Thursday, March 22, 2018

New name, same mission

Dear friends of CTSC,

We're writing to announce that the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is becoming Trusted CI, the NSF Cybersecurity Center of Excellence.

Why are we making this change? While it clearly conveyed our mission, our initial name was a mouthful -- and, with the added CCoE designation, we found that people struggled to remember it. Trusted CI will build better name recognition, through consistent branding across our website ( and social media (@TrustedCI). 

The new name still emphasizes what we're about: Achieving the NSF goal of creating high-quality, trusted cyberinfrastructure (CI) that supports high-quality, trusted science. It will also make it easier for you to remember how to get help for your NSF CI projects: Email (be sure to identify which NSF project your query relates to). 
As we roll out the new branding this spring, we'd like to extend an active invitation to engage our services. From quick questions to collaborative engagements lasting months, Trusted CI tackles challenges of all sizes. 

We're happy to assist with anything related to cybersecurity for NSF CI projects, and we're focused on tailored solutions that impact your work as little as possible. And now all you have to remember is Trusted CI!

Monday, March 12, 2018

Trusted CI Webinar Mar. 26th at 11am ET: Data Quality and Security Evaluation Framework

Rochester Institute of Technology's Leon Reznik and Igor Khokhlov are presenting the talk "Data quality and security evaluation framework development" on March 26th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
In this talk, we are presenting our work on building a data quality and security (DQS) framework, which integrates cybersecurity with other diverse metrics, such as accuracy, reliability, timeliness, and safety into a single methodological and technological framework. This innovation has a high potential to enable a significant improvement in a wide spectrum of science and technology applications as it will create new opportunities for optimizing data structures, data processing and fusion procedures based on a new quality and security information application. While the developed evaluation techniques may cover a wide range of data sources, the current framework’s implementation concentrates on using an ordinary user’s owned mobile devices and Android-based smartphones in particular.  
After discussing a motivation and general concepts of data quality evaluation, we will present preliminary results. As the framework integrates various metrics from accuracy to security and privacy, we will show examples of cyberinfrastructure elements from those areas developed so far. The security evaluation aspect of the framework is introduced with the Android applications that evaluate a smartphone security, gives a comprehensive score, and advises how the smartphone security can be improved. Two applications that are already available on Google Play will be presented and discussed. In addition, we will show some examples of the framework’s user interface designed for data quality metrics assignment and demonstrate its visualization capabilities. 
The data privacy evaluation is presented with the investigation of the colluded application vulnerability in Android OS devices. We will discuss and analyze the results achieved in this domain.
We believe that DQS evaluation framework will stimulate further improvement of the quality of the whole cyberinfrastructure and, in particular, cybersecurity. We will discuss possible further developments and seek the feedback and advice on the further DQS evaluation research directions. In particular, we are looking for a collaboration in the development of our framework applications in various science and technology domains.

Leon Reznik is a Professor of Computer Science (primary affiliation) and Computing Security (secondary affiliation) at the Rochester Institute of Technology. His current research concentrates on data quality and security evaluation and assurance; cognitive sensor networks and systems; intelligent intrusion detection and big data analytics.

Igor Khokhlov is a Ph.D. candidate at the Rochester Institute of Technology. He conducts research on data quality and value evaluation for sensor-originated data. Igor’s fields of interest include Android OS, cyber-security, and AI.
Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, March 2, 2018

NRAO and Trusted CI Launch Engagement

Trusted CI is pleased to announce the start of an engagement with the National Radio Astronomy Observatory (NRAO), an NSF Large Facility supported in part by NSF Award # 1647378. This engagement is expected to continue through the end of June. Our shared goal for this engagement is to assess and facilitate the continued maturation of NRAO’s information security program, as well as to positively impact its adaptiveness and longevity. We will accomplish this by evaluating their existing policies, practices, and documentation, and providing recommendations for opportunities to strengthen these within the overarching framework of the four pillars of cybersecurity: mission, governance, resources, and controls.

