
Wednesday, April 19, 2023

Registration Open for ’23 NSF Research Infrastructure Workshop

Trusted CI invites cybersecurity staff from NSF Major Facilities and NSF Mid-Scale Facilities to join us at the 2023 NSF Research Infrastructure Workshop, hosted by NSF’s Large Facilities Office (LFO). The Research Infrastructure Workshop (RIW) is a collaborative forum for all the NSF research infrastructure projects.

The workshop is in a hybrid format and will be held Tuesday through Friday, June 27th - 30th at the Washington Marriott at Metro Center.

Registration is currently open.

There will be many opportunities to join discussions on cyberinfrastructure and cybersecurity. A few highlights include:

  • A dedicated Cybersecurity track on Day 2, which will cover the Trusted CI Framework, operational cybersecurity with ResearchSOC, and Regulated Research Community of Practice (RRCoP). Also, Robert Beverly (NSF) will provide introductory remarks for the Cybersecurity track.
  • Trusted CI Director, Jim Basney, and Roland Roberts presenting, “Overview of Cybersecurity at Research Infrastructure: Balancing the Need to Be Secure and Also Open,” during the plenary session on Day 3.
  • Tony Beasley (NRAO) presenting "Lessons from the 2022 Ransomware Attack on ALMA" during the plenary session on Day 3.
  • Partner project CI Compass is presenting, “Overview of CI Compass and the Relevance of AI in Cyberinfrastructure,” during the plenary session on Day 1.
  • A dedicated Cyberinfrastructure track on Day 1 covering "Models of Data Governance" and "Expanding use of AI in Research Infrastructure applications."

The draft agenda is available (pdf) on RIW’s event site. The event includes a poster session, welcome reception, and a tour of the National Air and Space Museum.

Join Trusted CI's announcements mailing list for information about upcoming events. 

Wednesday, February 2, 2022

NSF publishes new Research Infrastructure Guide, bolsters alignment to Trusted CI Framework


In December, NSF published its newly renamed Research Infrastructure Guide (RIG) (f.k.a. Major Facilities Guide). [1] During the public comment period, Trusted CI suggested updates, particularly in light of our March 2021 publication of the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators (FIG).

Alignment to the Trusted CI Framework

We are very pleased to see that NSF made many changes to the Research Infrastructure Guide, bringing it even more closely in line with the Trusted CI Framework, and pointing research infrastructure to the FIG as a resource. 

Those changes are captured in the cybersecurity section (6.3), as well as in the Competency Requirements for Major Facility Management (4.6.6.3), where knowledge of the Framework’s Four Pillars (Mission Alignment, Governance, Resources, and Controls) is an information technology competency. 

Operational Technology Clarification

Moreover, we applaud NSF’s clarification that operational technology [2] falls within the RIG’s definition of and scope for cybersecurity. Trusted CI advocated for this clarification. [3] 

Background

Beginning in 2014, Trusted CI partnered with the NSF Large Facilities Office in providing draft material for what became the first cybersecurity section for the then-titled Large Facilities Manual. Our work drew broadly from our cybersecurity experience and expertise, and specifically from our collaborations with the Major Facilities themselves. Since that original section’s publication, we have used the public comment process to suggest refinements.

Endnotes

[1] The name change reflects the fact that the document applies to mid-scale projects as well as Major Facilities. (See, p.i.)

[2] Operational technology (OT) / cyber physical systems (CPS) is the focus of Trusted CI’s 2022 annual challenge. Read more here.    

[3] We submitted the following rationale to NSF:

“While the MFG references controls for ICS and SCADA systems in Section 6.3.5.3, a clarification of the scope of “information systems” is warranted. Our work with Large/Major Facilities since 2013 suggests that some community stakeholders believe cybersecurity and related responsibilities are scoped only to traditional IT, and do not include OT. 

