The National Ecological Observatory Network (
NEON) is a nationwide network of ecological sensors and observation facilities sponsored by the National Science Foundation (
NSF) to gather and synthesize data on the impacts of climate change, land use change, and invasive species on natural resources and biodiversity. NEON collects data from over 80 land and water based sites across the United States and standardizes this data for use by scientists.
CTSC, in collaboration with the NEON team, performed a cybersecurity risk assessment on the NEON network of sensors and data servers. The results of this assessment will be used to develop a cybersecurity plan for the NEON project. The engagement commenced in March 2015 and was completed in August 2015. CTSC personnel conducted this review using
CTSC assessment methodologies designed to fit the scope and objectives of the review. CTSC personnel interacted closely with NEON personnel to perform this engagement.
The goals for the collaboration with NEON were to:
- generate a list of threats, vulnerabilities, estimates for likelihood, and impacts;
- review and prioritize these lists into risks; and
- generate a high level cybersecurity plan for NEON's Airborne Observation Platform (AOP) and CyberInfrastruture (CI).
The engagement began with a
CyberCheckup to get a rough assessment of the status of NEON cybersecurity. NEON staff reviewed "
Securing Commodity IT in Scientific CI Projects" to see how well the recommended controls were applied to NEON's systems. The areas reviewed included policies and procedures, host protection, network security, physical security, and monitoring and logging. The results of this quick survey led to a more detailed Risk Assessment and Security Planning effort.
The formal Risk Assessment of NEON identified issues which are being addressed through NEON policies and implementation of formal operational processes and procedures. Other issues can be addressed by utilizing software solutions such as monitoring and vulnerability scanning software.
Working closely with the NEON team, CTSC concluded the risk assessment, transferred the skill of performing future iterations of the risk assessment, and assisted the NEON team in documenting recommended cybersecurity controls that, when implemented, will mitigate the current level of risks for NEON. Considering that full operation of the NEON network is planned by 2017, an effective security strategy is critical to protecting and isolating data from external and internal threats.
CTSC staff performed a site visit to the Gemini North facility to inform detailed recommendations for improving the physical security and technical security of instrument and industrial control / SCADA systems critical for Gemini’s scientific mission. The visit included inspection tours of the base facility in Hilo, the mid-point facility at Hale Pohaku, and the actual telescope atop Maunakea at 14,000 feet. CTSC interviewed eight Gemini staff members concerning IT support, physical security, ICS/SCADA systems, MS Windows security, web application development, and operational application support. CTSC conducted a physical penetration test of the Base facility, which was thwarted an attentive Gemini staffer. The depth and breadth of this fact-finding mission enabled CTSC to produce a report providing detailed recommendations for enhancements to both physical security and cybersecurity from an on-the-ground point of view.