Friday, February 19, 2016

Gemini Observatory-CTSC Engagement a High Point for Both Organizations.

Gemini Observatory and CTSC have wrapped up an intensive engagement that both trudged through the trenches of policy development and literally took CTSC personnel to new heights.  In the late Fall and early Winter of 2015/2016, CTSC and Gemini executed an engagement plan focused on core policy processes and documentation, as well as a close unified look at ICS/SCADA, technical, and physical controls at Gemini North.
The engagement’s policy work focused on initiating a draft Policy Development Protocol, and updating Gemini’s core policy documentation (e.g., beginning a Master Information Security Policy and revising Gemini’s AUP).  CTSC gave feedback on existing documentation, advice on the policy development lifecycle, and guidance on how best to utilize CTSC’s policy templates.  Gemini developed a priority list and timeline for the development/revision and implementation of these and additional policies.
CTSC staff performed a site visit to the Gemini North facility to inform detailed recommendations for improving the physical security and technical security of instrument and industrial control / SCADA systems critical for Gemini’s scientific mission. The visit included inspection tours of the base facility in Hilo, the mid-point facility at Hale Pohaku, and the actual telescope atop Maunakea at 14,000 feet. CTSC interviewed eight Gemini staff members concerning IT support, physical security, ICS/SCADA systems, MS Windows security, web application development, and operational application support. CTSC conducted a physical penetration test of the Base facility, which was thwarted an attentive Gemini staffer. The depth and breadth of this fact-finding mission enabled CTSC to produce a report providing detailed recommendations for enhancements to both physical security and cybersecurity from an on-the-ground point of view.
Gemini’s openness and commitment to this engagement made this a huge learning experience for CTSC.  We were able to closely observe how a facility can effectively incorporate security initiatives into long term project management processes. The site visit enabled fact gathering at a level of detail that allowed CTSC to produce one of its most specific, tailored reports to date.  We’ve learned a great deal from all our Large Facility engagements; this was a truly special hand’s on, collaborative experience.
The CTSC team deeply appreciates the time and effort Tim Minick and Chris Morrison dedicated to this engagement, as well as the welcoming and forthcoming attitudes of all the Gemini staffers who met with our team at Gemini North.

Friday, February 5, 2016

CTSC Collaboration with CICI Projects

NSF has released the 2016 Cybersecurity Innovation for Cyberinfrastructure (CICI) solicitation. As the Cybersecurity Center of Excellence (CCoE) funded under the 2015 CICI solicitation, CTSC is undertaking the following activities on which we invite current and proposed CICI projects to collaborate:

  • Situational Awareness: As a CCoE, we will formalize the community notification process we have already begun under CTSC and provide a Cybersecurity Situational Awareness service for the NSF community. We will distribute vulnerability and other cybersecurity information to the NSF community, tailored for cyberinfrastructure, and CICI projects are welcome to disseminate our notifications to their communities and contribute to the information.
  • Cybersecurity Program Guide: The Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects is available to help guide you in working with NSF projects in establishing cybersecurity programs.
  • Training: CTSC has developed training materials tailored for the NSF community that we encourage you to use. We can also provide training ourselves as our schedule and travel budget allows.
  • Monthly Online Webinars and Chats: As a CCoE, we will host monthly online webinars and chats (similar to the IAM Online series hosted by InCommon). We are happy to invite CICI awardees to present their work.
  • Best practices on Reviews and Engagements: For Regional Cybersecurity Collaborations we are happy to share our experiences and lessons learned in collaborating with NSF projects to address their cybersecurity challenges. Lessons to-date can be found in our reports to NSF.
If you have questions on these topics or other suggestions for collaboration with your existing or proposed CICI project, please contact us.