“If reflected in the scoping and resourcing of their cybersecurity programs, this misunderstanding and exclusion of OT cybersecurity considerations poses a serious risk to facility research missions. These missions frequently rely heavily on operational technology. The availability, functionality, and efficacy of scientific instruments (e.g., telescopes) frequently depend on both operational technologies and traditional information technologies. These technologies are increasingly architected as interconnected systems of systems composed of both traditional IT and OT. Cyberthreats to these operational technologies are real [FN1] and attacks that impact them can be executed both directly and through connected traditional IT systems. The gravity and impact of cyberthreats to OT is recognized at the federal level and action to address these threats is called out explicitly as a priority. [FN2,FN3,FN4] 

“This addition also will help clarify that NSF’s guidance is aligned with the federal definition of cybersecurity. [FN5]”

[FN1] See, https://www.dragos.com/resource/dragos-releases-annual-industrial-control-systems-cybersecurity-2020-year-in-review-report/.

[FN2] See, e.g., NATIONAL SECURITY AGENCY CYBERSECURITY REPORT: NSA/CSS Technical Cyber Threat Framework v2, p.2. Available at https://media.defense.gov/2019/Jul/16/2002158108/-1/-1/0/CTR_NSA-CSS-TECHNICAL-CYBER-THREAT-FRAMEWORK_V2.PDF.  

[FN3] See also, NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems - Alert (AA20-205A), Original release date: July 23, 2020. Available at https://us-cert.cisa.gov/ncas/alerts/aa20-205a.

[FN4] See also, NSA press release, “Protect Operational Technologies and Control Systems against Cyber Attacks.” Available at https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2285423/protect-operational-technologies-and-control-systems-against-cyber-attacks/

[FN5] https://fas.org/irp/offdocs/nspd/nspd-54.pdf.

Tuesday, January 4, 2022

2021 NSF Cybersecurity Summit Report is now available

The 2021 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure continued a nine-year tradition of providing a forum for NSF scientists, researchers, and cybersecurity professionals to develop community and share best practices. Trusted CI, NSF’s Cybersecurity Center of Excellence, hosted the Summit and looks forward to the 10th anniversary of hosting the Summit in 2022. 

Due to the ongoing COVID-19 pandemic, Trusted CI hosted the Summit virtually for the second year in a row. The 2021 Summit was held online Oct. 12-13, 15, 18-19. On Oct. 14, NSF held a Large Facilities Workshop in coordination with Trusted CI.

Collaboration, communicating with leadership about technology, mitigating against cyberattacks, identity management, building the cybersecurity workforce, and compliance were among important themes at the Summit.

The number of individuals who registered for the 2021 Summit increased to 329, including 15 students, 101 NSF-supported projects, and 19 of 20 NSF Large Facilities.

By removing the budget constraints of travel and hotel costs, this year’s online Summit enabled increased international participation, with representation from 11 countries, up from the previous high of eight in 2020.


The Trusted CI team looks forward to an in-person 2022 Summit, along with a virtual attendance option, so we can continue to advance the mission of the NSF science community.


Click here to see the 2021 Summit report.

Monday, March 1, 2021

Published: The Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators


On behalf of Trusted CI, we are pleased and excited to announce the release of version 1.0 of the Trusted CI Framework Implementation Guide (FIG) for Research Cyberinfrastructure Operators (RCOs). This guide is the culmination of many years of accumulated experience conducting cybersecurity research, training, assessments, and consultations, and collaborating closely with the research community. It has been reviewed and vetted by our Framework Advisory Board, a diverse collection of stakeholders from the research community. This launch of the first FIG represents a major step forward in advancing Trusted CI’s mission to enable trustworthy science through cybersecurity guidance, templates, and tools, empowering those projects to focus on their science endeavors. [1]

We also published a new Cybersecurity Program Strategic Plan template along with releasing significantly updated versions of the Incident Response Policy and Master Information Security Policy & Procedures templates.

Learn more about the Framework, download FIG v1.0, explore our templates and tools, offer feedback, and share your experiences by visiting https://www.trustedci.org/framework. [2]

About the Trusted CI Framework


The Trusted CI Framework is a tool to help organizations establish and refine their cybersecurity programs. In response to an abundance of guidance focused narrowly on cybersecurity controls, Trusted CI set out to develop a new framework that would empower organizations to confront cybersecurity from a mission-oriented, programmatic, and full organizational lifecycle perspective.

The Trusted CI Framework is structured around 4 Pillars which make up the foundation of a competent cybersecurity program: Mission Alignment, Governance, Resources, and Controls. 

Composing these pillars are 16 Musts that identify the concrete, critical requirements for establishing and running a competent cybersecurity program. The 4 Pillars and the 16 Musts combined make up the Framework Core, which is designed to be applicable in any environment and useful for any organization.

