Friday, January 28, 2022

NOIRLab Engagement Focuses on Framework Adoption, Assessment, and Strategic Planning

Over the course of 2021, Trusted CI and NOIRLab (NSF Major Facility) collaborated on an engagement to assist NOIRLab in formally adopting and aligning to the Trusted CI Framework. NOIRLab is the preeminent US national center for ground-based, nighttime optical and infrared astronomy. 

In the first half of 2021, Trusted CI conducted an assessment of NOIRLab’s cybersecurity program using the Trusted CI Framework. The assessment culminated in the delivery of an Assessment Report [1] describing NOIRLab’s cybersecurity program and recommendations to improve. The report also included an “implementation rating” for each of the 16 Trusted CI Framework Musts. 

In the second half of 2021, NOIRLab and Trusted CI continued the engagement with a series of monthly workshops designed to aid NOIRLab in implementing the highest priority recommendations from the Assessment Report. These workshops allowed Trusted CI to continue to provide input and guidance while NOIRLab tackled the most pressing changes needed to its cybersecurity program.  

Engagement Outcomes

  • NOIRLab is among the first Major Facilities to formally adopt the Trusted CI Framework. NOIRLab’s adoption is formalized in policy.
  • NOIRLab received an Assessment Report detailing Strengths and Opportunities, Challenges and Barriers, and discrete recommendations to improve their cybersecurity program.
  • NOIRLab developed an updated Master Information Security Policy and Procedures document, aligning with Trusted CI’s updated template.
  • NOIRLab adopted and began using the CIS Controls as its baseline control set.
  • NOIRLab developed a Cybersecurity Program Strategic Plan (CPSP). The CPSP described NOIRLab’s mission, how NOIRLab’s cybersecurity program supports its mission, a cybersecurity strategy, and a timeline detailing the strategic outcomes the cybersecurity program will plan to achieve over the next three years. 
  • NOIRLab’s strategic planning efforts dramatically helped Trusted CI refine its cybersecurity strategic planning approach and will lead to updates to the CPSP template.
  • The success of the monthly workshops led to the development of a new Trusted CI “cohort” engagement approach to support scaling Framework adoption and implementation.

John Maclean, the Director of Center Operations Services for NOIRLab, said the following of the engagement:

“Trusted CI has given us a Framework, appropriate to our environment, with which to build our cybersecurity program. It allows us to do this in a manner that balances scientific productivity against organizational risk in a cost effective manner.”

Chris Morrison, the engagement lead for NOIRLab, said the following of the engagement:

“As we continue to merge technologies and processes throughout our constituent programs, the Framework assessment helped us focus our cybersecurity effort and think strategically. The programmatic focus on the initiatives is helping us make cybersecurity visible and understandable across the organization. The follow-on activities will unquestionably support this systematic deployment and facilitate communication and decision-making with NOIRLab’s senior leadership. We are incredibly pleased with the process and outcome of the engagement with Trusted CI, and we now have a clear and prioritized path forward.”


[1] This assessment was based on the PACT cybersecurity assessment methodology. PACT was developed by the Center for Applied Cybersecurity Research in collaboration with the US Navy. For more information about PACT, see https://cacr.iu.edu/pact/index.html. 


Wednesday, January 26, 2022

Trusted CI Launches “Operation Framework Cohort” to Accelerate Framework Adoption Across NSF

During the first half of 2022, Trusted CI is engaging with NSF Major Facilities by supporting a newly-established cohort that has committed to adopting and implementing [1] the Trusted CI Framework. Members of the cohort will work closely with Trusted CI staff through a series of workshops enabling Framework adoption. The outcome at the end of the engagement period will be for each cohort member to have adopted the Trusted CI Framework and to emerge possessing a validated assessment of their cybersecurity program along with a strategic plan detailing their path to fully implement each Framework Must. 

