Wednesday, January 12, 2022

Trusted CI Webinar: Populating the HECVAT as an Academic Research Provider, January 24th @11am EST

Indiana University's Charles Escue and Ohio Supercomputer Center's Kyle Earley are presenting the talk, Populating the HECVAT as an Academic Research Provider - Representing Your Security Posture For Your Higher-Ed Information Security Partners, on Monday January 24th at 11am (Eastern).

Please register here.

To read more about our engagement with OSC and Trusted CI's contribution to the HECVAT, see our recent blog post.

At one time, higher-ed was the requestor of HECVATs; now we are being called on to populate them for our peers. The Higher Education Community Vendor Assessment Toolkit (HECVAT) has become the de facto standard for vendor risk and security assessment in higher education, and the number of universities around the globe using the HECVAT in their assessment process is well into the hundreds. As researchers, and others in the academic mission, consume services of academic research providers (e.g., the Ohio Supercomputer Center, OSC) and thus share institutional data with them, their security offices are increasingly conducting security and risk assessments of these providers to ensure they meet the risk tolerance of their institution.

Taking a proactive approach to mitigate unnecessary burden in this space, Trusted CI led an engagement to provide response guidance for these academic research service providers on how to properly represent the security state(s) of their environment. Join Kyle Earley, High Performance Computing Security Engineer from the Ohio Supercomputer Center, and Charlie Escue, Information Security Manager at Indiana University and co-chair of EDUCAUSE's HECVAT Users Community Group, as they discuss this collaboration and the tangible guidance that was produced during the engagement.

Speaker Bios

Charles Escue manages Indiana University's Extended Information Security (EIS) team, a pioneering effort focused on improving university incident remediation capabilities and the handling of imminent threats, beyond the scope of our traditional security office. With over fourteen years of information technology (IT) experience at Indiana University, Charles proudly leads and contributes his expertise as co-chair of EDUCAUSE's HECVAT Users Community Group.

Kyle Earley serves as the High Performance Computing Security Engineer for the Ohio Supercomputer Center (OSC). He is the single security resource for the center covering everything from day-to-day security operations to specific engagements and audits. Kyle graduated with a bachelor's degree in Management of Information Systems Enterprise Security from Georgia Southern University. Prior to his time at OSC, he worked for Accenture on a wide array of projects from Department of Defense (DoD) contracts to Fortune 500 clients, last serving as a Senior Security Analyst in the consulting track.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, January 11, 2022

Trusted CI engagement with OSC contributes to HECVAT 3.0


The EDUCAUSE Higher Education Information Security Council (HEISC) launched the latest version of the Higher Education Community Vendor Assessment Toolkit (HECVAT and HECVAT Lite v3). The new version has gone through a substantial overhaul to ensure the questions reflect the modern cloud research environment. More information about the new and improved HECVAT can be found on EDUCAUSE’s website.

The HECVAT is designed specifically for colleges and universities to measure vendor risk. It is presented as a questionnaire that focuses on the unique needs of a college or university. It can also be used by solution providers to demonstrate their organization’s adherence to the security expectations outlined by the HEISC. Providers are encouraged to fill out the HECVAT and share it in the Community Broker Index.

During the development of v3 of the HECVAT and HECVAT Lite, the HEISC Shared Assessments Working Group reached out to representatives of the higher ed community with expertise in industry standards (e.g., CIS Security Controls, HIPAA, ISO 27002:2013, various NIST frameworks, and the Trusted CI Framework) to conduct a “crosswalk.” Trusted CI contributed to the crosswalk by mapping the HECVAT questions to one or more of the 16 Musts in the Trusted CI Framework. Trusted CI has also published guidance on applying the HECVAT for NSF research projects. 

Our collaboration with EDUCAUSE on the HECVAT v3 was prompted by Trusted CI’s recent engagement with the Ohio Supercomputer Center. We are very proud to have contributed to this important project. During our Fall 2021 engagement, OSC successfully completed the HECVAT-Lite Version 3 questionnaire at the request of a research project at another university that planned to use OSC’s HPC services. OSC's HECVAT can be accessed through the Community Broker Index.

Trusted CI will be presenting a webinar on the new version of the HECVAT on Monday January 24th at 11am Eastern. Registration information is available at trustedci.org/webinars.

Trusted CI Webinar Series: Planning for 2022, review of 2021

The 2021 season of the Trusted CI Webinar series has concluded and we are looking forward to the presentations scheduled in 2022.

In 2022 we will be featuring webinars that reflect Trusted CI's commitment to providing additional support, consultation and guidance to NSF Major Facilities.

The following topics have been booked early in 2022:

  • January 24th, The EDUCAUSE Higher Education Community Vendor Assessment Toolkit (HECVAT) and our engagement with Ohio Supercomputer Center
  • February 28th, Software Assurance: Findings of the 2021 Trusted CI Annual Challenge

In case you missed them, here are the webinars from 2021:

  • January ’21: SciTokens with Jim Basney, Brian Bockelman, and Derek Weitzel (Video)(Slides)
  • February ’21: The CARE Lab: Application, Research, and Education with Aunshul Rege (Video)(Slides)
  • March ’21: REED+ ecosystem with Carolyn Ellis, Jay Yang, and Preston Smith  (Video)(Slides)
  • April ’21: Arizona State’s ScienceDMZ with Douglas Jennewein and Chris Kurtz (Video)(Slides)
  • May ’21: Identifying Vulnerable GitHub Repositories with Sagar Samtani (Video)(Slides)
  • June ’21: Investigating Secure Development In Practice: A Human-Centered Perspective with Michelle Mazurek (Video)(Slides)
  • July ’21: Open Science Grid with Brian Bockelman (Video)(Slides)
  • August ‘21: NCSA Experience with SOC2 in the Research Computing Space with Alex Withers (Video)(Slides)
  • September ‘21: Q-Factor: Real-time data transfer optimization leveraging In-band Network provided by P4 data planes (Video)(Slides)
  • October ‘21: The Trusted CI Framework; Overview and Recent Developments with Scott Russell (Video)(Slides)
  • December ‘21: Lessons from a Real-World Ransomware Attack on Research (Video)(Slides)

Join Trusted CI's announcements mailing list for information about upcoming events. Our complete catalog of webinars and other presentations is available on our YouTube channel.



Monday, January 10, 2022

Trusted CI Tackling Major Facilities' Cybersecurity and Ransomware in 2022

Last year brought great progress and success for Trusted CI, including the March release of the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators. At the same time, we observed an increase in the risk of ransomware to the research community.

As we enter 2022, we are looking forward to building on Trusted CI’s progress and momentum to address the increasing threats to the NSF research community. We are kicking off the year with new initiatives which will provide additional support, consultation and guidance to NSF Major Facilities. Announced during the 2021 Summit, we are piloting a Framework cohort, which will accelerate Major Facility adoption of the Framework via a group engagement approach. The cohort kicks off this month with the first in the workshop series and the following facilities participating:

In addition to the Framework cohort, we are establishing the Trusted CI Major Facilities Ambassadors program. This program seeks to provide direct support to NSF Major Facilities by helping them to establish, evaluate, implement and evolve their cybersecurity programs using the Framework. Each Major Facility will have an assigned Ambassador whose role it is to develop an understanding of the facility’s activities, cybersecurity program, and unique challenges to enable them to provide tailored support and guidance.

As our 2021 engagement with Michigan State University showed, the effects of ransomware continue to impact the research community. Trusted CI is taking action to help prepare the NSF community for the threat. We are leveraging our expertise, relationships, and program activities to identify, document, and educate the NSF community about best practices for mitigating ransomware threats. We will add a page to the Trusted CI website with easy access to those best practices and resources as well as any related presentations, reports, etc.

We look forward to another successful year and welcome community member input on our priorities for 2022. If you have any questions or feedback you’d like to share, please email info@trustedci.org.

Friday, January 7, 2022

Cyberinfrastructure Vulnerabilities 2021 Annual Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is freely available by subscribing to Trusted CI's mailing list (see below).

We monitor a number of sources for vulnerabilities, then determine which ones are of critical interest to the CI community. While there are many cybersecurity issues reported in the news, we strive to alert on issues that affect the CI community in particular. These issues are identified using the following criteria:

  • the affected technology's or software's pervasiveness in the CI community
  • the technology's or software's importance to the CI community
  • the type and severity of a potential threat, e.g., remote code execution
  • the threat's ability to be triggered remotely
  • the threat's ability to affect critical core functions
  • the availability of mitigations

For issues that warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE, Open Science Grid (OSG), the NSF supercomputing centers, and the ResearchSOC on drafting and distributing alerts to minimize duplication of effort and maximize benefit from community expertise. Sources we monitor for possible threats to CI include the following:

In 2021 the Cyberinfrastructure Vulnerabilities team discussed 40 vulnerabilities and issued 26 alerts to 183 subscribers.

You can subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list at https://list.iu.edu/sympa/subscribe/cv-announce-l . This mailing list is public and its archives are available at https://list.iu.edu/sympa/arc/cv-announce-l .

If you have information on a cyberinfrastructure vulnerability, let us know by sending email to alerts@trustedci.org .

 

Trusted CI, EPOC and University of Arkansas create security resources for Science DMZs

In the second half of 2021 Trusted CI partnered with EPOC at Indiana University to participate in an engagement with the University of Arkansas as they worked on the NSF-funded project "Data Analytics that are Robust and Trusted" (DART). DART is funded by NSF grant #OIA-1946391 to build an Arkansas-wide Science DMZ capability for use by participating institutions of higher education across Arkansas. A Science DMZ is a network architecture for friction-free science data transfers that allows very high throughput. Most Science DMZs are modeled around two end points that need to transfer data between each other. The goal of the DART project is to build a statewide network for Arkansas institutions to transfer data between any participating institution. The DART project applied for an engagement with Trusted CI in order to seek guidance on securing their multi-tenant Science DMZ infrastructure, but also to improve the state of security documentation for Science DMZs in general.

One of the challenges with Science DMZs is that CISOs and executive leadership at institutions have been resistant to the idea due to the myth that a Science DMZ has no security controls because it is placed outside the traditional firewall perimeter. To try to quell these concerns the team wrote a white paper on the security of Science DMZs; its first half introduces the concept of a Science DMZ, explains the need for it, and gives a high-level overview of the alternative security controls used. The audience for this first section is CISOs at universities. The second half of the document goes into more specific details of implementation, summarizing and referencing many of the recommendations made by various resources in the community as well as providing a few additional recommendations made by Trusted CI. This document is now published at https://scholarworks.iu.edu/dspace/handle/2022/27007.

During the first half of the engagement, Trusted CI and EPOC worked to determine the scope of what could be called the Science DMZ, with a lot of discussion in engagement meetings about what should and should not be on a Science DMZ. There is a natural temptation to place more hosts in the Science DMZ than are necessary, and this must be resisted; instead, the data transfer nodes (DTNs) should be the focal points on the Science DMZ, and every host placed there should have a clear data-transfer or measurement role.
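As an added illustration of what "DTNs as the focal points" looks like in practice, the ruleset below is a host firewall for a single DTN. It is not taken from the white paper or the DART engagement; it assumes nftables on Linux, a management subnet of 192.0.2.0/24, partner-DTN prefixes 198.51.100.0/24 and 203.0.113.0/24 (all constructed documentation addresses), GridFTP control on TCP 2811 and a Globus-style data channel range of TCP 50000-51000. Those ports are the conventional defaults for those tools, not values stated on this page.

```nft
#!/usr/sbin/nft -f
# Illustrative host firewall for a Science DMZ data transfer node (DTN).
# Added example; not from the DART engagement or the Trusted CI white paper.
# Assumptions (not from the page): management network 192.0.2.0/24,
# GridFTP control on TCP 2811, Globus data channels on TCP 50000-51000,
# partner-DTN prefixes in @partner_dtns (constructed documentation ranges).

flush ruleset

table inet dtn {
    # Only partner institutions' DTN address space may reach the transfer
    # services. Anything else arriving over the Science DMZ path is dropped.
    set partner_dtns {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 203.0.113.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # ICMP is required for path MTU discovery on high-throughput links;
        # blocking it is a common cause of stalled large transfers.
        meta l4proto icmp accept
        meta l4proto icmpv6 accept

        # Administrative access only from the management network.
        ip saddr 192.0.2.0/24 tcp dport 22 accept

        # Data-transfer services, reachable only from partner DTNs.
        ip saddr @partner_dtns tcp dport 2811 accept
        ip saddr @partner_dtns tcp dport 50000-51000 accept

        # Web consoles, databases and general login are not DTN functions and
        # have no place on the Science DMZ: log (rate-limited) and fall through
        # to the drop policy.
        limit rate 10/second log prefix "dtn-drop: "
    }

    chain forward {
        # A DTN is an endpoint, never a router between networks.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The border router ACL in front of the Science DMZ should express the same allow-list statelessly (partner prefixes to DTN addresses on the transfer ports, management prefix to SSH), so that the host rules are a second layer rather than the only one. Because the input chain is stateful, conntrack table sizing and its throughput cost should be measured on the DTN before relying on it for a multi-tenant deployment.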

Beyond the end of the engagement, Trusted CI, in partnership with staff from the DART project, plans to leverage this whitepaper to develop additional presentation materials to help other institutions promote and implement Science DMZs. This effort will start in the first half of 2022.

Wednesday, January 5, 2022

Announcing the 2022 Trusted CI Annual Challenge on Scientific OT/CPS Security

The Trusted CI Annual Challenge is a year-long project focusing on a cybersecurity topic of importance for scientific computing environments. In its first year, the Trusted CI Annual Challenge focused on improving trustworthy data for open science. In its second year, the Annual Challenge focused on software assurance in scientific computing. Now in its third year, the Annual Challenge is focusing on the security of “operational technology” or “cyber-physical systems” in science.

Operational technology (OT) or cyber-physical systems (CPS) are networked systems connected to computing systems on one side and to either controls or sensors of physical systems on the other side. Networked sensors and control systems are increasingly important in the context of science, as they are critical in operating scientific instruments like telescopes, biological and chemical reactors, and even vehicles used in scientific discovery. Given their increasing importance in the process of scientific discovery, disruption of networked instruments can therefore increasingly have negative consequences for the scientific mission. And, like OT/CPS everywhere, including commercial off-the-shelf (COTS) OT/IoT, any control system can by definition also have physical consequences in the real world, including equipment damage and loss of life. Indeed, NSF's recent update to the Research Infrastructure Guide (formerly known as the Major Facilities Guide) further clarified that OT is within the scope of information assets to be protected by the facilities' cybersecurity programs (see Sections 6.3.3.2 and 6.3.6.1).

Trusted CI has a long history of addressing the security of operational technology through its engagements with facilities that operate such equipment. The 2022 Annual Challenge seeks to gain both broader and deeper insights into the security of these important and specialized systems. To accomplish this, in the first half of the year we plan to have conversations with personnel involved with IT security and OT operations at a variety of NSF Major Research Facilities. In the second half of the year, we will leverage this insight to develop a multi-year roadmap of solutions to advance the security of scientific operational technology. This guidance will offer security recommendations in a form most relevant to NSF facilities, unlike existing guides that have different foci and audiences with different priorities and resources.

This year’s Annual Challenge is supported by a stellar team of Trusted CI staff, including Emily K. Adams (Indiana University), Ryan Kiser (Indiana University), Drew Paine (Berkeley Lab), Susan Sons (Indiana University), John Zage (University of Illinois, Urbana-Champaign), and Sean Peisert (Berkeley Lab; 2022 Annual Challenge Project Lead).