2 Leading the nation in cybersecurity
CACR continued its ongoing leadership in protecting the cybersecurity of more than $8 billion in NSF-funded research. CACR is the lead organization for Trusted CI, in collaboration with the National Center for Supercomputing Applications, the Pittsburgh Supercomputing Center, Lawrence Berkeley National Laboratory (Berkeley Lab), the University of South Alabama, and the University of Wisconsin–Madison. CACR also leads the ResearchSOC, collaborating with the Pittsburgh Supercomputing Center, Duke University, and the University of California San Diego, and has a strong partnership with the OmniSOC, the shared security operations center for higher education and research.
Trusted CI: the NSF Cybersecurity Center of Excellence
Now in its tenth year of service and third award, Trusted CI has been at the forefront of the NSF research community in building a set of technical, policy, and cultural best practices necessary to ensure the security of that infrastructure and the trustworthy nature of the science it produces. Trusted CI has now impacted 547 NSF projects through its webinars, engagements, and other activities.
The Trusted CI Framework is one of the center’s flagship products and is the focus of several initiatives. The Framework sets out a reasonable minimum standard for cybersecurity programs. It consists of 16 “Musts” that represent the baseline for programmatic competency in cybersecurity and focuses on supporting organizational missions, governance, and resources, complementing existing frameworks that have a heavier focus on controls and the technological side of cybersecurity. 2021 was a big year for the Trusted CI Framework.
Framework Implementation Guide
Trusted CI published the Framework Implementation Guide (FIG) for Research Cyberinfrastructure Operators. The FIG is an audience-specific deep dive for implementing the Framework’s 16 Musts. Since its publication, the document has been downloaded more than 1,000 times. In December, NSF updated its Research Infrastructure Guide to align with the Framework and directly references the FIG as a cybersecurity resource for research infrastructure operators.
Adopting the Framework
Trusted CI published updated tools and templates to help adopters align to the Framework, including a new template for a cybersecurity program strategic plan. Additionally, the center conducted an engagement with NSF’s NOIRLab, an early Framework adopter, focused on aligning to the Framework. Based on the success of this engagement, the center developed a new “cohort” engagement approach, allowing the team to scale Framework adoption and implementation among multiple NSF organizations simultaneously.
The Framework and FIG have successfully reached institutions both within and beyond the NSF community, including institutions such as the National Defense University, the U.S. Coast Guard, the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC), the Cybersecurity and Infrastructure Security Agency, and the government of the U.S. Virgin Islands.
View the Trusted CI Annual Report: go.iu.edu/4gYx
“Based on [CACR’s] recommendations, we have decided to revisit our cybersecurity strategy from the top down. . . . Thanks for all your efforts and in helping us take a different perspective.”
Rich Ceci, senior vice president for technology and projects, Port of Virginia
OmniSOC: higher education’s only collaborative multi-state institution security operations center
The OmniSOC is the shared security operations center for higher education and research. OmniSOC rapidly delivers only critical, actionable, high-quality alerts 24/7, allowing cybersecurity staff to focus on what’s important, at substantial cost savings, from a trusted leader in the higher education cybersecurity community. As the demands of the cybersecurity landscape have grown more challenging and the shortage of trained personnel has increased, CACR has responded to the community’s needs. In partnership with OmniSOC, CACR has provided virtual cybersecurity teams, ranging from a part-time security engineer to a full cybersecurity staff. OmniSOC member clients range from R1 universities to regional research and education networks to NSF facilities.
PACT: Addressing the toughest cybersecurity problems
Principles-based Assessment for Cybersecurity Toolkit (PACT) cybersecurity assessments focus on mission success, not checklist compliance. When conducting a PACT assessment for a partner organization, CACR analyzes the organization as a whole, understanding that cybersecurity can be a burden or an enabler. The team delivers actionable recommendations for operational personnel and lays out strategic priorities for leadership. CACR partners use the assessment reports to guide their cybersecurity activities for years. In 2021, CACR conducted two PACT assessments: an in-depth assessment of cybersecurity programmatics at NOIRLab as well as a programmatic and technical assessment of the HathiTrust Research Center.
2021 PACT Assessments
NOIRLab: An in-depth assessment of cybersecurity programmatics at the National Optical-Infrared Astronomy Research Laboratory (NOIRLab), the preeminent U.S. national center for ground-based, nighttime optical and infrared astronomy, using the Trusted CI Framework as the standard.
