Tuesday, December 11, 2018

CCoE Webinar Series: Looking toward 2019, review of 2018

The 2018 season of the Trusted CI Webinar series has concluded and we are looking forward to the presentations scheduled in the next year.

The following topics and speakers have been booked in 2019:
(Webinars are scheduled the 4th Monday of the month at 11am Eastern time.)
  • January 28th: The Research Security Operations Center (ResearchSOC with Von Welch and RSOC leadership team
  • March 25th: SecureCloud with Casimer DeCusatis
  • April 22nd:  Supporting Controlled Unclassified Information with a Campus Awareness and Risk Management Framework with Justin Yang and colleagues
  • May 27th: Robust and Secure Internet Infrastructure for Scientific Collaboration with Amir Herzberg
  • June 24th: The Trusted CI Framework: An Architecture for Cybersecurity Programs with Trusted CI
  • July 22nd: Campus Infrastructure for Microscale, Privacy-Conscious, Data-Driven Planning with Jason Waterman
  • August 26th: Pegasus and IRIS with Anirban Mandal
  • December 9th: The DDIDD project with John Heidemann and colleagues
We still have openings for the months of February, September, and October.  See our call for presentations for more information.

In case you missed them, here are the webinars from 2018:
  • February: SMARTDATA Blockchain with Murat Kantarcioglu (Video)(Slides
  • March: Data Quality & Security Evaluation Framework Dev. with Leon Reznik & Igor Khokhlov (Video)(Slides)
  • April: Toward Security-Managed Virtual Science Networks with Jeff Chase and Paul Ruth (Video)(Slides)
  • May: General Data Protection Regulation (GDPR) with Scott Russell (Video)(Slides)
  • June: Security Program at LSST with Alex Withers (Video)(Slides
  • July: Trustworthy Computing for Scientific Workflows with Mayank Varia and Andrei Lapets (Video)(Slides)
  • August: NIST 800-171 Compliance Program at University of Connecticut with Jason Pufahl (Video)(Slides)
  • September: SCI Trust Framework with David Kelsey (Video)(Slides)
  • October: Urgent Problems and (Mostly) Open Solutions with Jeff Spies (Video)(Slides)
  • December: December ’18: Best Practices for Academic Cloud Service Providers with Rion Dooley (Video)(Slides)
Join CTSC's announcements mailing list for information about upcoming events. Our complete catalog of webinars and other presentations are available on our YouTube channel.

Wednesday, November 28, 2018

Trusted CI Webinar December 10th at 11am ET: Security Best Practices for Academic Cloud Service Providers with Rion Dooley

Rion Dooley is presenting the talk "Security Best Practices for Academic Cloud Service Providers" on Monday December 10th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
A “cloud resource” provides a hosted, self-service means for users to run virtual machines or containers such that they can have a custom software stack and isolation from other users. Virtual machines or container images can be curated and provided by the cloud resource operator, provided by the user, or provided by third parties.

Operating a cloud resource involves addressing security requirements of multiple stakeholders: those of the resource operator and those of the resource user.  These parties may have different incentives related to security as well as different levels of acumen. Operators may at times run images whose trustworthiness is not established and grant users privileged access within their running image that would be uncommon on non-virtualized computing resources.  Moreover, users, with their elevated privileges, can misconfigure services, expose sensitive data or choose protocols/solutions that offer less security for the sake of installation or operating costs. These factors can lead to an environment that, by its nature, is difficult to secure.

A community consisting of The Agave Platform, Cornell University Center for Advanced Computing, CyVerse, Jetstream and Trusted CI collaborated in authoring a set of Security Best Practices for developing in, and operating an academic cloud resource.  
In this webinar, we will discuss the nine use cases they deemed most important to academic cloud services.

This webinar will be relevant to cloud users, evangelists, and providers. All are encouraged to join and contribute to the conversation.

The full white paper is available online at http://hdl.handle.net/2022/22123.

Speaker Bio:
Rion Dooley is the Director of Platform Services and Solutions at Data Machines Corp. He has 15 years experience integrating emerging tech with HCP environments to build solutions that make it easier to conduct open, digital science. His prior research includes projects in the areas of cloud computing and security. He serves as PI for the Agave Project, and is active in the Open Source community.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, October 17, 2018

Trusted CI Extended through 2019, Trusted CI Expansion, ResearchSOC, and Hiring!

