Friday, January 7, 2022

Cyberinfrastructure Vulnerabilities 2021 Annual Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is freely available by subscribing to Trusted CI's mailing list (see below).

We monitor a number of sources for vulnerabilities, then determine which ones are of critical interest to the CI community. While there are many cybersecurity issues reported in the news, we strive to alert on issues that affect the CI community in particular. These issues are identified using the following criteria:

  • the affected technology's or software's pervasiveness in the CI community
  • the technology's or software's importance to the CI community
  • the type and severity of a potential threat, e.g., remote code execution
  • the threat's ability to be triggered remotely
  • the threat's ability to affect critical core functions
  • the availability of mitigations

For issues that warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE, Open Science Grid (OSG), the NSF supercomputing centers, and the ResearchSOC on drafting and distributing alerts to minimize duplication of effort and maximize benefit from community expertise. Sources we monitor for possible threats to CI include the following:

In 2021 the Cyberinfrastructure Vulnerabilities team discussed 40 vulnerabilities and issued 26 alerts to 183 subscribers.

You can subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list at https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and its archives are available at https://list.iu.edu/sympa/arc/cv-announce-l.

If you have information on a cyberinfrastructure vulnerability, let us know by sending email to alerts@trustedci.org.