
Tuesday, March 22, 2022

Trusted CI and OOI Complete Engagement

The Ocean Observatories Initiative (OOI, https://oceanobservatories.org/), funded by the NSF OCE Division of Ocean Sciences #1743430, is a science-driven ocean observing network that delivers real-time data from more than 800 instruments to address critical science questions regarding the world’s oceans. OOI data are freely available online to anyone with an Internet connection. 

The OOI provides an exponential increase in the scope and timescale of observations of the world’s oceans. Present and future educators, scientists, and researchers are able to draw conclusions about climatological and environmental processes based on these measurements, requiring the data to be accurate, with a flawless pedigree. As a result, the OOI has a requirement to protect its data from being altered by any external agent.


To this end, OOI-CI (OOI Cyberinfrastructure) solicited a consultation from Trusted CI to evaluate their current security program, along with guidance on reviewing and evaluating potential alternatives for an enhanced security posture. We refined and prioritized OOI’s needs to the following goals: (i) perform a security review of OOI’s cyberinfrastructure using the Trusted CI Security Program Evaluation worksheet, (ii) take steps toward adopting the Trusted CI Framework by developing a “master information security policies and procedures” document (MISPP), (iii) investigate and document missing policies and procedures, including questions and concerns raised by OOI, and unknowns discovered in above exercises, and (iv) provide guidance on creating an asset inventory, applying a control set, and creating and maintaining a risk registry.


The OOI team completed the Trusted CI Security Program Evaluation spreadsheet. This exercise started the OOI team thinking about and discussing the cybersecurity concerns raised in the evaluation, both in previously known topics and in unknown or undefined areas. The Trusted CI team created a list of prioritized recommendations aligned with the Framework Musts -- core concepts that every cybersecurity program should have -- that the OOI team can use in addressing or documenting gaps.


We introduced OOI to the Framework and Implementation Guide, and had discussions concerning the Musts, what they entail, and how they apply to and define a mature security program. The OOI team attended the 2021 NSF Cybersecurity Summit and specifically The Framework Workshop, where they were able to benefit from a deeper dive into the Framework and implementation guidance.


OOI displayed a solid grasp of the suggested security program solution, the Trusted CI Framework, and of what needs to be done to adopt it. Completely adopting the Framework was beyond the scope of this engagement; instead, OOI focused on (i) developing the top-level Master Information Security Policy & Procedures (MISPP) document, (ii) developing a Cybersecurity Strategic Plan, and (iii) developing supplemental security program policies, e.g., an Incident Response Plan, a Disaster Recovery Plan, and an Acceptable Use Policy.


In addition to creating top-level policy documents, Trusted CI stressed the importance of maintaining an up-to-date asset inventory and of selecting and applying a baseline control set. The OOI team began identifying their critical assets, selected CIS Controls v8 as their control set, and then aimed to apply the controls from Implementation Groups 1 and 2. Trusted CI staff also provided a list of ‘high priority’ controls to focus on first, chosen to give the best return for the time and resources spent implementing them.


We are pleased to announce that OOI is a participant in Trusted CI’s Framework Cohort taking place the first half of 2022 (1H2022). This will allow them to continue their work on creating and refining a mature security program while working with other NSF Major Facilities under the guidance and expertise of Trusted CI’s Framework team. 


The engagement ran from August 16, 2021 to December 31, 2021, and was recorded in the document “OOI / Trusted CI Engagement Final Report” (https://hdl.handle.net/2022/27253).


Wednesday, October 20, 2021

Trusted CI Begins Engagement with OOI


The Ocean Observatories Initiative (OOI), funded by the NSF OCE Division of Ocean Sciences #1743430, is a science-driven ocean observing network that delivers real-time data from more than 800 instruments to address critical science questions regarding the world’s oceans. OOI data are freely available online to anyone with an Internet connection. 

