Tuesday, July 23, 2019

Trusted CI begins engagement with the United States Academic Research Fleet

The United States Academic Research Fleet (ARF, funded by multiple NSF awards) consists of eighteen oceanographic research vessels organized by the University-National Oceanographic Laboratory System (UNOLS) that vary in size and capability from large Global Class vessels to Coastal Class vessels. As a large facility, the ARF is unique because its primary assets (research vessels) are owned by several different agencies and independently operated by fourteen different oceanographic research institutions. The ARF supports seagoing research for scientific disciplines which require access to the sea. It is vital to programs as small as single-PI nearshore projects and as large as global multi-PI expeditions. The ARF provides multi-institutional and multi-disciplinary shared research infrastructure to serve these research projects. This infrastructure helps to advance research and education across a wide variety of disciplines for a diverse community.

The US ARF faces unique cybersecurity challenges due to the remote nature of the platforms and the increasing use of operational technology on research vessels. The fact that the platforms are operated by different institutions with distinct standards and policies further compounds these issues. As the platforms serve the same customers, a unified CI solution that works across institutional requirements would provide a more consistent environment to all personnel coming aboard US ARF ships. The engagement between Trusted CI and ARF will work to establish a unified cyberinfrastructure security plan that will both serve the evolving security needs of its community and prepare the ARF for operational cybersecurity requirements due to be enforced by the International Maritime Organization in 2021.

This engagement began in July 2019 and is scheduled to conclude by the end of December 2019.

Thursday, July 11, 2019

Registration is now open for the 2019 NSF Cybersecurity Summit

It is our great pleasure to announce that registration is now open for the 2019 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure. The event will take place Tuesday, October 15 through Thursday, October 17, 2019, at the Catamaran Hotel, San Diego, CA. Attendees will include cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and cybersecurity communities.

Complete the online registration form by October 9, 2019: https://trustedci.org/2019-nsf-cybersecurity-summit

Tuesday, July 9, 2019

CCoE Webinar July 22nd at 11am ET: Ancile: Enhancing Privacy for Ubiquitous Computing with Use-Based Privacy

Vassar College's Jason Waterman is presenting the talk "Ancile: Enhancing Privacy for Ubiquitous Computing with Use-Based Privacy" on Monday July 22nd at 11am (Eastern).

Please register here. Check your spam/junk folder for the registration confirmation email.

The recent proliferation of sensors has created an environment in which human behaviors are continuously monitored and recorded. However, many types of this passively-generated data are particularly sensitive. For example, location traces can be used to identify shopping, fitness, and eating habits. These traces have also been used to set insurance rates and to identify individual users in large, anonymized databases. To develop a trustworthy platform for ubiquitous computing applications, it will be necessary to provide strong privacy guarantees for the data consumed by these applications. Use-based privacy, which re-frames privacy as the prevention of harmful uses, is well-suited to address this problem.

This webinar introduces Ancile, a platform for enforcing use-based privacy for applications. Ancile is a run-time monitor positioned between applications and the data (such as location) they wish to utilize. Applications submit requests to Ancile; each request contains a program to be executed in Ancile's trusted environment along with credentials to authenticate the application to Ancile. Ancile fetches data from a data provider, executes the program, and returns any output data to the application if and only if all commands in the program are authorized. We find that Ancile is both expressive and scalable. This suggests that use-based privacy is a promising approach to developing a privacy-enhancing platform for implementing location-based services and other applications that consume passively-generated data.
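The request flow described above (authenticate the application, authorize every command in the submitted program, and release output only if the whole program is permitted) is sketched here as a toy monitor. This is an added illustration, not Ancile's code; the policy language (a regular expression over the command sequence), the command names, the credentials and the location trace are all constructed for the example.

```python
"""Toy use-based privacy monitor in the spirit of the Ancile description.

Hypothetical example, not Ancile's code or its real policy language. A policy
is a regular expression over the sequence of command names; the entire program
must match before any output is released to the application.
"""
import hmac
import re

# Constructed location trace standing in for the data provider.
SAMPLE_TRACE = [(40.69, -73.89), (40.70, -73.90), (40.71, -73.91), (40.69, -73.89)]

# Constructed credentials and per-application policies (hypothetical).
CREDENTIALS = {"fitness_app": "token-fitness", "ad_broker": "token-ads"}
POLICY = {
    # The fitness app may see coarsened points or their count, never raw points.
    "fitness_app": r"fetch( round)+( count)?",
    # The ad broker may only ever learn how many points were recorded.
    "ad_broker": r"fetch (round )*count",
}

def cmd_fetch(_): return list(SAMPLE_TRACE)            # pull data from provider
def cmd_round(trace): return [(round(la, 1), round(lo, 1)) for la, lo in trace]
def cmd_count(trace): return len(trace)                # aggregate to one number
def cmd_export(trace): return trace                    # releases data unchanged

COMMANDS = {"fetch": cmd_fetch, "round": cmd_round, "count": cmd_count, "export": cmd_export}

class PolicyViolation(Exception):
    """Raised when a program is not authorized by the application's policy."""

def authorize(app, program):
    """True only if every command exists and the whole sequence is permitted."""
    pattern = POLICY.get(app)
    if pattern is None or any(name not in COMMANDS for name in program):
        return False
    return re.fullmatch(pattern, " ".join(program)) is not None

def run_request(app, token, program):
    """Authenticate, authorize the full program, then execute and release output."""
    if not hmac.compare_digest(CREDENTIALS.get(app, ""), token):
        raise PermissionError(f"bad credentials for {app}")
    if not authorize(app, program):          # all-or-nothing: nothing runs otherwise
        raise PolicyViolation(f"{app}: program {program} not authorized")
    data = None
    for name in program:
        data = COMMANDS[name](data)
    return data
```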

Speaker Bio: Jason Waterman is an Assistant Professor of Computer Science at Vassar College. He received his Ph.D. in Computer Science at Harvard University in the area of Coordinated Resource Management in Sensor Networks. He has also worked as research staff at MIT's Computer Science & Artificial Intelligence Laboratory, where he helped to build a system for monitoring patients in disaster situations.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, July 8, 2019

Trusted CI Completes REED+ Engagement

The Research Ecosystem for Encumbered Data (REED+) at Purdue University (https://www.rcac.purdue.edu/compute/reed), funded under the Office of Advanced Cyberinfrastructure (OAC #1840043), is a vision to implement a cost-effective ecosystem to manage regulated data. Researchers at Purdue, led by Preston Smith, Director of Research Services and Support, developed a strategic framework to address the compliance requirements for Controlled Unclassified Information (CUI) which is appearing in research sectors, e.g., defense and aerospace.

The foundation of the REED+ framework integrates NIST SP 800-171 and other related publications, including NIST's Cybersecurity Framework (CSF) and the Big Ten Academic Alliance guidelines. It is intended to serve as a standard for campus IT to align with security regulations and best practices. Leveraging the framework, a single process for intake and contracting can be followed by the university's Sponsored Programs Office (SPS), Human Research Protection Program (which oversees the IRB), Export Controls and Research Information Assurance (EC/IAO), and Information Technology at Purdue (ITaP) Research Computing division (formerly the Rosen Center for Advanced Computing, or RCAC). Moreover, the framework also facilitates a tractable mapping of controlled research to cyberinfrastructure (CI) resources. The overarching goal of the REED+ framework is to enable researchers, administrators, and campus IT to better understand complicated data security regulations affecting research projects.

To assist in developing the framework, Trusted CI engaged with the REED+ team at Purdue from January through June of 2019. The initial step in the engagement was a review of existing documents and processes, followed by exploring proposed policies. Trusted CI found the flow of the REED+ framework sound, and soon switched to working with Preston's team on specific aspects of the process, e.g., providing controlled research 'use cases'. The engagement proved especially rewarding, as both the REED+ researchers and Trusted CI came away from the engagement with a greater understanding of the nascent and vanguard processes involved in handling CUI compliance in the domain of research and education.

Sunday, July 7, 2019

Cyberinfrastructure Vulnerabilities 2019 Q2 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is freely available to all by subscribing to Trusted CI’s mailing lists (see below).

We monitor a number of sources for software vulnerabilities of interest, then determine which ones are of the most critical interest to the community. While it’s easy to identify issues that have piqued the public news cycle, we strive to alert on issues that affect the CI community in particular. These are identified using the following criteria: the affected technology’s or software’s pervasiveness in the CI community; the technology’s or software’s importance to the CI community; type and severity of potential threat, e.g., remote code execution; the threat’s ability to be remotely triggered; the threat’s ability to affect critical core functions; and if mitigation is available. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE, Open Science Grid (OSG), the NSF supercomputing centers, and the ResearchSOC on drafting and distributing alerts to minimize duplication of effort and maximize benefit from community expertise. Some of the sources we monitor for possible threats to CI include:


In 2Q2019 the Cyberinfrastructure Vulnerabilities team issued the following 10 vulnerability alerts to 133 subscribers:


If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available at https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Wednesday, July 3, 2019

Trusted CI Completes Engagement with the Polar Geospatial Center

The Polar Geospatial Center (PGC) (NSF 1559691, NSF 1614673, NSF 1810976, NASA NNX16AK90G, and NASA 80NSSC18K1370) at the University of Minnesota provides geospatial support, mapping, and GIS/remote sensing solutions to researchers and logistics groups in the polar science community. The PGC supports U.S. polar scientists to complete their research goals in a safe, timely, and efficient manner by providing a service which most groups do not have the resources or expertise to complete. The mission of the PGC is to introduce new, state-of-the-art techniques from the geospatial field to effectively solve problems in the least mapped places on Earth. Trusted CI's engagement with PGC began in January 2019 and concluded in June 2019.

The primary goals for this engagement were to rapidly mature PGC’s cybersecurity program and develop a roadmap for future cybersecurity efforts at PGC. Trusted CI and PGC conducted a risk assessment of cyberinfrastructure assets, and then, driven by the results of the assessment, worked to build upon these results to improve PGC’s security program. The Trusted CI Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects and related materials were used to facilitate the effort.

NSF Community Cybersecurity Benchmarking Survey

It's time again for the NSF Community Cybersecurity Benchmarking Survey (“Community Survey”). We’ve appreciated all the great participation in the past, and look forward to seeing your responses again this year. The Community Survey, started in 2016, is a key tool used by Trusted CI to gauge the cybersecurity posture of the NSF science community. The twin goals of the Community Survey are: 1) To collect and aggregate information about the state of cybersecurity for NSF projects and facilities; and 2) To produce a report analyzing the results, which will help the community level-set and provide Trusted CI and other stakeholders a richer understanding of the community’s cybersecurity posture. To ensure the survey report is of maximum utility, we want to encourage a high level of participation, particularly from NSF Large Facilities. Please note that we are aggregating responses and minimizing the amount of project-identifying information we’re collecting, and any data that is released will be anonymized.

https://forms.gle/meVYfsxvbzEEYWAn6

Each NSF project or facility should submit only a single response to this survey. Completing the survey may require input from the PI, the IT manager, and/or the person responsible for cybersecurity (if those separate areas of responsibility exist). While answering specific questions is optional, we strongly encourage you to take the time to respond as completely and accurately as possible. If you prefer not to respond to or are unable to answer a particular question, we ask that you make that explicit (e.g., by using “other:” inputs) and provide your reason.

The response period closes July 31, 2019.