HathiTrust Research Center: A programmatic and technical assessment of the HathiTrust Research Center (HTRC), a collaborative research center launched jointly by Indiana University and the University of Illinois, along with HathiTrust, to help researchers solve the technical challenges they face when dealing with massive amounts of digital text.
The PACT methodology is collaborative and non-invasive. It was developed by CACR subject matter experts for the United States Navy and has been successfully applied in diverse operational environments. The methodology is based heavily on assessments conducted in 13 prior engagements through the NSF Cybersecurity Center of Excellence and the Navy. It has been proven by two congressionally funded, DoD-sponsored pilots, most recently at the Port of Virginia in collaboration with the United States Coast Guard. This latter assessment led to continued engagement with the Coast Guard, including an engagement with Rear Admiral Lower Half John Mauger and a presentation to the membership of the MTS-ISAC. CACR has introduced assessment and programmatics work to Cybersecurity and Infrastructure Security Agency personnel and congressional staffers, Senator Braun’s staffers, and numerous DoD and Defense Industrial Base stakeholders.
ResearchSOC: Delivering cybersecurity services to the nation’s greatest research
In 2021, ResearchSOC grew to serve four NSF major facilities, two of which have moved from grant-funded service to self-funded service. ResearchSOC has built upon its 24/7 monitoring and threat hunting, managed honeypot, and vulnerability scanning services with new capabilities, including incident response support, virtual CISOs, virtual cybersecurity teams, engineering support, and CISO advisory services. Research and development continue for new ways to serve NSF major facilities and other science organizations throughout 2022 and beyond.
Launched in October 2018, ResearchSOC is unique in the world: it is the only organization with the mission to provide operational cybersecurity services to NSF-funded facilities and projects, while at the same time seeking to further research in cybersecurity. Funded by a $5 million award from the NSF, ResearchSOC helps make scientific computing resilient to cyberattacks and capable of supporting trustworthy, productive research. CACR leads this collaborative effort that brings together existing cybersecurity services and expertise from Indiana University, including the OmniSOC and REN-ISAC; Duke University; the Pittsburgh Supercomputing Center; and the University of California San Diego.
OSG, IRIS-HEP, and PATh
The Open Science Grid (OSG), the Institute for Research and Innovation in Software for High Energy Physics (IRIS-HEP), and the Partnership to Advance Throughput Computing (PATh) are a set of three closely related research computing projects that have turned to CACR to provide a single security team across the projects while supporting the tight integration of services. PATh brings together the Center for High Throughput Computing and the OSG to advance the nation’s campuses and science communities through the use of distributed high throughput computing. The OSG facilitates access to distributed high throughput computing for research in the United States and worldwide. IRIS-HEP serves as an active center for software R&D and transforms the operational services required to ensure the success of the Large Hadron Collider.
The Custos project, a collaboration within PTI and led by PTI’s Cyberinfrastructure Integration Research Center (CIRC), provides an innovative integration of major security capabilities needed by science gateways. These include identity management, secrets management for third-party resource integration, and group and sharing management for securely controlling permissions and broader access to the digital object science gateways.
CACR continued its partnership with Renaissance Computing Institute (RENCI) on the Integrity Introspection for Scientific Workflows (IRIS) project. IRIS automatically detects, diagnoses, and pinpoints the source of unintentional integrity anomalies in scientific workflows executing on distributed computing infrastructure. CACR is supporting IRIS through expert guidance on cybersecurity and privacy challenges. RENCI is a partnership between the University of North Carolina–Chapel Hill, Duke University, and the city of Durham, North Carolina. RENCI leads a project allowing scientists to share and analyze data across institutional boundaries. The three-year project was funded by a $3 million NSF grant.
CACR is contributing its cybersecurity expertise to a three-year, $3 million project funded by the NSF. The Infrastructure for Privacy-assured CompuTations (ImPACT) project, led by RENCI, will allow researchers to focus more fully on science by building a technology infrastructure that supports best practices in moving data, managing data, ensuring security, and preserving privacy.
Providing research cybersecurity as a service
Leveraging its experience in providing virtual cybersecurity leadership, expertise, and consulting for scientific research projects, CACR expanded its portfolio of research “cybersecurity as a service” clients, providing cybersecurity leadership and consulting services to these projects, with CACR team members serving as the projects’ chief information security officers or as cybersecurity consultants providing input on best practices.