The OOI provides an exponential increase in the scope and timescale of observations of the world’s oceans. Present and future educators, scientists, and researchers will draw conclusions about climatological and environmental processes based on these measurements, which sets a requirement for the data to be accurate, with a flawless pedigree. As a result, the OOI has a requirement to protect its data from being altered by any external agent.

To this end, OOI-CI (OOI Cyberinfrastructure) is seeking consultation from Trusted CI to evaluate their current security program, along with guidance on reviewing and evaluating potential alternatives for an enhanced security posture. In a kick-off meeting, Trusted CI and OOI discussed OOI’s concerns, questions, and goals, including: penetration testing; system and software vulnerability scanning and remediation; gaps in current policies and procedures; developing periodic security tasks; and identifying ‘unknowns’. These topics were refined and prioritized based on OOI’s needs into a subset of tasks outlining the goals of the engagement, specifically:

  1. Perform a review of OOI’s cyberinfrastructure using the Trusted CI Security Program Evaluation worksheet in order to assess the current state and target level of their cybersecurity.
  2. Review the 2015 Engagement final report and recommendations (covering OOI @Rutgers University) with the goal to see if any recommendations made at that time are still applicable and warranted.
  3. Using information documented in step 1, take initial steps towards adopting the Trusted CI Framework by developing a ‘master information security policies and procedures’ document (MISPP).
  4. Discuss and document policies and procedures from the Framework that are missing, including questions and concerns raised by OOI, and also unknowns discovered in the above exercises.
  5. Provide guidance on creating an asset inventory, applying a control set, and creating and maintaining a risk registry.

Additionally, broader impacts from this engagement can be realized because the OOI-CI is connected to several locations around the country. Lessons learned and recommendations from the engagement will be implemented at the other sites, which consist of the Woods Hole Oceanographic Institution (WHOI) administration and the three MIOs (Marine Implementing Organizations) that provide data from Oregon State University, the University of Washington, and WHOI.

The engagement will run from September 2021 to December 2021.

Friday, January 22, 2021

Trusted CI and SCiMMA Complete Engagement

The Scalable Cyberinfrastructure for Multi-Messenger Astrophysics (SCiMMA) project is a planned collaboration between data scientists, computer scientists, astronomers, astro-particle physicists, and gravitational wave physicists (https://scimma.org). Leveraging NSF investments in astronomical and multi-messenger facilities, and in advanced cyberinfrastructure (CI), SCiMMA intends to prototype a publish-subscribe system based on Apache Kafka to distribute alerts from gravitational wave, neutrino and electromagnetic observatories to authorized subscribers. The system will additionally rely on supporting infrastructure, including machine learning algorithms to analyze and classify alerts, and event databases for richer data mining. The pub/sub prototype will be hosted on cloud resources, including a commercial cloud (e.g., AWS). Upon award completion, SCiMMA will request funding for a sustained distributed institute that will expand the scope and depth of the prototyped system.

To this end, a group from SCiMMA solicited information security guidance from Trusted CI on various components of their prototype CI. For example, they sought help in developing an IT security program, identifying appropriate security control sets/catalogs, and performing a risk assessment with a corresponding residual risk registry.

Trusted CI and the SCiMMA team refined and prioritized SCiMMA’s needs to the following goals: (i) performing a security review of SCiMMA’s CI using the Trusted CI Security Program Evaluation worksheet (https://trustedci.org/evalws) in order to assess the target level of cybersecurity needed; (ii) developing a nascent security program from the information documented in step 1, leveraging the master information security policies and procedures document (https://www.trustedci.org/guide); and (iii) documenting the assets to be covered by the security program in step 2.

The SCiMMA team completed the Trusted CI Security Program Evaluation spreadsheet and found the exercise highly valuable, as it encouraged the team to discuss the cybersecurity concerns broached in the evaluation. From there, the SCiMMA team deemed it a high priority to have data to present to stakeholders that captured the CI risk and conveyed the need for security resources. The engagement therefore took on the task of documenting assets in order to produce an asset-based risk assessment spreadsheet. The task was not without challenge: SCiMMA had a large number of assets, and its CI was still in flux. Thus, the team focused on documenting only critical assets, e.g., admin credentials, source code, DLP backups, etc.

