Wednesday, February 7, 2024

Advancing the Cybersecurity of NSF Major Facilities and National Research Cyberinfrastructure: Trusted CI’s Framework Cohort Achievements in 2023


Trusted CI successfully conducted two more six-month engagements in its ongoing Cybersecurity Framework Cohort Program during 2023, mentoring 11 additional research cyberinfrastructure providers through Framework validated self-assessments and cybersecurity program strategic planning. The cohort during the first half of 2023 comprised representatives from the following NSF major facilities, mid-scale projects, and a scientific consortium:

U.S. Academic Research Fleet (ARF), an NSF major facility
IceCube Neutrino Observatory, an NSF major facility
United States Antarctic Program (USAP), an NSF major facility
Deep Soil Ecotron (DSE), an NSF mid-scale project
Network for Advanced NMR (NAN), an NSF mid-scale project
Giant Magellan Telescope Observatory Corporation (GMTO), a scientific consortium

Five of NSF’s leading high performance computing (HPC) centers composed the cohort during the second half of 2023:

The foundation of the cohort program is the Trusted CI Framework. The Framework was created as a minimum standard for cybersecurity programs. In contrast to cybersecurity guidance focused narrowly on cybersecurity controls, the Trusted CI Framework provides a more holistic and mission-focused standard for managing cybersecurity. For these organizations, the cohort was their first formal training in the Trusted CI Framework “Pillars” and “Musts” and how to apply these fundamental principles to assess their cybersecurity programs.

Cohort members entered the engagement with a commitment to adopting the Framework at their sites. They then worked closely with Trusted CI to gather site information and create validated self-assessments of their organization’s cybersecurity programs based on the Trusted CI Framework. Each site emerged from the program with a draft Cybersecurity Program Strategic Plan (CPSP) identifying priorities and directions for further refining their cybersecurity programs.

Several participants provided feedback on the value of the cohort experience to their organizations.

GMTO’s Sam Chan, IT Director and Information Security Officer, and Efren Sandoval, Cybersecurity Analyst, noted that “...the cohort collaboration process has given us a better understanding of a holistic and mission focused approach to cybersecurity. The cohort collaboration process also brought us together with colleagues from different fields and requirements with similar security controls. Sharing our experiences amongst ourselves helped us learn different approaches to similar areas of concern.”

Michael Wilson, Infrastructure Architect at UConn Health and Cybersecurity Lead of NAN, observed: “As a result of the cohort experience, NAN was not only able to identify gaps in our original cybersecurity implementation plan and significantly advance our cybersecurity posture, but I have also personally expanded my professional network to share and discuss cybersecurity implementation ideas and lessons learned with colleagues from other NSF facilities. While the cohort program demands considerable effort, the NAN executive team found it to be a worthwhile endeavor. I heartily encourage the leadership of NSF facilities that have not yet participated in the cohort training to do so.”

Scott Sakai, Security Analyst at SDSC, found that: “Trusted CI’s Framework cohort provided a supportive environment to explore the strengths and weaknesses of the state of our cybersecurity efforts in the context of the Trusted CI Framework. While strengths were praised, shortcomings and challenges were met with non-judgmental, matter-of-fact discussion rather than punitive shaming: a response that promotes a path to resolution and understanding.”

Mr. Sakai also noted that: “Importantly, the Trusted CI Framework, and guidance from the Trusted CI cohort team emphasize the significance of governance and mission alignment – two foundational concepts that bring together cybersecurity and leadership, and help formulate what a meaningful dialog between the two might look like. This sets it apart from other approaches to a security program that focus on policy and controls, a difference that will hopefully foster an asset that is approachable and predictable instead of a mysterious line-item expense in the budget.”

In January 2024 Trusted CI began the fifth Framework cohort engagement, whose members include:

Trusted CI is excited to be working with these new sites to advance their understanding and implementation of cybersecurity programs and best practices!

For more information, please contact us at info@trustedci.org.