The cohort pilot officially begins in January 2022 and will include the following NSF Major Facilities:

The Trusted CI Framework is a resource to help organizations establish and refine their cybersecurity programs. It is the product of Trusted CI’s many years of accumulated experience conducting cybersecurity research, training, assessments, consultations, and collaborating closely with the research community. In March 2021 Trusted CI published the Trusted CI Framework Implementation Guide (FIG) for Research Cyberinfrastructure Operators as the standard for cybersecurity programs among NSF funded organizations. Publishing the FIG represented a major step forward in advancing Trusted CI’s mission to enable trustworthy science through cybersecurity guidance, templates, and tools, empowering those projects to focus on their science endeavors.

Now that the FIG has been published, Trusted CI’s aim is to help facilitate Framework adoption and implementation across the broader NSF community. To fully realize the cybersecurity benefits provided by Framework implementation, community adoption must be facilitated at a much faster pace than is possible through the traditional one-on-one engagements undertaken by Trusted CI. To address this challenge, Trusted CI launched the “cohort” approach, where representatives from multiple NSF Major Facilities will participate in a group engagement with Trusted CI focused on adoption and implementation of the Framework. 

Trusted CI anticipates the cohort project will span from CY2021 to CY2024 to reach the 25-30 NSF Major Facilities and other NSF research programs targeted for this effort. Trusted CI leadership will discuss the timing and plans for future cohorts in early spring based on the progress and success of this pilot. As Trusted CI gains experience from this initial Framework Cohort, we will keep the community informed of upcoming plans and opportunities for additional facilitated Framework adoption. 


[1]  “Adoption” refers to an organizational commitment to use the Framework as the foundation for its cybersecurity program, and to make the Musts a strategic priority. Adoption is designed to be a low bar, and does not require any implementation. “Implementation” refers to bringing all Musts to (at least) a minimum level of competence. This is a longer term goal.


Wednesday, January 12, 2022

Trusted CI Webinar: Populating the HECVAT as an Academic Research Provider, January 24th @11am EST

Indiana University's Charles Escue and Ohio Supercomputer Center's Kyle Earley are presenting the talk, Populating the HECVAT as an Academic Research Provider - Representing Your Security Posture For Your Higher-Ed Information Security Partners, on Monday January 24th at 11am (Eastern).

Please register here.

To read more about our engagement with OSC and Trusted CI's contribution to the HECVAT, see our recent blog post.

At one time, higher-ed was the requestor of HECVATs; now we are being called to populate them for our peers. The Higher Education Community Vendor Assessment Toolkit (HECVAT) has become the de facto standard for vendor risk and security assessment in higher education, and the number of universities around the globe using the HECVAT in their assessment process is well into the hundreds. As researchers, and those in the academic mission, consume services of academic research providers (e.g., the Ohio Supercomputer Center, OSC), and thus share institutional data, their security offices are increasingly conducting security and risk assessments of these providers to ensure they are meeting the risk tolerance of their institution.

Taking a proactive approach to mitigate unnecessary burden in this space, Trusted CI led an engagement to provide response guidance for these academic research service providers on how to properly represent the security state(s) of their environment. Join Kyle Earley, High Performance Computing Security Engineer from the Ohio Supercomputer Center, and Charlie Escue, Information Security Manager at Indiana University and co-chair of EDUCAUSE's HECVAT Users Community Group, as they discuss this collaboration and the tangible guidance that was produced during the engagement.

Speaker Bios

Charles Escue manages Indiana University's Extended Information Security (EIS) team, a pioneering effort focused on improving university incident remediation capabilities and the handling of imminent threats, beyond the scope of our traditional security office. With over fourteen years of information technology (IT) experience at Indiana University, Charles proudly leads and contributes his expertise as co-chair of EDUCAUSE's HECVAT Users Community Group.

Kyle Earley serves as the High Performance Computing Security Engineer for the Ohio Supercomputer Center (OSC). He is the single security resource for the center covering everything from day-to-day security operations to specific engagements and audits. Kyle graduated with a bachelor's degree in Management of Information Systems Enterprise Security from Georgia Southern University. Prior to his time at OSC, he worked for Accenture on a wide array of projects from Department of Defense (DoD) contracts to Fortune 500 clients, last serving as a Senior Security Analyst in the consulting track.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, January 11, 2022

Trusted CI engagement with OSC contributes to HECVAT 3.0

The EDUCAUSE Higher Education Information Security Council (HEISC) launched the latest version of the Higher Education Community Vendor Assessment Toolkit (HECVAT and HECVAT Lite v3). The new version has gone through a substantial overhaul to ensure the questions reflect the modern cloud research environment. More information about the new and improved HECVAT can be found on EDUCAUSE’s website.