In parallel to this, the SCiMMA team, after attending ‘The Trusted CI Framework’ workshop at the NSF Cybersecurity Summit (https://www.trustedci.org/2020-nsf-summit), sought to adopt many of the ideas promoted during that workshop, including leveraging the ‘CIS Controls v7.1 Tracking Tool’ (the tool was released by the presenters during the workshop and will be part of the Trusted CI Framework upon its release in early 2021). Thus, in conjunction with working on the asset inventory, considerable effort was also spent on understanding which controls comprise (at least) ‘Implementation Group 1’ of their baseline control set and/or catalog (i.e., the CIS Critical Security Controls, Version 7.1: https://www.sans.org/critical-security-controls), and how those controls would be applied to SCiMMA’s CI.

The SCiMMA team’s desire to both identify a control set for their CI and then strive to understand the residual risk that would still be present after implementing the controls displays their grasp of key cybersecurity essentials. Similarly, their understanding of the need for a cybersecurity budget and dedicated personnel -- also key components of a sound security program -- bodes well for the project.

The engagement ran from July 1, 2020 to December 31, 2020, and was recorded in the document “SCiMMA / Trusted CI Engagement Final Report” (https://hdl.handle.net/2142/109187).

Friday, December 18, 2020

Southern Ocean Carbon and Climate Observations and Modeling (SOCCOM) and Global Ocean Biogeochemistry Array (GO-BGC) Complete Trusted CI CyberCheckup

The Southern Ocean Carbon and Climate Observations and Modeling (SOCCOM) project is a $21 million NSF-funded project (OPP 1425989 and OPP 1936222) to instrument the Southern Ocean and make data publicly available. SOCCOM has deployed nearly 200 robotic profiling floats in the Southern Ocean (south of 30°S). These floats are part of the international Argo network and collect physical, chemical, and biological sensor data from the upper 2000 m of the water column every 10 days. The data are transmitted to shore via the Iridium satellite system. The data are then passed through a series of institutional servers, where the data are fully processed and quality controlled. The resulting science quality data and the raw observations are made available within 24 hours with no restrictions. The data set has been used in more than 100 publications to assess physical, chemical, and biological processes in the Southern Ocean.

The biogeochemical float array in the Southern Ocean is now expanding to the world ocean with a new NSF sponsored project, the Global Ocean Biogeochemistry (GO-BGC) Array (OCE 1946578). GO-BGC will deploy 500 robotic profiling floats throughout the ocean. GO-BGC is funded by a $52.9 million grant from the Mid-scale Research Infrastructure-2 program. Institutional float operators expand from the University of Washington (UW) in SOCCOM to include Scripps Institution of Oceanography (SIO) and Woods Hole Oceanographic Institution (WHOI). The Monterey Bay Aquarium Research Institute (MBARI) will maintain the biogeochemical data processing center for both programs.

SOCCOM and GO-BGC staff first used Trusted CI's "Securing Commodity IT in Scientific CI Projects" spreadsheet to evaluate four of their participating institutions, MBARI, UW, SIO, and WHOI. SOCCOM and GO-BGC staff next completed Trusted CI's "Information Security Program Evaluation" questionnaire. This document was used to capture the current state of each of the participant’s information security programs as well as find potential security policy gaps. The output from these two documents will be used by SOCCOM and GO-BGC to better secure their project. In addition to the CyberCheckup, Trusted CI staff walked project members through the use of Trusted CI’s guide to developing cybersecurity programs and the upcoming Trusted CI framework for putting together a comprehensive cybersecurity program.

