David Halstead, Chief Information Officer for NRAO, states, "The Trusted CI engagement allowed Information Services to take a holistic view of the risk and threat landscape facing the observatory's CI, instead of the more traditional audits, which largely ignore the research infrastructure and focus on the financial systems."
Engagement Process
Fact-Finding. Trusted CI gathered information using a variety of methods, including dynamic question-and-answer sessions with NRAO staff and a review of over one hundred public and private documents obtained from publicly accessible websites and from NRAO's internal document repository. NRAO also completed our rigorous survey assessing the current state of their cyberinfrastructure. During this phase of the engagement, we held seven one-hour conference calls together, focused mainly on building Trusted CI's understanding of NRAO's security program.
Site Visit. The Trusted CI and NRAO teams also met for a period of three days onsite in Charlottesville, Virginia, giving us an opportunity to interact face-to-face. During that time, we performed a physical walkthrough of NRAO’s onsite computing infrastructure, interviewed personnel with security functions, and held detailed discussions on the current status of the security program as well as possible opportunities for maturation. When a passing blizzard forced NRAO to close its doors for one of those days, the teams refused to be slowed down and instead met virtually, maximizing the amount of time we could dedicate to working together.
Recommendations Report. The report that Trusted CI subsequently delivered to NRAO opened with a set of foundational recommendations. Recommendations were marked "foundational" if they appeared feasible to begin in the next six months; called for architectural, philosophical, or major resource additions or reallocations; and were expected to generate strong outcomes, particularly in facilitating other impactful actions. We organized the remaining recommendations by estimated benefit and cost to implement. Grounded in best practices and community standards, these recommendations frequently referenced the Center for Internet Security (CIS) Controls and the Australian Signals Directorate's Essential Eight, two evidence-based control sets, as well as Trusted CI's four-pillar framework for developing cybersecurity programs for open science.
Deep Dives. After delivering the final report, we used the remainder of our engagement time to facilitate phone and email discussions focused on implementing these recommendations. Dr. Jim Basney and Ryan Kiser, Trusted CI subject matter experts in federated identity management and application authorization, respectively, each joined a conference call focused on his area of expertise in order to share insights and answer questions posed by NRAO. Other topics of conversation included inventory and asset management, network visibility, and Trusted CI's process and tools for self-assessing gaps and actions under the CIS Controls v7.
Reflections and Acknowledgements
NRAO’s effort and openness were critical to the success of this engagement. Their willingness to share information, including providing access to NRAO’s internal documents, allowed us to tailor our recommendations to their specific level of maturation in each area. We would like to thank all of the NRAO staff who spent time talking with us and responding to our questions, especially our primary engagees David Halstead and Pat Murphy, as well as Chris Clark, Karyn Roberts, Derek Hart, Josh Malone, Matthew McCleary, Ferzen Manglicmot, Wolfgang Baudler, Warren Richardson, and Guilhem Werbelow.
NRAO’s commitment extended beyond participation and into implementation, as evidenced by how quickly the organization created a plan based on Trusted CI’s recommendations and moved to enact it. We are excited to see this engagement already having a major impact on the funding, structure, and visibility of their security program.
We would also like to thank Steven Berukoff and Tony Hays from the Daniel K. Inouye Solar Telescope (DKIST) project for permitting us to share one of their internal network diagrams with NRAO. Steven and Tony had presented this diagram to us during a prior Trusted CI engagement and agreed to let us share it with NRAO. Their example of “documentation done well” assisted in facilitating a discussion on the kinds of network documentation most useful from a security and operations support standpoint.
Through interacting with NRAO and learning about their cybersecurity needs, the Trusted CI team continued to refine our understanding of the unique challenges and opportunities involved with securely supporting science. We look forward to continuing to engage, advise, and grow with the community in this evolving landscape. For more information on how to work with us, please visit our engagements page.
[This article was edited on 2020-07-14 to replace "application whitelisting" with "application authorization."]