The HECVAT is designed specifically for colleges and universities to measure vendor risk. It is presented as a questionnaire that focuses on the unique needs of a college or university. It can also be used by solution providers to demonstrate their organization’s adherence to the security expectations outlined by the HEISC. Providers are encouraged to fill out the HECVAT and share it in the Community Broker Index.

During the development of v3 of the HECVAT and HECVAT Lite, the HEISC Shared Assessments Working Group reached out to representatives of the higher ed community with expertise in industry standards (e.g., CIS Security Controls, HIPAA, ISO 27002:2013, various NIST frameworks, and the Trusted CI Framework) to conduct a “crosswalk.” Trusted CI contributed to the crosswalk by mapping the HECVAT questions to one or more of the 16 Musts in the Trusted CI Framework. Trusted CI has also published guidance on applying the HECVAT for NSF research projects. 

Our collaboration with EDUCAUSE on the HECVAT v3 was prompted by Trusted CI’s recent engagement with Ohio Supercomputer Center. We are very proud to have contributed to this important project. During our Fall 2021 engagement, OSC successfully completed the HECVAT-Lite Version 3 questionnaire on request by a research project at another university that planned to use OSC’s HPC services. OSC's HECVAT can be accessed through the Community Broker Index.

Trusted CI will be presenting a webinar on the new version of the HECVAT on Monday January 24th at 11am Eastern. Registration information is available at trustedci.org/webinars.

Trusted CI Webinar Series: Planning for 2022, review of 2021

The 2021 season of the Trusted CI Webinar series has concluded and we are looking forward to the presentations scheduled in 2022.

In 2022 we will be featuring webinars that reflect Trusted CI's commitment to providing additional support, consultation and guidance to NSF Major Facilities.

The following topics have been booked early in 2022:

  • January 24th, The EDUCAUSE Higher Education Community Vendor Assessment Toolkit (HECVAT) and our engagement with Ohio Supercomputer Center
  • February 28th, Software Assurance: Findings of the 2021 Trusted CI Annual Challenge

In case you missed them, here are the webinars from 2021:

  • January ’21: SciTokens with Jim Basney, Brian Bockelman, and Derek Weitzel (Video)(Slides)
  • February ’21: The CARE Lab: Application, Research, and Education with Aunshul Rege (Video)(Slides)
  • March ’21: REED+ ecosystem with Carolyn Ellis, Jay Yang, and Preston Smith  (Video)(Slides)
  • April ’21: Arizona State’s ScienceDMZ with Douglas Jennewein and Chris Kurtz (Video)(Slides)
  • May ’21: Identifying Vulnerable GitHub Repositories with Sagar Samtani (Video)(Slides)
  • June ’21: Investigating Secure Development In Practice: A Human-Centered Perspective with Michelle Mazurek (Video)(Slides)
  • July ’21: Open Science Grid with Brian Bockelman (Video)(Slides)
  • August ‘21: NCSA Experience with SOC2 in the Research Computing Space with Alex Withers (Video)(Slides)
  • September ‘21: Q-Factor: Real-time data transfer optimization leveraging In-band Network provided by P4 data planes (Video)(Slides)
  • October ‘21: The Trusted CI Framework; Overview and Recent Developments with Scott Russell (Video)(Slides)
  • December ‘21: Lessons from a Real-World Ransomware Attack on Research (Video)(Slides)

Join Trusted CI's announcements mailing list for information about upcoming events. Our complete catalog of webinars and other presentations is available on our YouTube channel.



Monday, January 10, 2022

Trusted CI Tackling Major Facilities' Cybersecurity and Ransomware in 2022

Last year brought great progress and success for Trusted CI, including the March release of the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators. At the same time, we observed an increase in the risk of ransomware to the research community.