The SOCCOM data system includes servers at UW, which handle float communications through the Iridium system, data processing for the physical variables (temperature, salinity, and pressure), and transmission of the physical data to the Argo Data Assembly Center in Miami, which is maintained by NOAA. The UW system also links to the network at MBARI, where all of the biogeochemical data is processed and then transmitted to the Argo Data Assembly Center, where it is merged with the physical data. The GO-BGC data system (including float communications, raw data acquisition, data processing and quality control, and data dissemination and archiving) is more complicated, with networks at UW, WHOI, and SIO communicating with floats and distributing data to MBARI for processing. SOCCOM and GO-BGC performed a Trusted CI CyberCheckup to look at their needs for a comprehensive cybersecurity program. The CyberCheckup is an engagee-driven self-evaluation of a project’s cybersecurity readiness. Trusted CI staff provided templates to be used for the CyberCheckup as well as assistance in reviewing the completed templates.

The multi-institutional SOCCOM and GO-BGC projects create a cybersecurity challenge because of the mix of institutional assets, policies, and infrastructure. To accommodate the multi-institutional nature of the project, a two-tiered approach to cybersecurity will be implemented, which incorporates the practices outlined in the Trusted CI review. A project level CyberSecurity Team will encompass representatives of each institution. This team will be led by a CyberSecurity Coordinator from the science staff.

Each of the institutional members directly involved in the flow of project data will then implement a local team. These local teams will include a cybersecurity professional from the information systems group at each location, a SOCCOM or GO-BGC science team representative, and a member from the SOCCOM or GO-BGC technical staff at the location. The diverse membership of the local teams has the objective of ensuring professional cybersecurity capabilities, a vision of the scientific requirements for data availability and protection, and a code-level view of the project infrastructure. The local CyberSecurity Teams are responsible for developing a cybersecurity plan that is adapted to their local infrastructure and policies.

The Project CyberSecurity Team coordinates communications between the local teams and ensures that a system-wide review of security and vulnerabilities is conducted. They ensure that the project-wide data system is functional, meets the broader community needs, and is capable of rapid recovery from a cyber attack. The Project CyberSecurity Team will conduct periodic reviews and tests (“fire drills”) of the local plans.

As noted by Ken Johnson, the GO-BGC PI at MBARI, “The Trusted CI CyberCheckUp has been a really important mechanism for us to review a critical path that often gets overlooked. Our program will be a lot stronger as a result of the review.”

Tuesday, September 15, 2020

Trusted CI Begins Engagement with SCiMMA

The Scalable Cyberinfrastructure Institute for Multi-Messenger Astrophysics (SCiMMA), funded under NSF grant #1934752, is a planned collaboration between data scientists, computer scientists, astronomers, astro-particle physicists, and gravitational wave physicists. Leveraging NSF investments in astronomical and multi-messenger facilities and in advanced cyberinfrastructure, SCiMMA intends to prototype a publish-subscribe system based on Apache Kafka to distribute alerts from gravitational wave, neutrino and electromagnetic observatories to authorized subscribers (initially, public alerts so that all subscribers are authorized, but eventually proprietary alerts). The system will additionally rely on supporting infrastructure, including: machine learning algorithms to analyze and classify alerts; an AARC2-style federated identity and access management suite; and event databases for richer data mining. The pub/sub prototype will be hosted on cloud resources, including a commercial cloud. Upon award completion, SCiMMA will pursue funding for a sustained distributed institute that will expand the scope and depth of the prototyped system.


To this end, SCiMMA is seeking help with various components of their prototype cyberinfrastructure. Primarily, they seek to develop a sound IT security program. Through a kick-off meeting and follow-up discussion, Trusted CI and SCiMMA have defined and prioritized their needs as a subset of tasks outlining the goals of the engagement, specifically:


  1. Perform a security review of SCiMMA’s cyberinfrastructure using the Trusted CI Security Program Evaluation worksheet in order to assess the target level of cybersecurity needed;
  2. Using information documented in step 1, develop the start of a security program leveraging a master information security policies and procedures document;
  3. Develop an asset inventory to be used by the security program in step 2; and
  4. Perform a nascent risk assessment using the identified assets, with a corresponding residual risk registry.