Dear Trusted CI community,

I’m writing to share a number of pieces of Trusted CI news, starting with the great news that Trusted CI, through the funding of a supplemental proposal from NSF, has been extended through 2019. This funding is also going to expand Trusted CI’s team and activities in a number of important ways:

  • Dr. Dana Brunson of Oklahoma State is joining Trusted CI to lead a new Fellows Program. This will broaden Trusted CI’s impact to underrepresented groups, NSF Ten Big Ideas, and across NSF directorates.

  • Florence Hudson has joined Trusted CI to lead efforts to foster transitioning cybersecurity research to practice. She has already been in touch with a number of you in identifying cybersecurity gaps in our community that research could fill. If you have ideas in this area, please share them to ttp@trustedci.org.

  • Dr. Sean Peisert of Lawrence Berkeley National Laboratory will be joining Trusted CI to advance the Open Science Cyber Risk Profile and integrate it with the new Trusted CI Framework.

I shared some additional details on this expansion as well as Trusted CIs accomplishments on a recent NSF OAC webinar.

I’m also excited to announce the funding of the ResearchSOC. Funded as a collaborative security response center under NSF CICI 18-547, ResearchSOC will be led by myself, and my Trusted CI co-PI Jim Marsteller, along with colleagues from Duke, Indiana University, and the University of California San Diego. ResearchSOC and Trusted CI will be closely coordinated in delivering cybersecurity leadership and operational services respectively. For more details on the ResearchSOC, please see my recent presentation at the CICI PI meeting.

I also want to congratulate Trusted CI co-PI Craig Jackson on his new project, PACT, supported by $2m of funding from the Department of Defense to undertake assessments for the DoD community. On a bittersweet note, this means he will be reducing his time on Trusted CI and stepping down as a co-PI. Craig has been instrumental in that role in Trusted CI’s success and I thank him for his contributions and leadership. This project will be piloting assessments soon with an open call, so check out that unique opportunity for an in-depth cybersecurity assessment.

Finally, if Trusted CI or ResearchSOC sounds like something you would enjoy being a part of it, we have multiple positions open at Indiana University to be part of the CACR team and contribute to Trusted CI and our other activities. Please consider applying and sharing with those who may be interested.

Thanks to all the community for their support that makes Trusted CI possible. We look forward to continuing to serve you in meeting the cybersecurity needs of your trusted science.

Von Welch
Director and PI, Trusted CI, the NSF Cybersecurity Center of Excellence
Director, Indiana University Center for Applied Cybersecurity Research

Tuesday, October 9, 2018

Trusted CI Webinar October 22nd at 11am ET: Urgent Problems and (Mostly) Open Solutions with Jeff Spies

Jeffrey Spies is presenting the talk "Urgent Problems and (Mostly) Open Solutions" on Monday October 22nd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
We're at an important stage in the history of science. The internet has dramatically accelerated the pace and scale of communication and collaboration. We have the computational resources to mine and discover complex relationships within massive datasets from diverse sources. This will usher in a new era of knowledge discovery that will undoubtedly lead to life-saving innovation, and access to content is paramount. But how do we balance transparency and privacy or transparency and IP concerns? How do we protect data from being selectively deleted? How do we decide what to make accessible with limited resources? How do we go from accessible to reusable and then to an ecosystem that fosters inclusivity and diversity?

And what if we no longer own the content we'd like to be made accessible? Such is the case with most journal articles. Skewed incentives have developed around centuries-old publishing practices that reward what is publishable rather than what is rigorous, reproducible, replicable, and reusable. In exchange for publications, we assign our copyrights to publishers, who then lease access back to us and our institutions at ever-increasing prices. And now publishers are turning their eyes--and very large profit margins--towards capturing the rest of the research workflow, including data and analytics. In contrast to the societal-level change that could occur if this research content were in an environment that maximized innovation and reuse, this is very dangerous.