As we enter 2022, we are looking forward to building on Trusted CI’s progress and momentum to address the increasing threats to the NSF research community. We are kicking off the year with new initiatives which will provide additional support, consultation and guidance to NSF Major Facilities. Announced during the 2021 Summit, we are piloting a Framework cohort, which will accelerate Major Facility adoption of the Framework via a group engagement approach. The cohort kicks off this month with the first in the workshop series and the following facilities participating:

In addition to the Framework cohort, we are establishing the Trusted CI Major Facilities Ambassadors program. This program seeks to provide direct support to NSF Major Facilities by helping them to establish, evaluate, implement and evolve their cybersecurity programs using the Framework. Each Major Facility will have an assigned Ambassador whose role it is to develop an understanding of the facility’s activities, cybersecurity program, and unique challenges to enable them to provide tailored support and guidance.

As our 2021 engagement with Michigan State University showed, the effects of ransomware continue to impact the research community. Trusted CI is taking action to help prepare the NSF community for the threat. We are leveraging our expertise, relationships, and program activities to identify, document, and educate the NSF community about best practices for mitigating ransomware threats. We will add a page to the Trusted CI website with easy access to those best practices and resources as well as any related presentations, reports, etc.

We look forward to another successful year and welcome community member input on our priorities for 2022. If you have any questions or feedback you’d like to share, please email info@trustedci.org.

Friday, January 7, 2022

Cyberinfrastructure Vulnerabilities 2021 Annual Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is freely available by subscribing to Trusted CI's mailing list (see below).

We monitor a number of sources for vulnerabilities, then determine which ones are of critical interest to the CI community. While there are many cybersecurity issues reported in the news, we strive to alert on issues that affect the CI community in particular. These issues are identified using the following criteria:

  • the affected technology's or software's pervasiveness in the CI community
  • the technology's or software's importance to the CI community
  • the type and severity of a potential threat, e.g., remote code execution
  • the threat's ability to be triggered remotely
  • the threat's ability to affect critical core functions
  • the availability of mitigations

For issues that warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE, Open Science Grid (OSG), the NSF supercomputing centers, and the ResearchSOC on drafting and distributing alerts to minimize duplication of effort and maximize benefit from community expertise. Sources we monitor for possible threats to CI include the following:

In 2021 the Cyberinfrastructure Vulnerabilities team discussed 40 vulnerabilities and issued 26 alerts to 183 subscribers.

You can subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list at https://list.iu.edu/sympa/subscribe/cv-announce-l . This mailing list is public and its archives are available at https://list.iu.edu/sympa/arc/cv-announce-l .

If you have information on a cyberinfrastructure vulnerability, let us know by sending email to alerts@trustedci.org .


Trusted CI, EPOC and University of Arkansas create security resources for Science DMZs

In the second half of 2021, Trusted CI partnered with EPOC at Indiana University to participate in an engagement with the University of Arkansas as they worked on the NSF-funded project "Data Analytics that are Robust and Trusted" (DART). DART, funded by NSF grant #OIA-1946391, aims to build an Arkansas-wide Science DMZ capability for use by participating institutions of higher education across Arkansas. A Science DMZ is a network architecture for friction-free science data transfers that allows very high throughput. Most Science DMZs are modeled around two end points that need to transfer data between each other. The goal of the DART project is to build a statewide network that lets any participating Arkansas institution transfer data to any other. The DART project applied for an engagement with Trusted CI to seek guidance on securing their multi-tenant Science DMZ infrastructure, and also to improve the state of security documentation for Science DMZs in general.

One of the challenges with Science DMZs is that CISOs and executive leadership at institutions have been resistant to the idea due to the myth that a Science DMZ has no security controls because it is placed outside the traditional firewall perimeter. To address these concerns, the team wrote a white paper on the security of Science DMZs. The first half introduces the concept of a Science DMZ, explains the need for it, and gives a high-level overview of the alternative security controls used; the audience for this section is CISOs at universities. The second half goes into more specific implementation details, summarizing and referencing many of the recommendations made by various resources in the community and adding a few further recommendations from Trusted CI. This document is now published at https://scholarworks.iu.edu/dspace/handle/2022/27007.

