Friday, December 18, 2020

Southern Ocean Carbon and Climate Observations and Modeling (SOCCOM) and Global Ocean Biogeochemistry Array (GO-BGC) Complete Trusted CI CyberCheckup

The Southern Ocean Carbon and Climate Observations and Modeling (SOCCOM) project is a $21 million NSF-funded project (OPP 1425989 and OPP 1936222) to instrument the Southern Ocean and make data publicly available. SOCCOM has deployed nearly 200 robotic profiling floats in the Southern Ocean (south of 30°S). These floats are part of the international Argo network and collect physical, chemical, and biological sensor data from the upper 2000 m of the water column every 10 days. The data are transmitted to shore via the Iridium satellite system. The data are then passed through a series of institutional servers, where the data are fully processed and quality controlled. The resulting science-quality data and the raw observations are made available within 24 hours with no restrictions. The data set has been used in more than 100 publications to assess physical, chemical, and biological processes in the Southern Ocean.

The biogeochemical float array in the Southern Ocean is now expanding to the world ocean with a new NSF-sponsored project, the Global Ocean Biogeochemistry (GO-BGC) Array (OCE 1946578). GO-BGC will deploy 500 robotic profiling floats throughout the ocean. GO-BGC is funded by a $52.9 million grant from the Mid-scale Research Infrastructure-2 program. Institutional float operators expand from the University of Washington (UW) in SOCCOM to include Scripps Institution of Oceanography (SIO) and Woods Hole Oceanographic Institution (WHOI). The Monterey Bay Aquarium Research Institute (MBARI) will maintain the biogeochemical data processing center for both programs.

SOCCOM and GO-BGC staff first used Trusted CI's "Securing Commodity IT in Scientific CI Projects" spreadsheet to evaluate four of their participating institutions: MBARI, UW, SIO, and WHOI. SOCCOM and GO-BGC staff next completed Trusted CI's "Information Security Program Evaluation" questionnaire. This document was used to capture the current state of each participant’s information security program as well as to find potential security policy gaps. The output from these two documents will be used by SOCCOM and GO-BGC to better secure their project. In addition to the CyberCheckup, Trusted CI staff walked project members through the use of Trusted CI’s guide to developing cybersecurity programs and the upcoming Trusted CI framework for putting together a comprehensive cybersecurity program.

The SOCCOM data system includes servers at UW, which handle float communications through the Iridium system, data processing for the physical variables (temperature, salinity, and pressure), and transmission of the physical data to the Argo Data Assembly Center in Miami, which is maintained by NOAA. The UW system also links to the network at MBARI, where all of the biogeochemical data is processed and then transmitted to the Argo Data Assembly Center, where it is merged with the physical data. The GO-BGC data system (including float communications, raw data acquisitions, data processing and quality control, and data dissemination and archiving) is more complicated, with networks at UW, WHOI, and SIO communicating with floats and distributing data to MBARI for processing. SOCCOM and GO-BGC performed a Trusted CI CyberCheckup to look at their needs for a comprehensive cybersecurity program. The CyberCheckup is an engagee-driven self-evaluation of a project’s cybersecurity readiness. Trusted CI staff provided templates to be used for the CyberCheckup as well as assistance in reviewing the templates.

The multi-institutional SOCCOM and GO-BGC projects create a cybersecurity challenge because of the mix of institutional assets, policies, and infrastructure. To accommodate the multi-institutional nature of the project, a two-tiered approach to cybersecurity will be implemented, which incorporates the practices outlined in the Trusted CI review. A project-level CyberSecurity Team will encompass representatives of each institution. This team will be led by a CyberSecurity Coordinator from the science staff.

Each of the institutional members directly involved in the flow of project data will then implement a local team. These local teams will include a cybersecurity professional from the information systems group at each location, a SOCCOM or GO-BGC science team representative, and a member from the SOCCOM or GO-BGC technical staff at the location. The diverse membership of the local teams has the objective of ensuring professional cybersecurity capabilities, a vision of the scientific requirements for data availability and protection, and a code-level view of the project infrastructure. The local CyberSecurity Teams are responsible for developing a cybersecurity plan that is adapted to their local infrastructure and policies.

The Project CyberSecurity Team coordinates communications between the local teams and ensures that a system-wide review of security and vulnerabilities is conducted.  They ensure that the project-wide data system is functional, meets the broader community needs, and is capable of rapid recovery from a cyber attack. The Project CyberSecurity Team will conduct periodic reviews and tests (“fire drills”) of the local plans.  

As noted by Ken Johnson, the GO-BGC PI at MBARI, “The Trusted CI CyberCheckUp has been a really important mechanism for us to review a critical path that often gets overlooked.  Our program will be a lot stronger as a result of the review.”