Announcing the Publication of v2 of the Trusted CI OT Procurement Matrix & Companion Guide

Last year, the Secure by Design team announced the publication of the first version of the Trusted CI OT (Operational Technology) Procurement Matrix. After gathering feedback from maritime operational technology practitioners and some of their vendors, we have published an updated version of the Matrix and a companion Guide to further assist the OT community.  

The Guide can be found here: https://doi.org/10.5281/zenodo.13743314

The purpose of the Matrix is to assist those in leadership roles during the procurement process. It’s meant to help formulate questions for vendors to discuss security controls on devices that will be used for maritime research. The Matrix includes a list of controls, requirements for the control, potential questions for vendors, tips, and real world examples justifying a given control.    

The updates to v2 of the Matrix includes columns for ISO/IEC 27000 family and the ISA/IEC 62443 Series of Standards.

The updated version of the Matrix can be found here: https://doi.org/10.5281/zenodo.13830599

We have already seen positive impacts from this document. “Even at our project stage of construction, where a majority of OT procurements are complete and fulfilled, we find the OT Vendor Procurement Matrix to continue to be useful," Christopher Romsos, Datapresence Systems Engineer for the Regional Class Research Vessel (RCRV) said. "Despite having contracts in place and work well underway at the time the matrix was published, we realized that the OT Vendor Procurement Matrix could be leveraged as a discovery tool to inform our Cyber Risk Management Planning needs. We're in a more informed position now for our CRMP activities because the matrix provided us with something we could easily use in the field and that was designed to assess cyber risk in OT systems,” he said.

The Secure by Design team will be moderating a panel for in-person attendees later this week at the NSF Cybersecurity Summit. The Matrix will surely come up as a discussion topic.

Cybersecurity Center of Excellence Receives Five-Year, $6M/Year Award From NSF

The U.S. National Science Foundation has awarded Trusted CI, the NSF Cybersecurity Center of Excellence, a five-year, $6-million per-year award to run through September 2029. Lawrence Berkeley National Laboratory (Berkeley Lab) will now serve as Trusted CI’s central steward.

Trusted CI empowers trustworthy discovery and innovation funded by NSF by partnering with cyberinfrastructure (CI) operators to build and maintain effective cybersecurity programs that secure the progress of NSF-funded research. The center started in 2012 and consists of a multi-institutional, cross-functional team that addresses the complex challenges facing the NSF’s cyberinfrastructure research ecosystem. 

Read more in the press release.

To learn more about the Trusted CI Framework, the NSF Cybersecurity Summit, regional Summits, and Trusted CI’s other activities and resources, please read this expanded announcement and learn more on expanded announcement.

Trusted CI Webinar: JSON Web Tokens for Science: Hands on Jupyter Notebook tutorial, Monday August 26th @10am Central

SciAuth's Jim Basney and Derek Weitzel are presenting the talk, JSON Web Tokens for Science: Hands on Jupyter Notebook tutorial, on August 26th at 10am, Central time.

Please register here.

NSF cyberinfrastructure is undergoing a security transformation: a migration from X.509 user certificates to IETF-standard JSON Web Tokens (JWTs). This migration has facilitated a re-thinking of authentication and authorization among cyberinfrastructure providers: enabling federated authentication as a core capability, improving support for attribute, role, and capability-based authorization, and reducing reliance on prior identity-based authorization methods that created security and usability problems. In this webinar, members of the SciAuth project (https://sciauth.org/ - NSF award #2114989) will provide a short, hands-on tutorial for cyberinfrastructure professionals to learn about JWTs, including SciTokens (https://scitokens.org/ - NSF award #1738962). Participants will use Jupyter Notebooks to validate the security of JWTs and experiment with JWT-based authentication and authorization. Participants will gain an understanding of JWT basics suitable for understanding their security and troubleshooting any problems with their use.

Speaker Bios: 

Dr. Jim Basney is a principal research scientist in the cybersecurity group at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign. He is the Director and PI of Trusted CI. Jim received his PhD in computer sciences from the University of Wisconsin-Madison.

Dr. Derek Weitzel is a research assistant professor in the School of Computing at the University of Nebraska - Lincoln. He has been providing distributed computing solutions to the national cyberinfrastructures since 2009. He is a member of the OSG’s production operations team and leads the operations of the National Research Platform. His current areas of research involve distributed data management for shared and opportunistic storage, secure credential management, and network monitoring and analytics.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Registration is open for the 2024 NSF Cybersecurity Summit!

Registration is open for the 2024 NSF Cybersecurity Summit! Please join us at Carnegie Mellon University in Pittsburgh, PA from October 7-10. If you are unable to join in person, please register to join virtually instead. Attendees will include cybersecurity practitioners, technical leaders, and risk owners from within the NSF Major Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and cybersecurity communities. The Summit provides a forum for National Science Foundation (NSF) funded scientists, researchers, cybersecurity, and cyberinfrastructure (CI) professionals, and stakeholders to develop a community and share best practices. The Summit will offer attendees training sessions and workshops with hands-on learning of security tools, security program development, and compliance for research. 

Please register by September 20. 

Thank you on behalf of the Program and Organizing Committees. We look forward to seeing you there!

