Tuesday, February 22, 2022

Trusted CI Announces The 2022 Fellows

Trusted CI, the NSF Cybersecurity Center of Excellence, is excited to announce the Trusted CI Open Science Cybersecurity Fellows. Eight individuals with professional interests in cybersecurity have been selected from a nationally competitive pool. During the year of their Fellowship, they will receive recognition and cybersecurity professional development including training and travel funding to cybersecurity-related events.

The 2022 Trusted CI Open Science Cybersecurity Fellows are:

Brian Roland
Data Management Specialist at Northwestern University

Brian Roland provides Data Management support and consultation for researchers at Northwestern University. He supports researchers across a broad spectrum of research disciplines with data workflow design and leveraging the appropriate data storage and data transfer solutions to meet their research goals and both federal and institutional compliance needs. In addition to providing data workflow support, Brian enjoys working with his colleagues on building out institutional lines of service that help optimize the data flows involved with researchers' analysis and data management plans.

Monday, February 14, 2022

Trusted CI Webinar: The Results of the Trusted CI Annual Challenge on Software, Mon Feb. 28 @ 1pm Eastern

Members of Trusted CI are presenting the Results of the Trusted CI Annual Challenge on Software, on Monday February 28th at 1pm (Eastern). Note the time is later than previous webinars.

Please register here.

This webinar presents the results of Trusted CI's 2021 examination of the state of software assurance in scientific computing, and also gives an overview of the contents of its recently released Guide to Securing Scientific Software (GS3), aimed at helping developers of software used in scientific computing improve the security of that software.

See our blog post announcing the report:
https://blog.trustedci.org/2021/12/publication-of-trusted-ci-guide-to.html

Speaker Bios

Dr. Elisa Heymann Pignolo is a Senior Scientist on the NSF Cybersecurity Center of Excellence at the University of Wisconsin, and an Associate Professor at the Autonomous University of Barcelona. She was in charge of the Grid/Cloud security group at the UAB, and participated in two major European Grid projects: EGI-InSPIRE and the European Middleware Initiative (EMI). Heymann's research interests include security and resource management for Grid and Cloud environments. Her research is supported by the NSF, the Spanish government, the European Commission, and NATO.

Prof. Barton Miller is the Vilas Distinguished Achievement Professor and Amar & Belinder Sohi Professor in computer science at the University of Wisconsin-Madison. Prof. Miller founded the field of fuzz random testing, which is foundational to computer security and software testing. In addition, he founded (with his then-student Prof. Jeffrey Hollingsworth) the field of dynamic binary instrumentation, which is a widely used, critical technology for cyberforensics. Prof. Miller advises the Department of Defense on computer security issues through his position at the Institute for Defense Analysis and was on the Los Alamos National Laboratory Computing, Communications and Networking Division Review Committee and the US Secret Service Electronic Crimes Task Force (Chicago Area). He is currently an advisor to the Wisconsin Security Research Council. Prof. Miller is a fellow of the ACM.

Dr. Sean Peisert leads applied research and development in computer security at the Berkeley Lab and UC Davis. He is also chief cybersecurity strategist for CENIC; co-lead of Trusted CI, the NSF Cybersecurity Center of Excellence; editor-in-chief of IEEE Security & Privacy; a member of the Distinguished Expert Review Panel for the NSA Annual Best Scientific Cybersecurity Paper Competition; a member of the DARPA Information Science and Technology (ISAT) Study Group; an ACSA Senior Fellow; past chair of the IEEE Technical Committee on Security & Privacy; and a steering committee member and past general chair of the IEEE Symposium on Security and Privacy ("Oakland").

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, February 2, 2022

NSF publishes new Research Infrastructure Guide, bolsters alignment to Trusted CI Framework

In December, NSF published its newly renamed Research Infrastructure Guide (RIG) (f.k.a. Major Facilities Guide). [1] During the public comment period, Trusted CI suggested updates, particularly considering our March 2021 publication of the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators (FIG).

Alignment to the Trusted CI Framework

We are very pleased to see that NSF made many changes to the Research Infrastructure Guide, bringing it even more closely in line with the Trusted CI Framework, and pointing research infrastructure to the FIG as a resource.

Those changes are captured in the cybersecurity section (6.3), as well as in the Competency Requirements for Major Facility Management (4.6.6.3), where knowledge of the Framework's Four Pillars (Mission Alignment, Governance, Resources, and Controls) is an information technology competency.

Operational Technology Clarification

Moreover, we applaud NSF's clarification that operational technology [2] falls within the RIG's definition of and scope for cybersecurity. Trusted CI advocated for this clarification. [3]

Background

Beginning in 2014, Trusted CI partnered with the NSF Large Facilities Office in providing draft material for what became the first cybersecurity section for the then-titled Large Facilities Manual. Our work drew broadly from our cybersecurity experience and expertise, and specifically from our collaborations with the Major Facilities themselves. Since that original section's publication, we have used the public comment process to suggest refinements.

Endnotes

[1] The name change reflects the fact that the document applies to mid-scale projects as well as Major Facilities. (See p. i.)

[2] Operational technology (OT) / cyber-physical systems (CPS) is the focus of Trusted CI's 2022 annual challenge. Read more here.

[3] We submitted the following rationale to NSF:

"While the MFG references controls for ICS and SCADA systems in Section 6.3.5.3, a clarification of the scope of 'information systems' is warranted. Our work with Large/Major Facilities since 2013 suggests that some community stakeholders believe cybersecurity and related responsibilities are scoped only to traditional IT, and do not include OT.

"If reflected in the scoping and resourcing of their cybersecurity programs, this misunderstanding and exclusion of OT cybersecurity considerations poses a serious risk to facility research missions. These missions frequently rely heavily on operational technology. The availability, functionality, and efficacy of scientific instruments (e.g., telescopes) frequently depend on both operational technologies and traditional information technologies. These technologies are increasingly architected as interconnected systems of systems composed of both traditional IT and OT. Cyberthreats to these operational technologies are real [FN1] and attacks that impact them can be executed both directly and through connected traditional IT systems. The gravity and impact of cyberthreats to OT is recognized at the federal level and action to address these threats is called out explicitly as a priority. [FN2, FN3, FN4]

"This addition also will help clarify that NSF's guidance is aligned with the federal definition of cybersecurity. [FN5]"

[FN1] See https://www.dragos.com/resource/dragos-releases-annual-industrial-control-systems-cybersecurity-2020-year-in-review-report/.

[FN2] See, e.g., National Security Agency Cybersecurity Report: NSA/CSS Technical Cyber Threat Framework v2, p. 2. Available at https://media.defense.gov/2019/Jul/16/2002158108/-1/-1/0/CTR_NSA-CSS-TECHNICAL-CYBER-THREAT-FRAMEWORK_V2.PDF.

[FN3] See also NSA and CISA, "Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems," Alert AA20-205A, original release date July 23, 2020. Available at https://us-cert.cisa.gov/ncas/alerts/aa20-205a.

[FN4] See also NSA press release, "Protect Operational Technologies and Control Systems against Cyber Attacks." Available at https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2285423/protect-operational-technologies-and-control-systems-against-cyber-attacks/.

[FN5] See https://fas.org/irp/offdocs/nspd/nspd-54.pdf.