Wednesday, January 24, 2024

2023 Summit Report Available, Save the Date for 2024 Summit

The report of the 2023 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure is now available on Zenodo for your review.

Mark your calendar for the 2024 NSF Cybersecurity Summit, which will be held for four full days from October 7-10, 2024, at Carnegie Mellon University in Pittsburgh, PA.

Like last year, Trusted CI is inviting other groups to schedule full-day training on Monday, October 7, that may interest our community. Tuesday through Thursday will include a mix of plenary and shorter training sessions and workshops. If your organization is interested in providing a full-day training session on October 7, please contact the Summit organizers at summit@trustedci.org and include "full-day training" in the subject line.

To stay updated and receive more information about the Summit, please check our website, 2024 NSF Cybersecurity Summit, follow the Trusted CI blog, or subscribe to our announcement email.

If you have any questions, please don't hesitate to contact us at summit@trustedci.org.

Thank you, and we look forward to seeing you at the Summit!


Thursday, January 4, 2024

Cyberinfrastructure Vulnerabilities 2023 Annual Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is freely available by subscribing to Trusted CI's mailing list (see below).

We monitor a number of sources for vulnerabilities, then determine which ones are of critical interest to the CI community. While there are many cybersecurity issues reported in the news, we strive to alert on issues that affect the CI community in particular. These issues are identified using the following criteria:

  • the affected technology's or software's pervasiveness in the CI community
  • the technology's or software's importance to the CI community
  • the type and severity of a potential threat, e.g., remote code execution (RCE)
  • the threat's ability to be triggered remotely
  • the threat's ability to affect critical core functions
  • the availability of mitigations

For issues that warrant alerts to the Trusted CI mailing list, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with ACCESS, Open Science Grid (OSG), and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and maximize benefit from community expertise. Sources we monitor for possible threats to CI include the following:

In 2023 the Cyberinfrastructure Vulnerabilities team discussed 43 vulnerabilities and issued 26 alerts to 187 subscribers.

You can subscribe to Trusted CI's Cyberinfrastructure Vulnerability Alerts mailing list by sending email to cv-announce+subscribe@trustedci.org. This mailing list is public and its archives are available at https://groups.google.com/a/trustedci.org/g/cv-announce.

If you have information on a cyberinfrastructure vulnerability, let us know by sending email to alerts@trustedci.org.

Friday, December 15, 2023

Trusted CI Webinar Series: Planning for 2024, review of 2023

The 2023 season of the Trusted CI Webinar series has concluded and we are looking forward to the presentations scheduled in the next year.

We are currently booking the 2024 season. See our call for presentations to submit a request to present.


In case you missed them, here are the webinars from 2023: 

  • January ’23: Real-Time Operating System and Network Security for Scientific Middleware with Gedare Bloom (NSF Award #2001789) (Video)(Slides)
  • February ’23: Security Program for the NIH’s Common Fund Data Ecosystem with Rick Wagner (Video)(Slides)
  • March ’23: Mutually Agreed Norms for Routing Security (MANRS) with Steven Wallace (Video)(Slides)
  • April ’23: Advanced Cyberinfrastructure Coordination Ecosystem: Services and Support (ACCESS) with Derek Simmel (NSF Award #2138296) (Video)(Slides)
  • May ’23: Deception Awareness and Resilience Training (DART) with Anita Nikolich (NSF Award #2230494) (Video)(Slides)
  • June ’23: SecureMyResearch with Will Drake, Tim Daniel, and Anurag Shankar (Video)(Slides)
  • July ’23: The Technical Landscape of Ransomware: Threat Models and Defense Models with Barton Miller and Elisa Heymann (Video)(Slides)
  • August ’23: Leveraging Adaptive Framework for Open Source Data Access Solutions with Jeremy Grieshop (Video)(Slides)
  • September ’23: Improving the Privacy and Security of Data for Wastewater-based Epidemiology with Ni Trieu (NSF Award #2115075) (Video)(Slides)
  • December 4th: Enhancing Integrity and Confidentiality for Secure Distributed Data Sharing (Open Science Chain) with Subhashini Sivagnanam (NSF Award #2114202) (Video)(Slides)

Join Trusted CI's announcements mailing list for information about upcoming events. Our complete catalog of webinars and other presentations are available on our YouTube channel. See our call for presentations to submit a request to present. For questions or feedback, email us at webinars@trustedci.org.