This talk will discuss these urgent problems and the psychology that makes fixing them easier said than done as well as propose a practical, incremental approach to solving them via decentralized technologies, policy, and respect for researcher workflow.

Speaker Bio:
Jeffrey Spies is the founder of 221B LLC, a strategic consulting firm combining expertise in research technology, methodology, and workflow to accelerate projects across higher-ed. Previously, he co-founded and served as the CTO of the Center for Open Science, a non-profit formed to maintain his Open Science Framework. Jeff has a Ph.D. in Quantitative Psychology from the University of Virginia.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Thursday, October 4, 2018

An Open Science Cybersecurity Program Framework

In 2014, Trusted CI published a “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects,” also known simply as “the Guide”. Since its creation, Trusted CI has received tremendous community feedback attesting to its usefulness, including half of the respondents in the most recent Community Survey adopting it as a form of guidance for shaping their cybersecurity programs. As we observed the open science community’s interaction with the original document, it became apparent that improvements and revisions could make it more maintainable and thus more readily kept up-to-date, more applicable to a wider range of science projects, and more approachable to scientists and PIs, all without losing any of its technical value.
Based on our experience interacting with engagements, lively training sessions, the Summit, and the benchmarking survey, we knew we needed to spell out the basic realities of building a cyber program in a way that addressed the variability we’ve observed in the community. During a substantial revision of the training on the Guide for PEARC’18, it became clear that what was needed was not just a guide, but a framework for establishing and maintaining an open science cybersecurity program at any project scale and stage in a project’s lifecycle. Such a framework would be useful even for projects having significant compliance requirements (e.g., FISMA, HIPAA, NIST SP 800-171) in that it provides a starting point for evolving a cybersecurity program rather than hundreds of pages dense with unprioritized requirements. Work on revising the Guide into a framework and addressing the above goals began in earnest earlier this year and builds on efforts assisting NSF in drafting a cybersecurity section for the Large Facilities Manual. The current schedule calls for a first draft to be available in November 2018, and version 0.9 to be available in January 2019, with the publication of version 1.0 in March 2019. An additional blog posting and announcement will be made at those milestones and community feedback is strongly encouraged. We need your feedback to help us get this right!

Preview of the Framework

Trusted CI’s framework is built around four pillars: Mission Alignment, Governance, Resources, and Controls. Like the pillars supporting any structure, all are vital and required for an efficient and effective cybersecurity program.

Mission Alignment:

Cybersecurity programs ultimately exist to improve productivity by protecting the interests of the project’s mission. The program must center on appropriate protection for the information assets vital to the project’s mission. The information assets that are critical will change over a project’s life cycle, so the accuracy of the information asset inventory is a basic requirement. To simplify understanding the protection requirements of the information assets, an information classification scheme allows for conceptually grouping assets by the kind of protection required. External requirements may also play a role in the level and type of protection.


Cybersecurity is not just the responsibility of a few but involves project leadership, administrators responsible for information assets, project personnel, and external users. Policies must clearly define the roles and responsibilities for all these contributors to the cybersecurity program. Additional policies are required to address a range of issues from appropriate use to incident handling. Periodic evaluation of the cybersecurity program is necessary to validate that the allocation of resources to controls is effective and efficient for the appropriate protection of project information resources.


People, budgets, tools, and services are all required to operate a cybersecurity program. Finding and retaining people with cybersecurity expertise can be challenging. In addition to technical skills, important traits include the abilities to teach, communicate, and negotiate. Smaller, stand-alone projects without a supporting infrastructure typically spend a higher percentage of the IT budget on cybersecurity due to economies of scale. The actual money might be in a separate cybersecurity budget, but often it is part of some other organizational budget (e.g., the IT budget). Tools and third-party services can help fill gaps in the program but have to be used with care since they can easily place additional strain on both the budget and the need for experienced personnel to effectively use them.


Controls are the safeguards and countermeasures to ensure the appropriate protection of an information asset according to the asset’s information classification. Control selection and implementation are ongoing processes in any cybersecurity program due to technical or organizational changes and the dynamic nature of threats and vulnerabilities. The Center for Information Security (CIS) Controls are widely regarded as an authoritative, reasonable, and prioritized. The first six of these controls are the basic, minimal set that each project must either provide or ensure are provided by a supporting infrastructure. Additional controls enhance the protection for mission-critical systems and data, and systems or data requiring specialized controls (e.g., SCADA systems, software repositories, critical or high-speed scientific data flows).

