Monday, January 11, 2021

Trusted CI Webinar: SciTokens: Federated Authorization for Distributed Scientific Computing Mon Jan 25 @11am Eastern

Members of SciTokens are presenting the talk,
SciTokens: Federated Authorization for Distributed Scientific Computing
on Monday January 25th at 11am (Eastern)

Please register here. Be sure to check spam/junk folder for registration confirmation email.

SciTokens (https://scitokens.org/), an NSF CICI project, works to advance the use of bearer tokens and capabilities in distributed scientific infrastructures. It applies the JSON Web Token (JWT) and OAuth standards to the needs of scientific cyberinfrastructure, where widely distributed computing, data, instruments, and software services are harnessed for scientific workflows, requiring an authorization mechanism that is itself distributed. Typically, JWTs are used within a single web application with a single token issuer and verifier, and OAuth 2.0 deployments support only one or a few token issuers, using opaque tokens that must be validated by a callback to the issuing server. In contrast, SciTokens supports many token issuers, each publishing its signing keys, policies, and endpoint URLs via OAuth 2.0 Authorization Server Metadata (RFC 8414), and uses self-describing JWTs rather than opaque tokens. A distributed service can therefore verify a token on its own: it fetches and caches the issuer's published keys, checks the signature, and checks the issuer, audience, and expiry claims, with no callback to the token issuer.

The JWT Profile for OAuth 2.0 Access Tokens is now a draft of the IETF OAuth working group. OAuth token refresh enables long-lived scientific workflows, and OAuth 2.0 Token Exchange (RFC 8693) enables workflow systems to request tokens with reduced privileges, effectively implementing least-privilege delegation across the cyberinfrastructure ecosystem.
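The two paragraphs above describe the verification model (a self-describing JWT checked against keys the issuer publishes, with no callback) and the privilege reduction a workflow system performs through Token Exchange. The Go program below is an added example written for this page, not SciTokens project code, and it uses only the standard library. It assumes an in-memory key map in place of the JWKS a real verifier would fetch from the issuer's metadata, a freshly generated ECDSA key as a stand-in for the issuer's signing key, and made-up issuer, audience and scope strings. It mints an ES256 token on the issuer side, verifies it on the service side (signature by kid, pinned algorithm, iss, aud, exp), and then applies the scope check that decides whether the bearer may read or write a given path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type Claims struct { // subset of the SciTokens claims this example checks
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Scope string `json:"scope"` // space-separated, e.g. "read:/data/ligo write:/data/ligo/out"
}

// JWKS maps kid -> public key, standing in for the key set a verifier fetches (and
// caches) from the jwks_uri listed in the issuer's OAuth Authorization Server Metadata.
type JWKS map[string]*ecdsa.PublicKey

func decodeJSON(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Mint signs claims as an ES256 JWT in JWS compact serialization (the issuer's side).
func Mint(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signing := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S, 32 bytes each, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify validates a token with no callback to the issuer: signature against the published key
// named by kid, then iss, aud and exp. alg is pinned, so "none" or an HMAC alg is rejected early.
func Verify(tok string, keys JWKS, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decodeJSON(parts[0], &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("malformed token or unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub := keys[hdr.Kid]; pub == nil || err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("unknown kid %q or bad signature", hdr.Kid)
	}
	var c Claims
	if decodeJSON(parts[1], &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, fmt.Errorf("issuer %q / audience %q not accepted by this service", c.Iss, c.Aud)
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Authorizes reports whether scope grants op on path: "read:/data/ligo" covers /data/ligo and
// everything below it, nothing else. path must already be canonical; ".." is refused outright.
func Authorizes(scope, op, path string) bool {
	for _, sc := range strings.Fields(scope) {
		if i := strings.IndexByte(sc, ':'); i > 0 && sc[:i] == op {
			p := strings.TrimSuffix(sc[i+1:], "/")
			if !strings.Contains(path, "..") && (path == p || strings.HasPrefix(path, p+"/")) {
				return true
			}
		}
	}
	return false
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the issuer's signing key
	tok, _ := Mint(priv, "k1", Claims{Iss: "https://demo.scitokens.org", Aud: "https://storage.example.org",
		Exp: time.Now().Add(time.Hour).Unix(), Scope: "read:/data/ligo write:/data/ligo/out"})
	c, err := Verify(tok, JWKS{"k1": &priv.PublicKey}, "https://demo.scitokens.org", "https://storage.example.org", time.Now())
	fmt.Println(err, c != nil && Authorizes(c.Scope, "read", "/data/ligo/run1/h.h5"), c != nil && Authorizes(c.Scope, "write", "/data/ligo/in"))
}
```

The audience check is what stops a token minted for one storage service from being replayed against another, and pinning the algorithm is what stops a forged header from downgrading the check. The same Authorizes test is the one a workflow system must apply to the scopes it requests when narrowing a token through Token Exchange: a child scope is acceptable only if the parent token already covers it, so delegation can shrink authority but never widen it. Production deployments should use the project's own SciTokens libraries, which also handle the remaining profile claims and key caching.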

In this webinar, members of the SciTokens project will discuss progress since their 2019 NSF Summit presentation, including the project's latest open source software releases, interoperability with the WLCG Common JWT Profiles, updates from Fermilab, LIGO, XSEDE, and WLCG (presented at the recent TAGPMA Workshop on Token-Based Authentication and Authorization), and support for SciTokens in CILogon and HTCondor.

Speaker Bios: Jim Basney is a Principal Research Scientist in NCSA's Cybersecurity Division, Brian Bockelman is an Investigator at Morgridge Institute for Research, Todd Tannenbaum is a Researcher in Distributed Computing at University of Wisconsin-Madison, and Derek Weitzel is a Research Assistant Professor at University of Nebraska-Lincoln.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

 

Monday, January 4, 2021

Cyberinfrastructure Vulnerabilities 2020 Annual Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is freely available to all by subscribing to Trusted CI’s mailing lists (see below).


We monitor a number of sources for software vulnerabilities of interest, then determine which ones are of the most critical interest to the community. While it is easy to identify issues that have captured the public news cycle, we strive to alert on issues that affect the CI community in particular. These are identified using the following criteria:


the affected technology’s or software’s pervasiveness in the CI community;

its importance to the CI community;

the type and severity of the potential threat, e.g., remote code execution;

whether the threat can be triggered remotely;

whether the threat can affect critical core functions; and

whether a mitigation is available.


For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE, Open Science Grid (OSG), the NSF supercomputing centers, and the ResearchSOC on drafting and distributing alerts, to minimize duplication of effort and maximize benefit from community expertise. Some of the sources we monitor for possible threats to CI include:


OpenSSL and OpenSSH

US-CERT advisories

XSEDE announcements

RHEL/EPEL advisories

REN-ISAC Alerts and Advisories

Social media, such as Twitter and Reddit (/r/netsec and /r/security)

News sources, such as The Hacker News, Threatpost, The Register, Naked Security, Slashdot, Krebs, SANS Internet Storm Center and Schneier


In 2020 the Cyberinfrastructure Vulnerabilities team discussed 50 vulnerabilities and issued 22 alerts to 158 subscribers. Additionally, the team surveyed the community to gauge the team’s impact: 87% of respondents said that the alerts were relevant to their science mission and that they would recommend the service to peers, and all respondents found the alerts concise.


If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available at https://list.iu.edu/sympa/arc/cv-announce-l.


If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Friday, December 18, 2020

Southern Ocean Carbon and Climate Observations and Modeling (SOCCOM) and Global Ocean Biogeochemistry Array (GO-BGC) Complete Trusted CI CyberCheckup

The Southern Ocean Carbon and Climate Observations and Modeling (SOCCOM) project is a $21 million NSF-funded project (OPP 1425989 and OPP 1936222) to instrument the Southern Ocean and make data publicly available.  SOCCOM has deployed nearly 200 robotic profiling floats in the Southern Ocean (south of 30°S). These floats are part of the international Argo network and collect physical, chemical, and biological sensor data from the upper 2000 m of the water column every 10 days. The data are transmitted to shore via the Iridium satellite system. The data are then passed through a series of institutional servers, where the data are fully processed and quality controlled. The resulting science quality data and the raw observations are made available within 24 hours with no restrictions. The data set has been used in more than 100 publications to assess physical, chemical, and biological processes in the Southern Ocean. 

The biogeochemical float array in the Southern Ocean is now expanding to the world ocean with a new NSF sponsored project, the Global Ocean Biogeochemistry (GO-BGC) Array (OCE  1946578).  GO-BGC will deploy 500 robotic profiling floats throughout the ocean.  GO-BGC is funded by a $52.9 million grant from the Mid-scale Research Infrastructure-2 program.  Institutional float operators expand from the University of Washington (UW) in SOCCOM to include Scripps Institution of Oceanography (SIO) and Woods Hole Oceanographic Institution (WHOI).  The Monterey Bay Aquarium Research Institute (MBARI) will maintain the biogeochemical data processing center for both programs.

SOCCOM and GO-BGC staff first used Trusted CI's "Securing Commodity IT in Scientific CI Projects" spreadsheet to evaluate four of their participating institutions, MBARI, UW, SIO, and WHOI. SOCCOM and GO-BGC staff next completed Trusted CI's "Information Security Program Evaluation" questionnaire. This document was used to capture the current state of each of the participant’s information security programs as well as find potential security policy gaps. The output from these two documents will be used by SOCCOM and GO-BGC to better secure their project. In addition to the CyberCheckup, Trusted CI staff walked project members through the use of Trusted CI’s guide to developing cybersecurity programs and the upcoming Trusted CI framework for putting together a comprehensive cybersecurity program.

The SOCCOM data system includes servers at UW, which handle float communications through the Iridium system, data processing for the physical variables (temperature, salinity, and pressure), and transmission of the physical data to the Argo Data Assembly Center in Miami, which is maintained by NOAA. The UW system also links to the network at MBARI, where all of the biogeochemical data is processed and then transmitted to the Argo Data Assembly Center, where it is merged with the physical data. The GO-BGC data system (including float communications, raw data acquisition, data processing and quality control, and data dissemination and archiving) is more complicated, with networks at UW, WHOI, and SIO communicating with floats and distributing data to MBARI for processing. SOCCOM and GO-BGC performed a Trusted CI CyberCheckup to look at their needs for a comprehensive cybersecurity program. The CyberCheckup is an engagee-driven self-evaluation of a project’s cybersecurity readiness. Trusted CI staff provided templates to be used for the CyberCheckup as well as assistance in reviewing the completed templates.

The multi-institutional SOCCOM and GO-BGC projects create a cybersecurity challenge because of the mix of institutional assets, policies, and infrastructure.  To accommodate the multi-institutional nature of the project, a two-tiered approach to cybersecurity will be implemented, which incorporates the practices outlined in the Trusted CI review.  A project level CyberSecurity Team will encompass representatives of each institution.  This team will be led by a CyberSecurity Coordinator from the science staff.   

Each of the institutional members directly involved in the flow of project data will then implement a local team. These local teams will include a cybersecurity professional from the information systems group at each location, a SOCCOM or GO-BGC science team representative, and a member of the SOCCOM or GO-BGC technical staff at the location. The diverse membership of the local teams is intended to ensure professional cybersecurity capabilities, a vision of the scientific requirements for data availability and protection, and a code-level view of the project infrastructure. The local CyberSecurity Teams are responsible for developing a cybersecurity plan that is adapted to their local infrastructure and policies.

The Project CyberSecurity Team coordinates communications between the local teams and ensures that a system-wide review of security and vulnerabilities is conducted.  They ensure that the project-wide data system is functional, meets the broader community needs, and is capable of rapid recovery from a cyber attack. The Project CyberSecurity Team will conduct periodic reviews and tests (“fire drills”) of the local plans.  

As noted by Ken Johnson, the GO-BGC PI at MBARI, “The Trusted CI CyberCheckUp has been a really important mechanism for us to review a critical path that often gets overlooked.  Our program will be a lot stronger as a result of the review.”

Now available: An “early look” at three additional chapters from the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators

Following the earlier release of the Must 15 v0.9, Trusted CI has released additional v0.9 chapters from the forthcoming Trusted CI Framework Implementation Guide (FIG) for Research Cyberinfrastructure Operators (RCOs). The chapters are:


Must 3: Organizations must establish and maintain documentation of information assets. 

 

Must 4: Organizations must establish and implement a structure for classifying information assets as it relates to the organization’s mission. 

 

Must 16: Organizations must select and deploy additional and alternate controls as warranted. 


These chapters provide RCOs with roadmaps and advice on addressing fundamental steps toward establishing a mature cybersecurity program. The chapters are the result of Trusted CI’s years of accumulated experience conducting research, training, assessments, consultations, and collaborating closely with the research community. They have been reviewed and vetted by the Framework Advisory Board. 


Trusted CI will publish v1.0 of the complete FIG on March 1, 2021.


Read on to learn more. For the latest information about the Framework, please see https://www.trustedci.org/framework and consider subscribing to Trusted CI’s announce email list. For inquiries, please contact info@trustedci.org.


About the Trusted CI Framework


The Trusted CI Framework is a tool to help organizations establish cybersecurity programs. In response to an abundance of guidance focused narrowly on cybersecurity controls, Trusted CI set out to develop a framework that would empower organizations to confront their own cybersecurity challenges from a mission-oriented and full organizational lifecycle perspective. Trusted CI’s mission is to lead the development of an NSF Cybersecurity Ecosystem that enables trustworthy science; within that mission, the Framework fills a gap by emphasizing programmatic fundamentals.


The Trusted CI Framework is structured around 4 “Pillars” which make up the foundation of a competent cybersecurity program: Mission Alignment, Governance, Resources, and Controls.


Within these pillars are 16 “Musts” that identify the concrete, critical elements required for running a competent cybersecurity program. The 4 Pillars and the 16 Musts combined make up the “Framework Core,” which is designed to be applicable in any environment and for any organization and which is unlikely to change significantly over time.


About the forthcoming Framework Implementation Guide


A “Framework Implementation Guide” (FIG) is an audience-specific deep dive into how an organization would begin implementing the 16 Musts. FIGs provide detailed guidance and recommendations and are expected to be updated much more frequently than the Framework Core.


This Framework Implementation Guide is designed for direct use by research cyberinfrastructure operators. We define RCOs as organizations that operate on-premises, cloud-based, or hybrid computational and data/information management systems, instruments, visualization environments, networks, and/or other technologies that enable knowledge breakthroughs and discoveries. These include, but are not limited to, major research facilities, research computing centers within research institutions, and major computational resources that support research computing.


About the Framework Advisory Board (FAB)


As a product ultimately designed for use in the Research and Higher Education communities, this Framework Implementation Guide is being developed with significant input from stakeholders that represent a cross-section of the target audience. The Framework Advisory Board (FAB) includes 19 stakeholders with diverse interests and roles in the research and education communities. Over the course of 2020, Trusted CI’s Framework project team has engaged the FAB on a monthly basis, and the group has provided substantial input on the draft material.


The Framework Advisory Board is:


Kay Avila (NCSA); Steve Barnet (IceCube); Tom Barton (University of Chicago); Jim Basney (NCSA); Jerry Brower (NOIRLab, Gemini Observatory); Jose Castilleja (NCAR / UCAR); Shafaq Chaudhry (UCF); Eric Cross (NSO); Carolyn Ellis (Purdue U.); Terry Fleury (NCSA); Paul Howell (Internet2); Tim Hudson (NEON / Battelle / Arctic); David Kelsey (UKRI/WISE); Tolgay Kizilelma (UC Merced); Nick Multari (PNNL); Adam Slagell (ESnet); Susan Sons (IU CACR); Alex Withers (NCSA / XSEDE); Melissa Woo (Michigan State U.)


Tuesday, December 8, 2020

Report on the Trusted CI 2020 NSF Cybersecurity Summit is now available

The Report of the 2020 NSF Cybersecurity Summit for Cyberinfrastructure and Large Facilities is now available at http://hdl.handle.net/2142/108907. The report summarizes the eighth annual Summit, the first to be held entirely online, which took place September 22-24, 2020. The annual Summit provides a valuable opportunity for cybersecurity training and information exchange among members of the cybersecurity, cyberinfrastructure, and research communities who support NSF science projects. This sharing of challenges and experiences raises the level of cybersecurity awareness and gives Trusted CI important insights into current and evolving issues within the constituent communities.
 
This year’s Summit training and plenary sessions reiterated some observations from previous years, such as the high value of community member interaction and knowledge sharing. Several presentations again noted the value of federated identity management in facilitating project collaboration. Also emphasized was the importance of workforce development, with a new highlight on the strength that diversity brings to teams. Other emerging trends noted among this year’s presentations included the threat presented by the rapid spread of misinformation and disinformation, and a broadening of the focus on data confidentiality to include the value of data integrity.
 
Day 1 of the Summit was dedicated to half-day and full-day training sessions. Days 2 and 3 comprised plenary presentations, panels, and keynotes that focused on the security of cyberinfrastructure projects and NSF Large Facilities. Recordings of many of the Summit sessions are available on YouTube. Slides from a subset of the presentations are also available.
 
With 2020’s no-cost virtual format, this year’s attendance totaled 287 (up from 143 in-person attendees in 2019), representing 142 NSF projects and 16 of the 20 NSF Large Facilities. The total attendance includes a significant increase in student participation, with 27 students attending, up from ten in 2019. For more information on the 2020 Summit student attendees, please see the Trusted CI blog post Student Program at the 2020 NSF Cybersecurity Summit. Evaluation and feedback on the 2020 Summit were very positive, with many requests to continue offering a virtual attendance option in the future. As we begin planning for the 2021 Summit, we will be mindful of the conditions and options to determine meeting formats that we think will best serve the community’s needs at that time.

Monday, December 7, 2020

Trusted CI Webinar Series: Planning for 2021, review of 2020

The 2020 season of the Trusted CI Webinar series has concluded and we are looking forward to the presentations scheduled in the next year.

The following topics have been booked for 2021:

  • January: SciTokens
  • February: Cyberattacks & the social sciences
  • March:  REED+ ecosystem
  • April: OSN and MGHPCC
  • May: Identifying Vulnerable GitHub Repositories
  • June: Trusted CI annual challenge - Software Assurance
  • July: Open Science Grid
  • August: NCSA's SOC Type 2 certification
  • September: Q-Factor project
  • October: Legal insights with Scott Russell
  • December: Trusted CI annual challenge - Software Assurance

In case you missed them, here are the webinars from 2020:

  • January ’20: REN-ISAC for Research Facilities & Projects with Kim Milford (Video)(Slides)
  • February ’20: FABRIC: Adaptive programmaBle networked Research Infrastructure for Computer science with Anita Nikolich (Video)(Slides)
  • March ’20: OnTimeURB: Multi-cloud Broker Framework for Creation of Secure and High-performance Science Gateways with Prasad Calyam (Video)(Slides)
  • April ’20: Trustworthy Decision Making and Artificial Intelligence with Arjan Durresi (Video)(Slides)
  • May ’20: Is your code safe from attack? with Barton Miller and Elisa Heymann (Video)(Slides)
  • June ’20: The ResearchSOC with Susan Sons (Video)(Slides)
  • July ’20: Whose line is it anyway? - Problem solving in complex networks with Doug Southworth (EPOC) (Video)(Slides)
  • August ’20: Transitioning Cybersecurity Research to Practice - Success stories and tools you can use with Patrick Traynor, Florence Hudson, and Ryan Kiser (Video)(Slides)
  • September ’20: ACCORD: Integrating CI policy and mechanism to support research on sensitive data with Ron Hutchinson, Tho Nguyen, and Neal Magee (Video)(Slides)
  • October ’20: RDP: Enforcing Security and Privacy Policies to Protect Research Data with Yuan Tian (Video)(Slides)
  • October ’20: Cybersecurity Maturity Model Certification (CMMC) with Scott Russell (Video)(Slides)
  • December ’20: Trustworthy Data panel (Video)(Slides)
Join Trusted CI's announcements mailing list for information about upcoming events. Our complete catalog of webinars and other presentations is available on our YouTube channel.


Friday, November 20, 2020

Open Science Cyber Risk Profile (OSCRP), and Data Confidentiality and Data Integrity Reports Updated

 In April 2017, Trusted CI released the Open Science Cyber Risk Profile (OSCRP), a document designed to help principal investigators and their supporting information technology professionals assess cybersecurity risks related to open science projects. The OSCRP was the culmination of extensive discussions with research and education community leaders, and has since become a widely-used resource, including numerous references in recent National Science Foundation (NSF) solicitations.

The OSCRP has always been intended to be a living document.  In order to gather material for continued refreshing of ideas, Trusted CI has spent the past couple of years performing in-depth examination of additional topics for inclusion in a revised OSCRP.  In 2019, Trusted CI examined the causes of random bit flips in scientific computing and common measures used to mitigate the effects of “bit flips.”  Its report, “An Examination and Survey of Random Bit Flips and Scientific Computing,” was issued in December 2019.  In order to address the community's need for insights on how to start thinking about computing on sensitive data, in 2020, Trusted CI examined data confidentiality issues and solutions in academic research computing.  Its report, “An Examination and Survey of Data Confidentiality Issues and Solutions in Academic Research Computing,” was issued in September 2020.  

Both reports have now been updated, with the current versions being made available at the links to the report titles above.  In conjunction, the Open Science Cyber Risk Profile (OSCRP) itself has also been refreshed with insights from both data confidentiality and data integrity reports.

All of these documents will continue to be living reports that are updated over time to serve community needs. Comments, questions, and suggestions about this post and about both documents are always welcome at info@trustedci.org.