About the Framework Implementation Guide for Research Cyberinfrastructure Operators (RCOs)


This Framework Implementation Guide is designed for use by research cyberinfrastructure operators (RCOs). We define RCOs as organizations that operate on-premises, cloud-based, or hybrid computational and data/information management systems, scientific instruments, visualization environments, networks, and/or other technologies that enable knowledge breakthroughs and discoveries. These include, but are not limited to, major research facilities, research computing centers within research institutions, and major computational resources that support research computing. The chapters in this FIG provide RCOs with roadmaps for establishing mature cybersecurity programs, pointers to resources, and advice on overcoming potential challenges.

About the Framework Advisory Board (FAB)


As a product ultimately designed for use in the research and higher education communities, this Framework Implementation Guide was developed with significant input from stakeholders that represent a cross section of the target audience. This Framework Advisory Board (FAB) is a collection of 19 volunteers with diverse interests and roles in the research and education communities. From January 2020 through January 2021, Trusted CI’s Framework project team engaged the FAB on a monthly basis, conducting two meetings per month to accommodate the broad geographic distribution of all its members. The FAB provided substantial input, suggestions, questions, and critiques during the drafting of the FIG content. Based on this input from the FAB, the authors refined and published version 1.0.
 
The Framework Advisory Board is:

Kay Avila (NCSA); Steve Barnet (IceCube); Tom Barton (University of Chicago); Jim Basney (NCSA); Jerry Brower (NOIRLab, Gemini Observatory); Jose Castilleja (NCAR / UCAR); Shafaq Chaudhry (UCF); Eric Cross (NSO); Carolyn Ellis (Purdue U.); Terry Fleury (NCSA); Paul Howell (Internet2); Tim Hudson (NEON / Battelle / Arctic); David Kelsey (UKRI/WISE); Tolgay Kizilelma (UC Merced); Nick Multari (PNNL); Adam Slagell (ESnet); Susan Sons (IU CACR); Alex Withers (NCSA / XSEDE); Melissa Woo (Michigan State U.)

Thank you for your interest. We look forward to your feedback and hearing about your experiences with the Framework and FIG.

***

[1] A “Framework Implementation Guide” (FIG) is an audience-specific deep dive into how an organization would begin implementing the 16 Musts. FIGs provide detailed guidance and recommendations and are expected to be updated much more frequently than the Framework Core.

[2] This page now includes templates and tools from the “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects” webpage. Visitors accessing the old “Guide” page will be redirected to the Framework webpage going forward. Finally, we are leveraging the Zenodo.org Trusted CI Community to archive FIG v1.0. Zenodo.org is a catch-all repository for open science and is funded by the European Commission via OpenAIRE (https://www.openaire.eu/about) and CERN (https://home.cern/about). 

Thursday, January 4, 2018

CTSC Collaboration with NSF Campus Cyberinfrastructure and CyberTraining Projects

CTSC's Warren Raquel and Mark Krenz at the Great Plains Network & Greater Western Library Alliance training in June 2017
NSF's 2018 solicitation for Campus Cyberinfrastructure (CC*) projects states that the "Campus CI plan should address the campus-wide approach to cybersecurity in the scientific research and education infrastructure," and NSF's 2018 solicitation for CyberTraining projects highlights the need for "training and certification of CI Professionals in cybersecurity technology and management for advanced CI-enabled research."

CTSC resources and staff are available to assist Campus Cyberinfrastructure and CyberTraining projects with cybersecurity plans and training, via one-on-one engagements and other CTSC activities. For example, CTSC recently engaged with the University of New Hampshire Research Computing Center (funded in part by the NSF CC*DNI program).

Our cybersecurity program guide provides recommendations and templates for establishing and maintaining cybersecurity programs. Our online training materials and webinars cover many cybersecurity topics tailored to the NSF CI community. CTSC staff are available to participate in training events as our schedule and travel budget allow. We can also assist with disseminating announcements about training events and training materials to the community. Our annual cybersecurity summit provides a venue for training sessions for cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community.

If you are preparing a Campus Cyberinfrastructure or CyberTraining proposal to address cybersecurity needs, please see our guidance on including CTSC in a proposal and don't hesitate to contact us to discuss how CTSC can help.