Initially established in 1956, the National Radio Astronomy Observatory is operated under cooperative agreement by Associated Universities, Inc. (AUI). NRAO provides state-of-the-art radio telescope facilities for use by the international scientific community, open to all astronomers regardless of institutional or national affiliation. NRAO also provides both formal and informal programs in education and public outreach for teachers, students, the general public, and the media. Their instruments include the Jansky Very Large Array in New Mexico and the North American component of the Atacama Large Millimeter/submillimeter Array in Chile.

With its latest renewal, NRAO’s mandate is to improve not only the accessibility of its scientific instruments, but also the accessibility of its multi-petabytes of archived observational data for re-processing and re-use beyond the initial intent and audience. NRAO’s revised mission seeks to extend beyond the traditional radio astronomy community into the fields of general scientific endeavor looking at complex molecules in space, real-time events, and the explanation of origins of life, planets, solar systems, galaxies, and the universe.

Wednesday, February 14, 2018

CTSC Begins Engagement with GenApp

GenApp (NSF OAC-1740097) is a tool for rapidly generating science gateways. The goal of GenApp is to provide a graphical frontend for command line scientific applications. This is accomplished by creating JSON configuration files which specify input and output parameters for the scientific application, as well as parameters for the GUI elements of the resulting graphical frontend.

The most used GenApp-generated science gateway (SASSIE2), which is focused on the small-angle scattering field, has over 500 registered users and 11K jobs submitted through the gateway in 2017. GenApp-generated gateways are running on dedicated local resources as well as cloud resources, primarily NSF Jetstream at this time, but such functionality has also been tested on AWS.

As vulnerabilities present in GenApp may lead to vulnerabilities in the generated gateway applications, it is imperative to address any security issues which may be in the GenApp framework, to protect the integrity of the gateway applications and the computing platforms they use. CTSC will review GenApp's design and architecture in attempt to identify potential security issues and recommend remediations. CTSC will also use code analysis tools and web-based scanning tools on both the GenApp frontend-generation engine as well as the several web frontends created by the GenApp framework.

The CTSC-GenApp engagement began January 2018 and is scheduled to conclude by the end of June 2018.

Monday, February 12, 2018

CCoE Webinar Feb. 26th at 11am ET: SmartProvenance

The University of Texas at Dallas's Dr. Murat Kantarcioglu is presenting the talk "SmartProvenance: A Distributed, Blockchain Based Data Provenance" on February 26th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
Blockchain technology has evolved from being an immutable ledger of transactions for cryptocurrencies to a programmable interactive environment for building distributed reliable applications. Although the blockchain technology has been used to address various challenges, to our knowledge none of the previous work focused on using Blockchain to develop a secure and immutable scientific data provenance management framework that automatically verifies the provenance records using off-chain techniques. In this talk, we discuss how we leverage Blockchain as a platform to facilitate trustworthy data provenance collection, verification, and management. The developed system utilizes smart contracts and open provenance model (OPM) to record immutable data trails. We show that our proposed framework can securely capture and validate provenance data that prevents any malicious modification to the captured data as long as the majority of the participants are honest.

Dr. Kantarcioglu is a Professor in the Computer Science Department and Director of the Data Security and Privacy Lab at The University of Texas at Dallas (UTD). Dr. Kantarcioglu’s research focuses on the integration of cyber security and data science.Presentations are recorded and include time for questions with the audience.
Join CTSC's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, February 9, 2018

Deadline extended for REU student applications at IU.

The application deadline for undergraduate students at IU interested it working on software security research with CTSC has been extended to February 18th.

Please see the original post for more details.

Tuesday, February 6, 2018

Apply for an Engagement with the NSF Cybersecurity Center of Excellence (applications due April 6)

We are accepting applications for one-on-one engagements to be executed in July - December 2018.  Applications are due April 6, 2018. (Slots are limited and in demand, so this is a hard deadline!)

To learn more about the process and criteria, and to complete the application form, visit our site:

During CTSC’s first 5 years, we’ve conducted more than 20 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions.  We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.  

