson and Jones will be present in October for the National Science Foundation inspection of the R/V Atlantic Explorer in Bermuda. Another Trusted CI team member, Ishan Abhinit, will be involved in the National Science Foundation inspection of the R/V Rachel Carson this November. Finally, Mike Simpson will be involved in the National Science Foundation inspection of the Office of Naval Research’s R/V Armstrong in December 2025.


As for Trusted CI Director Peisert, he will join the crew of the R/V Sikuliaq, operated by University of Alaska, Fairbanks, on a transit from Seward, Alaska to Nome, Alaska. While on board, he will participate in a cyber-incident drill that will take place during the transit to exercise the crew's skills and procedures in responding to simulated cybersecurity threats while at sea. Peisert says, “Trusted CI looks forward to more of these visits going forward as it continues its ongoing support of the U.S. Academic Research Fleet to ensure that the vessels' cybersecurity programs are as robust as possible for ensuring ship safety and the progress of the ocean science being conducted on the vessels.”


Stay tuned for more information about Trusted CI’s maritime activities. Want to check out the activities happening on land this fall? We are hosting a ‘birds of a feather’ session at the NSF Cybersecurity Summit and we will be presenting during Cyber Monday at RVTEC this November. 


Friday, September 26, 2025

Announcing the 2025 Trusted CI Fellowship!

Trusted CI, the NSF Cybersecurity Center of Excellence, is proud to announce the 2025 Trusted CI Fellowship recipients!

 

Monday, September 22, 2025

NSF Cybersecurity Summit | Extended Hotel Block Deadlines – Book Now!

Planning to attend this year's NSF Cybersecurity Summit in Boulder, CO?

Great news — the hotel room block deadlines have been extended!

 Boulder Marriott & Residence Inn
 Book by tomorrow, September 23, to secure your group discount.

 Hilton Garden Inn
 Book by Friday, September 26, to secure your group discount.

Tuesday, September 9, 2025

Trusted CI Webinar: No Harness, No Problem: Extending Fuzzing’s Reach via Oracle-guided Harness Generation, Monday September 22nd @ 10am Central

University of Utah's Stefan Nagy is presenting the talk, No Harness, No Problem: Extending Fuzzing’s Reach via Oracle-guided Harness Generation, on Monday September 22nd at 10am, Central time.

Please register here.

As NIST estimates that today's software contains up to 25 bugs per 1,000 lines of code, the prompt discovery of exploitable flaws is now crucial to mitigating the next big cyberattack. Over the last decade, the software industry mitigated increasing complexity by turning to a lightweight approach known as fuzzing: automated testing that uncovers program bugs through repeated injection of randomly-mutated test cases. Academia and industry have extensively studied fuzzing's three main challenges—input generation, program feedback collection, and, most critically, code harnessing—accelerating fuzzing to find many more vulnerabilities in less time. However, the critical nature of scientific computing—multi-purpose software toolkits, bespoke APIs, and high-performance environments—demands analogous advances in the vetting of scientific cyberinfrastructure. 

In this talk, I will showcase my group's research on automatic code harnessing, a key step toward making fuzzing scalable to today's complex scientific libraries. First, I will introduce our core approach Oracle-guided Harnessing: a technique that mutationally constructs and refines fuzzing harnesses using only library headers, validated through correctness oracles spanning compilation, execution, and coverage. Next, I will discuss our extensions of this approach to the C and Python library ecosystems, where it has uncovered over 70 previously-unknown security vulnerabilities and logical bugs across widely-used codebases. Finally, I will outline my vision for synergistic harnessing techniques that combine emergent large-language-model–driven methods with our Oracle-guided strategies, charting a path toward fully automatic, broadly applicable, and error-free harnessing.

Speaker Bio: 

Dr. Stefan Nagy is an Assistant Professor in the Kahlert School of Computing at the University of Utah, where he directs the FuTURES³ Lab. His work lies at the intersection of software engineering, computer systems, and security, with a focus on making automated vetting of software and systems more effective and efficient irrespective of kernel, architecture, and source code. His research frequently appears at top venues such as ICSE, USENIX Security, and ACM CCS, and has led to the discovery of more than 200 previously-unknown software bugs and security vulnerabilities (futures.cs.utah.edu/bugs). He holds a PhD from Virginia Tech and a BS from the University of Illinois at Urbana-Champaign.