Upon completion of the engagement, Trusted CI will produce a final, publishable report describing the work performed, potential impact to the open-science community, and areas SCiMMA may find appropriate for future engagements.


Friday, May 8, 2020

Open Storage Network (OSN) and Trusted CI Complete CyberCheckup


The Open Storage Network (OSN) is an NSF-funded pilot project (OAC 1747483, 1747490, 1747493, 1747507, and 1747552). The OSN pilot project's goal is to design and test a cooperative multi-institution, research-oriented storage and transfer service, including a governance model to manage both the technical system and user allocations. The outcome of the pilot project will direct the design of a national scale infrastructure that can serve as a storage substrate along with NSF's other national investments (e.g., XSEDE) and network implementations supported by NSF's CC* program.

OSN is a distributed storage infrastructure accessible via national research and education networks (NRENs). To evaluate the current state of this infrastructure, OSN performed a Trusted CI CyberCheckup, which is an engagee-driven, self-evaluation of a project's cybersecurity readiness. Trusted CI staff provided templates to be used for the CyberCheckup as well as assistance in filling out the templates.

OSN staff first used Trusted CI's "Securing Commodity IT in Scientific CI Projects" spreadsheet to evaluate five facilities including NCSA, SDSC, RENCI, MGHPCC, and JHU. These results were then used to evaluate the OSN system as a whole. OSN staff next completed Trusted CI's "Information Security Program Evaluation" questionnaire. This document was used to capture the current state of the OSN information security program as well as find potential security policy gaps in the pilot program. The output from these CyberCheckup documents will be used by OSN to better secure future phases of the project.

Wednesday, December 13, 2017

DesignSafe-CI and CTSC Complete Cyber-checkup

CTSC has completed its engagement with DesignSafe-CI (DesignSafe), a component of the Natural Hazards Engineering Research Infrastructure (NHERI) and funded by the NSF under a Cooperative Agreement through the Division of Civil, Mechanical, and Manufacturing Innovation (CMMI) (NSF-1520817). In a cyber-checkup tailored for DesignSafe’s existing NIST 800-53 based cybersecurity control implementation, CTSC reviewed security documents for DesignSafe, as well as for seven experimental facilities (EFs) that DesignSafe governed, and then generated a matrix to display the thoroughness of each site’s adherence to security best practices. Using this observed data, CTSC and DesignSafe collaborated in identifying opportunities for improvement in each site’s existing security program.

Monday, September 11, 2017

DesignSafe-CI and CTSC Engage for Cyber-checkup


CTSC has initiated an engagement with DesignSafe-CI (DesignSafe) (NSF-1520817, NSF-1612144, NSF-1612843), a component of the Natural Hazards Engineering Research Infrastructure (NHERI) and funded by the NSF under a Cooperative Agreement through the Division of Civil, Mechanical, & Manufacturing Innovation (CMMI) (NSF-1520817). The scope of the engagement is to perform a cyber-checkup -- a high-level review of the project’s cybersecurity program. The process, tailored to DesignSafe’s needs, will constitute a fact-finding exercise that delves into DesignSafe’s security processes, policies and protocols. Due to the maturity of DesignSafe’s existing security program, CTSC anticipates the engagement will be completed by November 2017.