As the NSF Cybersecurity Center of Excellence, CTSC’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

CTSC Engages with Community to Develop Academic Cloud Provider Best Practices

A community of academic cloud service providers in collaboration with CTSC intend to identify and document a set of security best practices for both operators and software developers of academic cloud service providers.  The community that will spearhead this thrust is comprised of various R&E cloud service provider initiatives, including: Agave Platform (TACC - NSF OCA-SS2-SSI-1450437), Cornell University Center for Advanced Computing (NSF CI-1541215), CyVerse (UA - NSF DBI-0735191, DBI-1265383), and Jetstream (IU - NSF 1445604).

A “cloud resource” within an academic institution provides a means for R&E users to run virtual machines or containers such that they can have a custom software stack and isolation from other users. Additionally, virtual machines or container images can be curated and provided by the cloud resource operator, they can be provided by the user, or they can be provided by a third party.  This presents a number of challenges in the domain of cloud cybersecurity, e.g., users’ images are run with privileged access, images can be from unknown provenances, controls to reduce the risk an image may cause to both operator and other guests are limited, and managing security updates to images is cumbersome.

To address these issues, this engagement will, (i) identify issues and concerns geared for academic cloud operators and those developing software for cloud resource operators, (ii) survey existing security recommendations that govern generic cloud computing, (iii) aggregate those principals found in (ii) for the issues and concerns affecting academic cloud service providers or develop new principles for secure operation of a cloud resource, including specific measures to achieve those principles, and (iv) disseminate the set of principles to the NSF community to maximize its impact.

The overarching goal of this engagement is to improve cybersecurity for operators and users of academic clouds.

Wednesday, January 31, 2018

DEADLINE EXTENDED: Undergraduate Research Opportunity at IU

UPDATE:  We've extended the application deadline to February 18, 2018.  Please direct any questions to .

The NSF Cybersecurity Center of Excellence (CTSC) is seeking an undergraduate research assistant at Indiana University Bloomington to aid in the development of a software engineering security guide for NSF-funded science and research projects. The student will work under the supervision of Chief Security Analyst Susan Sons to through data on unusually high-impact vulnerabilities across many types of software, as well as on which vulnerabilities most commonly have impact, to and in drawing and explaining conclusions about which types of software weaknesses or development problems should be focused on in developer education and in the first security evaluations on software in an unknown security state.

The student’s work would be comprised of about 60% mining existing databases on software weaknesses and vulnerability reports, about 20% writing up results on that process, with a focus on the top vulnerabilities, and about 20% fleshing out the teaching materials by integrating feedback from outside reviewers and information gained from testing various software tools’ abilities to identify these selected top vulnerabilities.

The student will be appropriately credited, based on work completed, in the final publication.

Schedule and Compensation:

Work will commence in mid February (schedule flexible) with conclusion in May 2018. The student will be expected to work 20 hours per week on a flexible schedule for a $300/week stipend for up to 22 weeks. Primary place of work is the IU Innovation Center at 2719 E Tenth Street, with remote work possible.

Required skills:
  • Experience using an appropriate programming language (e.g. Python or Perl) to search text and database records for information.
  • Ability to take on moderately-sized technical writing tasks.
  • Excellent task management skills: ability to take on tasks or projects, keep track of relevant information, ask for help when needed, and provide consistent feedback on project status with attention to quality and deadlines.
  • Interest in cybersecurity (experience a plus but not required).

Application Process:

Applications will be reviewed by a committee from CTSC, with a decision to be made by February 9th. Candidates should email the following information to Susan Sons,, by 5pm Eastern on February 18th, 2018:
  1. University Transcripts
  2. Letter of Recommendation from a faculty member
  3. A 250-300 word essay answering “How will this experience benefit me?”
  4. A 250-300 word essay answering “What are my expectations for this experience?”
Applications will be reviewed by a panel of CTSC Analysts.

Tuesday, January 30, 2018

SGCI Webinar Feb. 14th at 1pm ET: Cybersecurity for the Modern Science Gateway.