Cybersecurity for Leadership (C4L)
Targeted to both non-cybersecurity and cybersecurity leaders, the Cybersecurity for Leadership (C4L) curriculum begins with a half-day bootcamp that provides practical tools to help organizational leaders play an effective role in cybersecurity oversight.
Drawn from years of experience across multiple projects, the C4L Bootcamp focuses on key cybersecurity program enablers of mission alignment, governance, resourcing, and controls based on the Trusted CI Framework. The training includes explicit detail on what leaders must do (and avoid) to evolve the cybersecurity program and organization’s culture. Additionally, the training introduces organizations to CACR’s Information Security Practice Principles as a tool to assist leaders with decision making, communication, and strategy.
In 2020, CACR piloted C4L with the U.S. Virgin Islands. In early 2021, the team conducted a second and final pilot with Look Listen, a marketing firm. Additionally, CACR advertised C4L to a broad range of stakeholders through presentations, briefings, and announcements coordinated with IU’s AVP for Business Partnerships. In November—through the Indiana Economic Development Corp (IEDC) and Chief Executive Group—Craig Jackson and Scott Russell presented a portion of the C4L Bootcamp as a masterclass for smart manufacturing executives.
Facilitating AI for cybersecurity research
CACR led a team piloting evaluation of a research prototype application designed to highlight collections of indicators, such as alerts, which represent attacker behavior during different types of cyberattacks, including novel attacker behavior. The ASSERT application, a collaboration with Ahmet Okutan and S. Jay Yang at Rochester Institute of Technology, uses theoretical-based measures to perform unsupervised learning from intrusion alerts across platforms. Over time, the system learns to build attack models, which may prove valuable for identifying attacks, determining their potential impact, and predicting future attacker behaviors. CACR worked closely with OmniSOC to validate the methodology and test the research prototype for use at OmniSOC for applicability to SOC workflows. The project used only data OmniSOC aggregated from IU as an exploration of machine learning approaches.
Leading the national conversation
CACR continued its leadership role in providing forums to further the exchange of knowledge and ideas through hosting/co-hosting or conducting workshops at key community events. Even though 2021 continued with a strong virtual emphasis due to the pandemic, attendance and participation remained strong.
NSF Summit on Cybersecurity and Cyberinfrastructure
In its role as the lead organization for Trusted CI, CACR hosted a virtual version of the annual NSF Cybersecurity Summit. Opened up to the public for the first time, the summit drew more than 325 registrants.
Engaging with Women in Cybersecurity (WiCyS)
Led by CACR, Indiana University became a strategic partner of Women in Cybersecurity (WiCyS) in 2021 as part of its efforts to drive inclusion and diversity in the cybersecurity workforce. The strategic partnership augments IU’s ongoing support of the WiCyS annual conference, activities collectively supported by CACR, OVPIT, the Luddy School of Informatics, Computing, and Engineering, OmniSOC, the REN-ISAC, and the local IU WiCyS Student Chapter.
CISE Community Research Infrastructure Workshop
In collaboration with colleagues at University of Virginia and George Washington University and with funding from the National Science Foundation, CACR co-led a workshop exploring how multi-campus data collection and sharing infrastructure could enable research by machine-learning cybersecurity and privacy researchers. This workshop explored use cases, sustainability and privacy, and operational cybersecurity concerns.
Trusted CI participation at PEARC21
Members of Trusted CI virtually presented a workshop on trustworthy scientific cyberinfrastructure and led a tutorial on security log analysis at the Practice and Experience in Advanced Research Computing (PEARC) conference.
Cybersecurity engagement in a research environment workshop
In December, ResearchSOC held a free workshop addressing the challenges of providing cybersecurity for research projects in higher education. The “Cybersecurity Engagement in a Research Environment” workshop was led by CACR’s partners at the University of California San Diego. It was a training and development opportunity for researcher-facing cybersecurity professionals who are responsible for applying standard security operations to the heterogeneous research ecosystem to develop research-specific cybersecurity approaches at their home institutions. Forty higher education security professionals attended the three-day virtual event.
Trusted CI webinars
In 2021, Trusted CI hosted 11 talks with 449 total attendees and more than 777 total views. In May, Trusted CI announced a podcast version of its webinar series that is now available on most podcast applications.
Throughout the year, ResearchSOC sponsored five webinars addressing key cybersecurity operational issues such as Framework implementation, vulnerability management, STINGAR and threat intelligence, Google Drive security, and ransomware.