Cyberinfrastructure Vulnerabilities 2024 Annual Report

Since 2014, Trusted CI (formerly the Center for Trustworthy Scientific Cyberinfrastructure, a.k.a., CTSC) has delivered concise announcements on critical vulnerabilities that affect the software and cyberinfrastructure (CI) of higher education and scientific research communities. The alerting service began informally in 2014 at Indiana University with the creation of two mailing lists specific to software and infrastructure vulnerabilities. In 2016, the process was formalized by the NSF solicitation for the Cybersecurity Center of Excellence (CCoE) which called for "situational awareness of the current cyber threats to the research and education environment, including those that impact scientific instruments." The two mailing lists were merged and a more formalized process of monitoring external information sources for potential threats was established. These information sources included:

• US-CERT advisories
• RHEL/EPEL advisories
• REN-ISAC Alerts and Advisories
• Security announcements from open source projects such as OpenSSL and OpenSSH
• Announcements from CI projects such as XSEDE, ACCESS CI, Globus, and OSG
• Social media sites such as X/Twitter and Reddit (/r/netsec and /r/cybersecurity)
• News sources such as The Hacker News, Threatpost, The Register, Naked Security, Slashdot, Krebs on Security, SANS Internet Storm Center, and Schneier on Security

The Trusted CI team monitored these sources for vulnerabilities, then determined which ones were of critical interest to the CI community. While there were many cybersecurity issues reported in the news, we strove to alert on issues that affected the CI community in particular. For issues that warranted alerts to the Trusted CI mailing list, we provided guidance on how operators and developers could reduce risks and mitigate threats.

In April of 2024, the Cyberinfrastructure Vulnerabilities alerting service was replaced by the OmniSOC Community Advisory. This semi-monthly newsletter highlights current events and information security news aimed at the research cyberinfrastructure community. We encourage the Trusted CI community to subscribe to the OmniSOC newsletter by sending email to omnisoc-community-advisory-l-subscribe@iu.edu . Additionally, users are encouraged to subscribe to other CVE/vulnerability announcement lists, including:

• CISA
• SANS
• NIST National Vulnerability Database
• OpenCVE

In the first quarter of 2024, the Cyberinfrastructure Vulnerabilities team discussed 11 vulnerabilities and issued 4 alerts to 188 subscribers. Since 2014, the team has issued nearly 200 alerts to the community. 

The archives of alerts issued since 2017 are available here and here.

Trusted CI helps FABRIC build secure scientific infrastructure

Trusted CI has posted a new success story on its collaboration with FABRIC, a national-scale testbed that is providing a new research infrastructure enabling scientists to share massive amounts of data. As FABRIC was being built in 2021, project leaders turned to Trusted CI, the NSF Cybersecurity Center of Excellence, to ensure they designed security into the project from the beginning. FABRIC continues its involvement with Trusted CI as a member of the Research Infrastructure Security Community. The cohort offers an opportunity to share challenges and solutions with others in the same research space. 

Advancing the Cybersecurity of NSF Cyberinfrastructure: Trusted CI Graduates its Fifth Framework Cohort

Trusted CI’s fifth Framework Cohort, “Echo”, successfully completed the six-month program of training and workshop engagement focused on learning and applying the Trusted CI Framework. Cohort members entered the engagement with a commitment to adopting the Framework at their organizations. They then worked closely with Trusted CI to gather site information and create validated self-assessments of their facility’s cybersecurity programs based on the Framework. Each organization also emerged with a draft Cybersecurity Program Strategic Plan (CPSP) identifying priorities and directions for further refining their cybersecurity programs. Echo cohort included the following research cyberinfrastructure providers:

Advanced Simons Observatory (ASO)
Compact X-ray Free Electron Laser (CXFEL)
Inter-university Consortium for Political and Social Research (ICPSR)
National High Magnetic Field Laboratory
Security and Privacy Heterogeneous Environment for Reproducible Experimentation (SPHERE)
Thirty Meter Telescope International Observatory (TIO)

The foundation of the cohort program is the Trusted CI Framework. The Framework was created as a minimum standard for cybersecurity programs. In contrast to cybersecurity guidance focused narrowly on cybersecurity controls, the Trusted CI Framework provides a more holistic and mission-focused standard for managing cybersecurity. For these organizations, the cohort was their first formal training in the Trusted CI Framework “Pillars” and “Musts” and how to apply these fundamental principles to assess their cybersecurity programs.

Feedback on the program from cohort participants has been strongly positive.

Jim Berhalter, Director of IT for the National High Magnetic Field Laboratory at Florida State University, said: “The Trusted CI cohort has been invaluable to our organization and I would highly suggest participating.  While some of it can be daunting, it was a comprehensive way to structure a cybersecurity plan for our organization and made me think about things I would’ve never thought about for our cybersecurity infrastructure.”

Joe Saul, Privacy and Security Officer, Adjunct Research Assistant Professor for ICPSR at University of Michigan, said: “Participating in the Trusted CI cohort was a rare opportunity. You get to learn from others who are facing some of the same challenges you are, and share your own experiences. You get to work with the Trusted CI team, who have talked to a LOT of other groups in similar situations, and hear their read on how you’re doing. Maybe most importantly, they help you take a step back and evaluate your own program and where you’re going. All of this for free. If you get the chance, jump at it. It’s a lot of work, but you aren’t going to get this anywhere else. And certainly not for free.”

Concurrent with leading Echo, Trusted CI continued quarterly engagement with graduates of the four previous Framework cohorts through the Research Infrastructure Security Community (RISC). Trusted CI established RISC as a community of practice to provide a forum for cohort graduates to exchange cybersecurity experience, best practices, challenges, etc., within the NSF research cyberinfrastructure community.

Trusted CI plans to use the second half of 2024 to implement a number of cohort program improvements based on participant feedback and lessons learned during the previous five cohort engagements. The Framework Team plans to implement improvements that enhance cohort participants' experience and increase potential impacts.

For more information, please contact us at info@trustedci.org.

Labels: cybersecurity programs, framework, major facilities