Wednesday, July 12, 2017

CTSC Completes Engagement With DataONE


CTSC engaged DataONE, an NSF funded project under a Cooperative Agreement through the Division of Advanced Cyberinfrastructure (ACI), in a cyber-checkup -- a high-level review by CTSC of that project’s cybersecurity program. The engagement began with DataONE undertaking a risk-based survey designed to explore the current state of security within DataONE’s cyberinfrastructure (CI). To accomplish this, DataONE utilized CTSC’s Risk Evaluation Spreadsheet. CTSC and DataONE then focused on identifying key areas where DataONE could use its resources most efficiently to strengthen its CI. Finally, CTSC presented DataONE with a list of opportunities describing new or updated mechanisms and/or policies in the aforementioned areas, so that DataONE could continue to strengthen and advance its cybersecurity posture.

Friday, December 4, 2015

CTSC Risk Assessment of NEON

The National Ecological Observatory Network (NEON) is a nationwide network of ecological sensors and observation facilities sponsored by the National Science Foundation (NSF) to gather and synthesize data on the impacts of climate change, land use change, and invasive species on natural resources and biodiversity. NEON collects data from over 80 land and water based sites across the United States and standardizes this data for use by scientists.

CTSC, in collaboration with the NEON team, performed a cybersecurity risk assessment on the NEON network of sensors and data servers. The results of this assessment will be used to develop a cybersecurity plan for the NEON project. The engagement commenced in March 2015 and was completed in August 2015. CTSC personnel conducted this review using CTSC assessment methodologies designed to fit the scope and objectives of the review. CTSC personnel interacted closely with NEON personnel to perform this engagement.

The goals for the collaboration with NEON were to:
  • generate a list of threats, vulnerabilities, estimates of likelihood, and impacts;
  • review and prioritize these lists into risks; and
  • generate a high-level cybersecurity plan for NEON's Airborne Observation Platform (AOP) and CyberInfrastructure (CI).

The engagement began with a CyberCheckup to get a rough assessment of the status of NEON cybersecurity. NEON staff reviewed "Securing Commodity IT in Scientific CI Projects" to see how well the recommended controls were applied to NEON's systems. The areas reviewed included policies and procedures, host protection, network security, physical security, and monitoring and logging. The results of this quick survey led to a more detailed Risk Assessment and Security Planning effort.

The formal Risk Assessment of NEON identified issues which are being addressed through NEON policies and implementation of formal operational processes and procedures. Other issues can be addressed by utilizing software solutions such as monitoring and vulnerability scanning software.

Working closely with the NEON team, CTSC concluded the risk assessment, transferred the skill of performing future iterations of the risk assessment, and assisted the NEON team in documenting recommended cybersecurity controls that, when implemented, will mitigate the current level of risks for NEON. Considering that full operation of the NEON network is planned by 2017, an effective security strategy is critical to protecting and isolating data from external and internal threats.

Friday, August 14, 2015

Gemini and CTSC Collaborate on Intensive Cybercheckup

In June 2015, as a precursor to a forthcoming full engagement, Gemini Observatory and CTSC undertook a brief but very intensive “cybercheckup”-style engagement. Using Indiana University’s REDCap service (https://redcap.uits.iu.edu/), CTSC has developed a questionnaire designed to gather key pieces of information regarding the information security program at large-scale NSF projects and facilities. Gemini personnel completed this questionnaire, and met with the CTSC engagement team on two occasions, to discuss the cybercheckup process and provide more detailed information. In early July, CTSC delivered a report to Gemini with recommendations for the Gemini information security program, prioritized by CTSC’s estimated cost and impact of implementing the recommendations. Following the NSF Cybersecurity Summit, we will sit down in person in Arlington to review the report. Gemini and CTSC will use these results to structure and make the most of our Fall 2015 full engagement.

“I feel very fortunate to have the resources of CTSC available to Gemini Observatory as we develop a more mature, comprehensive ‘v2.0’ cybersecurity program. The breadth and depth of knowledge and experience that the CTSC team has contributed thus far is vast, and has been key in gaining budgetary and Directorate support for cybersecurity initiatives.” -- Tim Minick, Information Technology Services Manager, Gemini Observatory

CTSC thanks Gemini for the effort and openness required to make this kind of activity valuable.