Friday, January 22, 2021

Trusted CI and SCiMMA Complete Engagement

The Scalable Cyberinfrastructure for Multi-Messenger Astrophysics (SCiMMA) project is a planned collaboration between data scientists, computer scientists, astronomers, astro-particle physicists, and gravitational wave physicists (https://scimma.org). Leveraging NSF investments in astronomical and multi-messenger facilities, and in advanced cyberinfrastructure (CI), SCiMMA intends to prototype a publish-subscribe system based on KAFKA to distribute alerts from gravitational wave, neutrino and electromagnetic observatories to authorized subscribers The system will additionally rely on supporting infrastructure, including: machine learning algorithms to analyze and classify alerts; and event databases for richer data mining. The pub/sub prototype will be hosted on cloud resources, including a commercial cloud (e.g., AWS). Upon award completion, SCiMMA will request funding for a sustained distributed institute that will expand the scope and depth of the prototyped system.

To this end, a group from SCiMMA solicited information security guidance from Trusted CI on and-or with various components of their prototype CI. For example, they sought help in developing an IT security program, identifying appropriate security control sets/catalogs, and performing a risk assessment with a corresponding residual risk registry.

Trusted CI and the SCiMMA team refined and prioritized SCiMMA’s needs to the following goals: (i) performing a security review of SCiMMA’s CI using the Trusted CI Security Program Evaluation worksheet (https://trustedci.org/evalws) in order to assess the target level of cybersecurity needed; (ii) developing a nascent security program with the information documented in step 1. and leveraging the master information security policies and procedures document (https://www.trustedci.org/guide); and (iii) documenting assets to be used by the security program in step 2.

The SCiMMA team completed the Trusted CI Security Program Evaluation spreadsheet, finding the exercise highly valuable as it encouraged the team to discuss the cybersecurity concerns broached in the evaluation. From there, the SCiMMA team deemed that having data to present to stakeholders that captured the CI risk -- conveying the need for security resources -- was of high priority to the team. So the engagement decided to tackle the task of documenting assets in order to produce an asset-based risk assessment spreadsheet. The task, however, was not without challenge; SCiMMA had a large number of assets, and its CI was still in flux. Thus, the team focused on documenting only critical assets, e.g., admin credentials, source code, DLP backups, etc.

In parallel to this, the SCiMMA team, after attending ‘The Trusted CI Framework’ workshop at the NSF Cybersecurity Summit (https://www.trustedci.org/2020-nsf-summit), sought to adopt many of the ideas promoted during that workshop, including leveraging the ‘CIS Controls v7.1 Tracking Tool’ (the tool was released by the presenters during the workshop and will be part of the Trusted CI Framework upon release in early 2021). Thus, in conjunction with working on the asset inventory, quality effort was also spent in understanding what controls comprised (at least) ‘Implementation Group 1’ from their base-line control set and-or catalog (i.e., the CIS Critical Security Controls - Version 7.1: https://www.sans.org/critical-security-controls), and how they would be applied to SCiMMA’s CI.

The SCiMMA team’s desire to both identify a control set for their CI and then strive to understand the residual risk that would still be present after implementing the controls displays their grasp of key cybersecurity essentials. Similarly, their understanding of the need for a cybersecurity budget and dedicated personnel -- also key components of a sound security program -- bodes well for the project.

The engagement ran from July 1, 2020 to December 31, 2020, and was recorded in the document “SCiMMA / Trusted CI Engagement Final Report” (https://hdl.handle.net/2142/109187).