CTSC's Von Welch and Mark Krenz are presenting the talk "Cybersecurity for the Modern Science Gateway" on February 14th at 1pm (Eastern) for the Science Gateway Community Institute's (SGCI) February Webinar.

Please register here.

  Science Gateways may be varied in their individual design and purpose, but can all benefit from a commonly used approach to Cybersecurity. Join security experts from the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) as they present an easy to follow overview of the resources available to start or improve your gateway's cybersecurity program. From this presentation you will learn the three key cybersecurity aspects that science gateways share as well as the three goals your program should strive to achieve in cybersecurity program. An overview of techniques and tools will be shown to provide guidance to those not focused on cybersecurity, but wishing to address it's challenges.

This talk is presented by Von Welch and Mark Krenz. Von Welch is the Director and PI of the Center for Trustworthy Scientific Cyberinfrastructure and Director of the Center for Applied Cybersecurity Research at Indiana University. Mark Krenz is the Lead Security Analyst for the Center for Applied Cybersecurity Research at Indiana University.

Thursday, January 25, 2018

Cyberinfrastructure Vulnerabilities 2017 Q4 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to CTSC's mailing lists.

We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the CTSC mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise.

Some of the sources we monitor for possible threats to CI include:

In 4Q2017 the Cyberinfrastructure Vulnerabilities team issued the following 3 vulnerability alerts to 87 subscribers:

If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through This mailing list is public and the archives are available through

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at

Monday, January 15, 2018

CCoE Webinar Jan. 29th at 11am ET: Security Program at LSST

NCSA's Alex Withers is presenting the talk "Security Program at LSST" on January 29th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The concept behind the Large Synoptic Survey Telescope (LSST) is simple: conduct a digital image-based survey over an enormous area of the sky and build an extensive astronomical catalogue over the course of ten years. LSST’s astronomical data is the ultimate deliverable to its users. This unique scientific computing environment presents many cyber security challenges. LSST has in place a cyber security program to facilitate its scientific mission: to protect its data access requirements and rights. We will discuss the beginnings of LSST’s cyber security program, adoption and experience with its risk management framework, existing and planned security operations at LSST sites, including the observatory site in Chile and the National Center for Supercomputing Operations (NCSA).

This talk is presented by Alex Withers. Alex is a Senior Cybersecurity Engineer at the National Center for Supercomputing Applications (NCSA). He is the Information Security Officer for the Large Synoptic Survey Telescope (LSST). He is also a PI and co-PI for a number of NSF-funded cybersecurity projects.
Presentations are recorded and include time for questions with the audience.

Join CTSC's announcments mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Thursday, January 4, 2018

CTSC Collaboration with NSF Campus Cyberinfrastructure and CyberTraining Projects

CTSC's Warren Raquel and Mark Krenz at the Great Plains Network & Greater Western Library Alliance training in June 2017
NSF's 2018 solicitation for Campus Cyberinfrastructure (CC*) projects states that the "Campus CI plan should address the campus-wide approach to cybersecurity in the scientific research and education infrastructure," and NSF's 2018 solicitation for CyberTraining projects highlights the need for "training and certification of CI Professionals in cybersecurity technology and management for advanced CI-enabled research."

CTSC resources and staff are available to assist Campus Cyberinfrastructure and CyberTraining projects with cybersecurity plans and training, via one-on-one engagements and other CTSC activities. For example, CTSC recently engaged with the University of New Hampshire Research Computing Center (funded in part by the NSF CC*DNI program).

Our cybersecurity program guide provides recommendations and templates for establishing and maintaining cybersecurity programs. Our online training materials and webinars cover many cybersecurity topics tailored to the NSF CI community. CTSC staff are available to participate in training events as our schedule and travel budget allows. We can also assist with disseminating announcements about training events and training materials to the community. Our annual cybersecurity summit provides a venue for training sessions for cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community.

If you are preparing a Campus Cyberinfrastructure or CyberTraining proposal to address cybersecurity needs, please see our guidance on including CTSC in a proposal and don't hesitate to contact us to discuss how CTSC can help.