During the first half of the engagement, Trusted CI and EPOC worked to determine the scope of what could be called the Science DMZ, with a lot of discussion in engagement meetings about what should and should not be on a Science DMZ. There is a natural temptation to place more hosts in the Science DMZ than are necessary, and this must be resisted; instead, use the data transfer nodes (DTNs) as the focal points of the Science DMZ.

Beyond the end of the engagement, Trusted CI, in partnership with staff from the DART project, plans to leverage this whitepaper to develop additional presentation materials to help other institutions promote and implement Science DMZs. This effort will start in the first half of 2022.

Wednesday, January 5, 2022

Announcing the 2022 Trusted CI Annual Challenge on Scientific OT/CPS Security

The Trusted CI Annual Challenge is a year-long project focusing on a cybersecurity topic of importance for scientific computing environments. In its first year, the Trusted CI Annual Challenge focused on improving trustworthy data for open science. In its second year, the Annual Challenge focused on software assurance in scientific computing. Now in its third year, the Annual Challenge is focusing on the security of “operational technology” or “cyber-physical systems” in science.

Operational technology (OT) or cyber-physical systems (CPS) are networked systems connected to computing systems on one side and to either controls or sensors of physical systems on the other side. Networked sensors and control systems are increasingly important in the context of science, as they are critical in operating scientific instruments like telescopes, biological and chemical reactors, and even vehicles used in scientific discovery. Given their increasing importance in the process of scientific discovery, disruption of networked instruments can therefore increasingly have negative consequences for the scientific mission. And, like OT/CPS everywhere, including commercial, off-the-shelf (COTS) OT/IoT, any control system can by definition also have physical consequences in the real world, including equipment damage and loss of life. Indeed, NSF's recent update to the Research Infrastructure Guide (formerly known as the Major Facilities Guide) further clarified that OT is within the scope of information assets to be protected by the facilities' cybersecurity programs (see Sections 6.3.3.2 and 6.3.6.1).

Trusted CI has a long history in addressing the security of operational technology through its engagements with facilities that operate such equipment. The 2022 Annual Challenge seeks to gain both broader and deeper insights into the security of these important and specialized systems. To accomplish this, in the first half of the year, we plan to have conversations with personnel involved with IT security and OT operations at a variety of NSF Major Research Facilities. In the second half of the year, we will leverage this insight to develop a multi-year roadmap of solutions to advance the security of scientific operational technology. This guidance will offer security recommendations in a way most relevant to NSF facilities, rather than existing guides that have different foci and audiences with different priorities and resources.

This year’s Annual Challenge is supported by a stellar team of Trusted CI staff, including Emily K. Adams (Indiana University), Ryan Kiser (Indiana University), Drew Paine (Berkeley Lab), Susan Sons (Indiana University), John Zage (University of Illinois, Urbana-Champaign), and Sean Peisert (Berkeley Lab; 2022 Annual Challenge Project Lead).


Tuesday, January 4, 2022

2021 NSF Cybersecurity Summit Report is now available

The 2021 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure continued a nine-year tradition of providing a forum for NSF scientists, researchers, and cybersecurity professionals to develop community and share best practices. Trusted CI, NSF’s Cybersecurity Center of Excellence, hosted the Summit and looks forward to the 10th anniversary of hosting the Summit in 2022. 

Due to the ongoing COVID-19 pandemic, Trusted CI hosted the Summit virtually for the second year in a row. The 2021 Summit was held online Oct. 12-13, 15, 18-19. On Oct. 14, NSF held a Large Facilities Workshop in coordination with Trusted CI.

Collaboration, communicating with leadership about technology, mitigating against cyberattacks, identity management, building the cybersecurity workforce, and compliance were among important themes at the Summit.

The number of individuals who registered for the 2021 Summit increased to 329, including 15 students, 101 NSF-supported projects, and 19 of 20 NSF Large Facilities.

By removing the budget constraints of travel and hotel costs, this year’s online Summit enabled increased international participation, with representation from 11 countries, up from the previous high of eight in 2020.


The Trusted CI team looks forward to an in-person 2022 Summit, along with a virtual attendance option, so we can continue to advance the mission of the NSF science community.


Click here to see the 2021 Summit report.