Cyberinfrastructure Vulnerabilities 2018 Q3 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to Trusted CI’s mailing lists (see below).

We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise.Some of the sources we monitor for possible threats to CI include:

In 3Q2018 the Cyberinfrastructure Vulnerabilities team issued the following 4 vulnerability alerts to 91 subscribers:

If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available at https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Thursday, September 27, 2018

Student Program at the 2018 NSF Cybersecurity Summit

In August we hosted our annual NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure in Alexandria, VA. The Summit included training workshops, plenary talks, and networking opportunities for members of NSF Large Facilities and the CI community.

As Summit attendance and funding grows so has our ability to provide learning opportunities for new members to the community. Last year we launched a student scholarship program to follow through on our goals of outreach and broadening impact. Students apply to the program by sharing their resumes and a brief essay sharing their security interests and what they hope to gain from attending the Summit.

This year we were able to fund the attendance of six students to the Summit. Their names and schools they attend are listed below (see: photo, left to right):
  • Emily Dillon; Master of Science student at Capella University
  • Sanchari Das; PhD student at Indiana University
  • Grant Allard; PhD student at Clemson University
  • Preston Ruff; Bachelor of Science student at New Mexico Institute of Mining and Technology
  • Maggie Ahern; Bachelor of Science student at Lehigh University
  • Leah Dorman; Bachelor of Science student at University of Maine Augusta
We also paired the students with volunteer mentors. We thank them for helping make the students feel welcome at the Summit. Their names and organizations are listed below:
  • Florence Hudson; Trusted CI and Northeast Big Data Innovation Hub
  • Mark Krenz; Trusted CI and Indiana University's CACR
  • Steve Barnet; Wisconsin IceCube Particle Astrophysics Center
  • Susan Sons; Trusted CI and Indiana University's CACR
  • Susan Ramsey; National Center for Atmospheric Research
  • Elisa Heymann; Trusted CI and University of Wisconsin
We asked the students to share some insights into their Summit experience. Their comments are quoted below.

Sanchari Das:

My name is Sanchari and I am a doctoral student in the School of Informatics, Computing, and Engineering at Indiana University Bloomington, specializing in Usable Privacy and Security. I think this summit was a great opportunity to meet researchers and practitioners from other organizations. I thoroughly enjoyed their perspective, and insights in the discipline of cybersecurity and gathered knowledge to pave my future research directions. Given the diverse research areas which was covered, this truly was a golden opportunity to broaden a graduate student's vision, such as myself, understanding more about usable privacy and security.

The NSF cybersecurity summit provided the perfect blend of academicians and those working in industry, who do and preach cybersecurity practices and direct their research accordingly. Given the workshops and talks that was conducted in the summit, it was not limited to discuss cybersecurity infrastructure, but also discussed about the users who are a major part, are affected, and contribute to follow cybersecurity practices. It was one of the gathering where practitioners from the industry likewise joined to discuss around the applications of such research.

As a student I learned about the current challenges in the field of cybersecurity, how usable security and privacy is slowly but surely making its marking where we all aim in not keeping the humans out of the loop but making them aware through simple but informative tools. I also learned how people from different field such as, law (policy makers), software developers, security engineers, academicians can all work together to help build a secure environment to protect data of an organization or individual.

Apart from interesting ideas, I would particularly like to thank my mentor Mark Krenz and Jeannette Dopheide, who made the process smooth and helped me throughout my stay and helped me interact with eminent researchers and practitioners in my field. I enjoyed the workshops I was involved in as well, Susan Son’s insights on the different version controls and monitoring old patches to find loopholes which can be played further was interesting.

I would also like to thank Von Welch, the director of Indiana University’s Center for Applied Cybersecurity Research who is extremely approachable and helps every student to achieve their best in this field through such initiatives.