---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Thursday, September 4, 2025

Secure Your Hotel Room for the NSF Cybersecurity Summit Before September 19

 



Time is running out to book your hotel room for this year's NSF Cybersecurity Summit in Boulder, CO!

The deadline to reserve your room at the discounted group rate is September 19th, and availability is limited.

This annual Summit brings together cybersecurity practitioners, technical leaders, and risk managers from the NSF Major Facilities and Cyberinfrastructure community. Attendees will also include key stakeholders and thought leaders from across the scientific and cybersecurity landscapes.

There is still time to register for this year's Summit—the deadline is October 6. If you have any questions or need assistance, please reach out to us.


We hope to see you in Boulder!

Summit Organizing and Program Committee

Tuesday, September 2, 2025

Trusted CI Celebrates Sixth Cohort Graduation & Opens Call for 2026 Engagement

Trusted CI’s sixth Framework Cohort, “Foxtrot”, successfully completed the six-month program of training and workshop engagement focused on learning and applying the Trusted CI Framework. The Cohort members entered the engagement with a commitment to adopting the Framework at their organizations. They then worked closely with Trusted CI to gather facility information and create validated self-assessments of their cybersecurity programs based on the Framework. Each organization also emerged with a draft Cybersecurity Program Strategic Plan (CPSP) identifying priorities and directions for further refining their cybersecurity programs. The Foxtrot cohort included the following research-oriented organizations:

 ALMA  |  DERConnect  |  UC Davis  |  US ATLAS  |  ZEUS

The foundation of the cohort program is the Trusted CI Framework. The Framework was created as a minimum standard for cybersecurity programs. In contrast to cybersecurity guidance focused narrowly on cybersecurity controls, the Trusted CI Framework provides a more holistic and mission-focused standard for managing cybersecurity. For these organizations, the cohort was their first formal training in the Trusted CI Framework “Pillars” and “Musts” and how to apply these fundamental principles to assess their cybersecurity programs.

Feedback on the program from cohort participants has been strongly positive:

"Participating in the Trusted CI Cohort was an excellent experience and brought significant value to our team. As a research group working at the intersection of the power grid and renewable energy, cybersecurity is critical for both our daily operations and the broader transition to smarter, more connected technologies. The cohort facilitators provided expert guidance and a practical framework that helped us clarify our cybersecurity risks, baseline controls, stakeholder responsibilities, and more. Through their collaborative and thorough approach, we developed an actionable, strategic plan and gained a holistic understanding of our security posture. With this training, we feel empowered and better prepared to implement a robust cybersecurity program, strengthening both our research and industry collaborations."

 - Keaton Chia, R&D Engineer and Project Manager, DERConnect 

 

 2026 Framework Cohort Call for Participation Open

Trusted CI has a few spots left for the 2026 Framework Cohort engagement (starting January 2026). To learn more or to submit the interest form for your organization, visit trustedci.org/framework/cohort-participation

Engagement with RISC

Concurrent with leading Foxtrot, Trusted CI continued quarterly engagement with graduates of the five previous Framework cohorts through the Research Infrastructure Security Community (RISC). Trusted CI established RISC as a community of practice to provide a forum for cohort graduates to expand their cybersecurity knowledge, share experiences, and build relationships within the NSF research cyberinfrastructure community.

For more information, please contact us at framework@trustedci.org.


Monday, August 18, 2025

Registration now open: 2025 NSF Cybersecurity Summit – October 20–23 in Boulder, CO


We’re excited to announce that registration is now open for the 2025 NSF Cybersecurity Summit, taking place October 20–23, 2025, at the UCAR Center Green Campus and NSF NCAR in Boulder, Colorado.

This annual Summit brings together cybersecurity practitioners, technical leaders, and risk managers from the NSF Major Facilities and Cyberinfrastructure community. Attendees will also include key stakeholders and thought leaders from across the scientific and cybersecurity landscapes.

🔹 Explore the 2025 Program
Check out this year’s engaging sessions and speakers.

🔹 Register to Attend
Please complete your registration by October 6, 2025.

🔹 Plan Your Stay
Trusted CI has secured hotel accommodations for Summit attendees.

If you have any questions, please don’t hesitate to reach out. Please send an email to summit@trustedci.org.

We look forward to seeing you in Boulder this October!