Wednesday, January 24, 2024

2023 Summit Report Available, Save the Date for 2024 Summit

The report of the 2023 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure is now available on Zenodo for your review.

Mark your calendar for the 2024 NSF Cybersecurity Summit, which will be held for four full days from October 7-10, 2024, at Carnegie Mellon University in Pittsburgh, PA.

Like last year, Trusted CI is inviting other groups to schedule full-day training on Monday, October 7, that may interest our community. Tuesday through Thursday will include a mix of plenary and shorter training sessions and workshops. If your organization is interested in providing a full-day training session on October 7, please contact the Summit organizers at summit@trustedci.org and include "full-day training" in the subject line.

To stay updated and receive more information about the Summit, please check our website (2024 NSF Cybersecurity Summit), follow the Trusted CI blog, or subscribe to our announcement email.

If you have any questions, please don't hesitate to contact us at summit@trustedci.org.

Thank you, and we look forward to seeing you at the Summit!


Thursday, January 4, 2024

Cyberinfrastructure Vulnerabilities 2023 Annual Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is freely available by subscribing to Trusted CI's mailing list (see below).

We monitor a number of sources for vulnerabilities, then determine which ones are of critical interest to the CI community. While there are many cybersecurity issues reported in the news, we strive to alert on issues that affect the CI community in particular. These issues are identified using the following criteria:

  • the affected technology's or software's pervasiveness in the CI community
  • the technology's or software's importance to the CI community
  • the type and severity of a potential threat, e.g., remote code execution (RCE)
  • the threat's ability to be triggered remotely
  • the threat's ability to affect critical core functions
  • the availability of mitigations

For issues that warrant alerts to the Trusted CI mailing list, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with ACCESS, Open Science Grid (OSG), and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and maximize benefit from community expertise. Sources we monitor for possible threats to CI include the following:

In 2023 the Cyberinfrastructure Vulnerabilities team discussed 43 vulnerabilities and issued 26 alerts to 187 subscribers.

You can subscribe to Trusted CI's Cyberinfrastructure Vulnerability Alerts mailing list by sending email to cv-announce+subscribe@trustedci.org. This mailing list is public and its archives are available at https://groups.google.com/a/trustedci.org/g/cv-announce.

If you have information on a cyberinfrastructure vulnerability, let us know by sending email to alerts@trustedci.org.