Announcing publication of the Operational Technology Procurement Vendor Matrix

RCRV Photo: The Glosten Associates

The Trusted CI Secure by Design team has completed work on “The Operational Technology Procurement Vendor Matrix.” The purpose of this document is to assist those in leadership roles during the procurement process. It’s meant to help formulate questions for vendors to discuss security controls on devices that will be used for maritime research.

The matrix includes a list of controls, requirements for the control, potential questions for vendors, tips, and real world examples justifying a given control.

For example, Item #3 in the matrix is an inventory requirement stating that security vulnerabilities in vendor-provided software must be patched. The Threat Actor Example we cite to justify the requirement is the WannaCry ransomware outbreak. We include an example question that could be used when discussing the requirement with the vendor.

The document can be viewed and downloaded here (Note: The file is available in many formats):

https://zenodo.org/doi/10.5281/zenodo.10257812

This document represents the work of many people, including critical feedback from maritime operational technology practitioners (Scripps Institution of Oceanography’s CCRV, and Oregon State University’s RCRV and OOI). We are grateful for their contributions to this effort.

Our goal is to share this matrix and continue to develop its utility after receiving feedback from the Trusted CI community. To contact us, email info@trustedci.org.

Wednesday, December 6, 2023

Student Program at the 2023 NSF Cybersecurity Summit

In October, we hosted our annual NSF Cybersecurity Summit, which was a hybrid event hosted at Berkeley Lab. Our student program welcomed nine students to attend the in-person training sessions, present posters, network with fellow attendees, and introduce themselves to our community. We also matched students with mentors to help facilitate networking opportunities.

We give special thanks to our mentors: Ishan Abhinit, Jim Basney, Phuong Cao, Eric Cross, Wei Feinstein, Mark Krenz, Jim Marsteller, Sean Peisert, Kelli Shute, and Susan Sons.

We asked the students to share their thoughts on their experiences at the Summit. Below are their responses. These statements have been lightly edited for clarity.

Chad Callegari, University of South Alabama:
My experience at the 2023 Trusted CI Cybersecurity Summit completely exceeded my expectations in the best ways possible. I had never attended a conference before this event, and as a student it was initially intimidating to be in a new environment with professionals from the field. I quickly learned just how inviting everyone at the event was, and everyone quickly made the environment one that I could feel comfortable in. I was able to learn so many new things from the trainings that were put on, and meet so many great people, both other students and professionals. The event allowed me to learn about the different opportunities that I had not ever known about before, and I was also able to talk with many of these professionals about potential opportunities for the future. The event was a great success for me and I hope to participate in other Trusted CI events in the future!

Matheu Fletcher, University of Illinois at Urbana-Champaign:
The summit was a great experience as my first real conference. My biggest personal takeaway was the friendliness and helpful nature of the community present. Similarly, the biggest technical aspect I learned from the event was gaining a better understanding of Zeek, along with various development tools I heard discussed that I can make use of to be more efficient in both work and personal projects. Additionally, I gained a better understanding of the ever-changing balance between creating and detecting AI generated texts.

Robert Johnson, The University of Tennessee at Chattanooga:
I thoroughly enjoyed my experience at the NSF Summit cybersecurity conference held at UC Berkeley. Not only were the surroundings gorgeous, but the organizers and attendees were extremely inviting. The more experienced members went out of their way to speak to first-time attendees providing networking opportunities. I believe it is important for students to familiarize themselves with the experience of attending a professional development conference. I enjoyed many of the talks and remained engaged despite the topics being niche and specific to different areas of cybersecurity. I am grateful to be able to speak with people from a variety of institutions, businesses, and countries and exchange knowledge.