Grant Allard:

The Trusted CI/NSF 2018 Cybersecurity Summit provides an outstanding opportunity to professionally and scholastically improve my understanding of the key issues in scientific cyberinfrastructure. The Trusted CI leadership team makes you, as a student, feel welcome and helps you to explore the pressing challenges facing the scientific cyberinfrastructure community today. The mentoring initiative associated with the student program is a superb educational tool that helped me put my experience in context and learn from one of the leaders of this field. One of my big takeaways from the week together is the importance that we as students will play to the scientific cyberinfrastructure community as we enter the scientific workforce: cybersecurity is not only a concern for CISOs but for the entire scientific community. The academic community owes a huge debt of gratitude to our CISOs for helping us keep our data secure, accessible, and integral.

I am taking what I learned from this conference and using it to develop a white paper and I identify how I, as an aspiring scholar of public policy, can contribute to the community. This conference also has given me multiple opportunities at my university to meet new people and contribute to new efforts. This experience was exactly how a student program should be--in my opinion--and I highly recommend it to students of all levels or to advisors who are looking to promote their students' growth." 

Preston Ruff:

I enjoyed the close-knit, friendly, and informative experience of the NSF summit. There I was able to test my text parsing skills in a log analysis workshop and I was exposed to the mystery of industrial control systems. Thank you to everyone at Trusted CI for hosting the event. I'm grateful to have met such brilliant people who work to create the cybersecurity systems and policy of tomorrow.

Maggie Ahern:

Attending the NSF 2018 Cybersecurity Summit was a fantastic learning experience. I have always been interested in cybersecurity, but this summit gave insight into the field that I had never been exposed to before. Some of the highlights include Software Engineering Best Practices and Legal Policy on Cybersecurity. I also particularly enjoyed the breakout session we had during lunch where we could discuss different topics of interest. I sat at a table that discussed books with the theme of cybersecurity and I went home with a few recommendations. The Student Program also connected us with a mentor for the duration of the conference. My mentor was incredibly understanding, knowledgeable, and inspiring. She is someone that I really admire and strive to live up to one day. Without this opportunity I probably would not have gotten to meet her, or all the other amazing individuals that I was able to interact with during the summit. All in all, I am incredibly grateful that I was given this opportunity to learn more about this subject and meet new individuals passionate about cybersecurity.

Leah Dorman:

At the NSF Cybersecurity conference, I immediately noticed a coherent understanding of cybersecurity's crucial role in science as well as a collaborative effort to produce trustworthy technology.  The Trusted CI program committee did an excellent job putting on this event and as a student I felt very welcomed and was provided with the information and resources needed to enhance my cybersecurity knowledge and research skills.  The first day was a training day.  I attended Automated Assessment Tools – Theory & Practice which was about injection attacks (one of the most common vulnerabilities) and had hands-on training using source code analysis tools to find code errors and flaws.  Then I attended Security Log Analysis Training which included ideas to improve security logging & monitoring as well as command examples that you can customize on your own logs and how to analyze data and look for patterns.  This hands-on training provided me with valuable experience that would only improve my cybersecurity skills.
The next two days there were several presenters that covered topics such as
  • Security Best Practices for Academic Cloud Service Providers (a big one I took away from this was Identity Access Management-aware Continuous Integration/Continuous Delivery Services)
  • Involving Students in Cybersecurity for CI
  • Silent Librarian (series of phishing attacks)
  • Responding to advanced threats as a global community (building a trust relationship in cybersecurity community)
  • XSEDE lessons learned (importance of multi-factor authentication)
  • Incident Response Communications
  • Password Adventures for a VO
  • A case study on implementing crowdsourced threat intel and active response
Overall, the focus was on being Proactive vs being Reactive; changing the focus of cybersecurity from protecting (specifically against malicious attacks) to enabling - moving beyond the fear of data breach and focusing on how to better enable end users to deal with data theft and how to be ready to respond to events like that.

I am very thankful for the knowledge I gained at this conference. Thank you, Trusted CI, for allowing me to participate as a student and for the engaging conversations and presentations that challenged and enhanced the way I think about cybersecurity.
We were more than impressed with the Student Program this year. Their participation and enthusiasm was a rewarding affirmation of our commitment to community building. We look forward to seeing where their careers take them and sponsoring more students in future.