Kaneesha Moore, Mississippi State University:
As a rather curious yet reserved individual, I was delighted to have TrustedCI’s 2023 NSF Cybersecurity Summit as my first professional conference. The atmosphere felt welcoming and inviting, and one could feel the passion for cybersecurity in the air – as cliché as it sounds. The workshops were intriguing and encouraged hands-on participation from other attendees which reinforced the topics discussed during the sessions. It is hard to choose a favorite, but I really enjoyed the workshops on artificial intelligence/machine learning and intrusion detection topics – Zeek, deep machine learning intrusion detection for SCADA (and similar) systems, and tutorials on detecting deepfake messages. It felt like an educational getaway with like-minded individuals who wanted to share and gain knowledge. I thoroughly enjoyed my time, and I hope to attend next year’s conference!

Ololade Odunsi, University of New Haven:
Attending the 2023 NSF Cybersecurity Summit was one of the best decisions I have ever made. I had the opportunity to meet industry professionals who were open to speaking with students and peers about topics they were interested in. From being paired with a mentor, to learning hands-on cybersecurity workshops and listening to seminars - the summit could not have been more value packed. I especially enjoyed the opportunity to present my poster on my background and projects I have worked on to the attendees, who were attentive and supportive.

Henry Schmidt, University of Arkansas:
I had a great experience at the Trusted CI NSF Cybersecurity Summit. It was fantastic to see and talk to the wide array of individuals who came to the conference. There was a considerable variety of seminars, talks, and workshops to attend. I liked in particular the talk on deep learning IDS by Dr. Ismail from Tennessee Tech as well as the security log analysis workshop by Mark Krenz, Ishan Abhinit, and Phuong Cao. It was a pleasure to talk with the other students and professionals from around the world at the conference. Everyone was genuinely interested in the work other people were doing in the cybersecurity space. Thank you to everyone that stopped by my poster to talk with me about the work that CyberHogs is doing with RazorHack Cyber Challenge at the University of Arkansas! I look forward to reaching out to everyone and carrying these connections with me as I move forward in my academic and professional career.

The Student Program has continued to be a very rewarding experience for us. If you are interested in becoming a mentor next year, please contact us at summit@trustedci.org.

Monday, November 20, 2023

Trusted CI Webinar: Open Science Chain, Dec. 4th @11am Eastern

San Diego Supercomputer Center's Subhashini Sivagnanam is presenting the talk, Open Science Chain - Enabling Integrity and Metadata Provenance for Research Artifacts Using Open Science Chain, on December 4th at 11am Eastern time.

Please register here.

The envisioned advantage of sharing research data lies in its potential for reuse. Although many scientific disciplines are embracing data sharing, some face constraints on the data they can share and with whom. It becomes crucial to establish a secure method that efficiently facilitates sharing and verification of data and metadata while upholding privacy restrictions to enable the reuse of scientific data. This presentation highlights our NSF-funded Open Science Chain (OSC) project, accessible at https://www.opensciencechain.org. Developed using blockchain technologies, the OSC project aims to address challenges related to the integrity and provenance of research artifacts. The project establishes an API-based data integrity verification management service for data-driven research platforms and hubs, aiming to minimize data information loss and provide support for managing diverse metadata standards and access controls.

Speaker Bio:

Subhashini Sivagnanam is the manager of the Cyberinfrastructure Services and Solutions (CISS) group at the San Diego Supercomputer Center/UCSD. Her research interests predominantly lie in distributed computing, cyberinfrastructure development, scientific data management, and reproducible science. She serves as the PI/Co-PI on various NSF/NIH projects related to scientific data integrity and developing cyberinfrastructure software. Furthermore, she oversees the management of UC San Diego’s campus research cluster known as the Triton Shared Computing Cluster.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."