Trusted CI Blog

New Trusted CI Software Security Training Materials for the Community

2022-08-08T15:48:00.003-04:00

In a world of continuous cyber attacks, cybersecurity is a responsibility of every person involved in the software development life cycle: managers, designers, developers, and testers. Trusted CI offers an evolving collection of training materials on software security covering topics such as secure design, secure implementation, testing, code auditing, dependency tools, static analysis tools, and fuzz testing.

The materials are freely available at https://www.cs.wisc.edu/mist/SoftwareSecurityCourse. Apart from videos and corresponding book chapters, they include hands-on exercises and quizzes for many of the topics. Classroom exercises and the solutions to the hands-on exercises and quizzes are provided to instructors by request. Most of the videos now have captions in both English and Spanish.

These materials are being continuously updated, as we develop new modules. The latest additions are modules on address space layout optimization (ASLR), memory safety checks, fuzz testing and using AFL, and dependency analysis tools.

These materials have been used at conferences, workshops, and government agencies to train CI professionals in secure coding, design, and testing. They are also used at the University of Wisconsin-Madison to teach CS542, Introduction to Software Security.

Trusted CI Webinar: CIS Controls, August 22nd @11am EST

2022-08-08T14:33:00.002-04:00

Trusted CI's Shane Filus and Mark Krenz will be giving a presentation on CIS Controls on Monday, August 22nd at 11am (Eastern).

Please register here.

The Trusted CI Information Security Office (ISO) team will be presenting a webinar on the CIS Controls. This will include background and information on the CIS controls, our recent experiences using the controls to assess Trusted CI’s own cybersecurity program and operations, and how that can be applied to your own project.

Topics include:
Who Trusted CI is and why we have a cybersecurity program.
Background on the CIS controls and what an assessment is.
What led us to perform a CIS assessment.
Overview and discussion of our results.
Differences between control versions 7.1 and 8.
Discussion on methodology and tools that can be used in assessments.

Speaker Bios:

Shane Filus serves as a Senior Security Engineer at the Pittsburgh Supercomputer Center, and works with Trusted CI, XSEDE/ACCESS, and HuBMAP projects on all aspects of cybersecurity; from operations, to incident response, to policy, and everything in between.

Mark Krenz serves as Chief Security Analyst at Indiana University’s Center for Applied Cybersecurity Research. Mark’s focus is on cybersecurity operations, research and education. He has more than two decades of experience in system and network administration and has spent the last decade focused on cybersecurity. He serves as the CISO of the ResearchSOC and the Deputy CISO of Trusted CI.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Analysis of NSPM-33: Cybersecurity Requirements for Federally Funded Research Organizations

2022-08-01T13:07:00.001-04:00

By: Anurag Shankar and Scott Russell

This blog post provides research organizations a summary of the National Security Presidential Memorandum on United States Government-Supported Research and Development National Security Policy” (NSPM-33) and the recent Office of Science and Technology Policy (OSTP) / National Science and Technology Council (NSTC) guidance, along with analysis of the requirements.

Summary

In January 2021, then President Trump issued a directive “National Security Presidential Memorandum on United States Government-Supported Research and Development National Security Policy” (NSPM-33) to all federal agencies to: 1) standardize disclosure requirements and 2) mandate a research security program for all institutions receiving a total of $50 million or more in federally-funded research. In January 2022, the Office of Science and Technology Policy (OSTP) released further guidance on these requirements, including details on four elements specified in NSPM-33: cybersecurity, foreign travel security, research security training, and export control training. The cybersecurity guidance identifies 14 controls that it recommends as requirements for federal agencies to flow down to organizations receiving federal research funding. Twelve of these controls are included in the 17 “basic hygiene” controls specified by CMMC Level 1 and the 15 “minimum security controls” specified by FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” The rest are NSPM-33 specific, addressing training and ransomware/data integrity.

The OSTP guidance also includes a number of additional recommendations for federal agencies to flow down to research organizations, summarized below:

Documentation: Research organizations should be required to document their research security program and provide this documentation within 30 days of a request from a research agency that is funding an award or considering an application for award funding.
Certification: Research organizations should be required to provide certification of compliance with the research security program requirement. OSTP, in consultation with the NSTC Subcommittee on Research Security and OMB, plans to develop a single certification standard and process that will apply across all research agencies.
Timeline: Research organizations should establish a research security program as soon as possible, but given one year from the date of issuance of the formal requirement to comply. Organizations that become subject to the requirement in subsequent years are supposed to be similarly provided one additional year to comply.
Assistance: The Federal Government should provide technical assistance to support development of training content and program guidelines, tools, and best practices for research organizations to incorporate at their discretion. Agencies represented on the National Counterintelligence Task Force, in conjunction with the National Counterintelligence and Security Center, should jointly develop content that research organizations can leverage to meet requirements for research security programs and training. The Federal Government should consider supporting the formation of a community consortium to develop and maintain research security program information and implementation resources for research organizations, to include resources suitable for use within research security programs. The development of program content should be a collaborative effort between the government and organizations.
Discretion: Research organizations should be provided flexibility to structure the organization’s research security program to best serve its particular needs, and to leverage existing programs and activities where relevant, provided that the organization implements all required program components. Research organizations should be given flexibility in how they choose to integrate research security requirements into existing programs, such as existing cybersecurity programs. Research organizations should be strongly encouraged to integrate some or all elements into a coherent research security program, where applicable and feasible.
Funding agencies should consider integrating the research security program requirement into the Compliance Supplement’s Research and Development Cluster audit guidance as part of the single audit of Federal grant and assistance programs (2 C.F.R. Part 200, Appendix XI).

Analysis

The primary questions raised by NSPM-33 and the NTSC/OSTP guidance are 1) How will these requirements be flowed down to research organizations; 2) To what extent will funding agencies follow the guidance put forth by the NTSC; and 3) What is the scope of the requirements?

Regarding the first question, NSPM-33 only directly impacts federal funding agencies (e.g., NSF, DOE): the NSPM does not impose any requirements directly on research institutions. Instead, it instructs federal funding agencies to impose these requirements on research institutions receiving federal research funding. While the NTSC/OSTP guidance specifies January 2023 as the deadline for eligible institutions to comply, it does not specify how the requirements should be imposed. Moreover, the provision of NSPM-33 that specifically mentions cybersecurity is only intended to apply to research institutions receiving over $50 million in federal research funding, without clarifying how these institutions should be identified.

Practically speaking, the funding agencies may impose these requirements on all *new* grants. So although existing grants are technically unaffected, research institutions that wish to continue to get funding will be forced to implement the requirements regardless.

Moreover, it is also unclear to what extent federal funding agencies are bound by the NTSC guidance. NSPM-33 only instructs OSTP to “promulgate guidelines for research institutions to mitigate risks to research security and integrity”: it is not empowered to dictate what requirements federal funding agencies impose. Indeed, neither OSTP nor NTSC were mentioned in the subsection referencing research security programs and cybersecurity.

Scope is another issue. The guidance does not clarify whether the security program requirements apply only to researchers receiving federal funding or every researcher within the organization. It specifies controls for programs to implement but does not explicitly state if every system used by researchers (e.g, their workstations) is in scope or institutional systems only. Since this has financial repercussions, clarity is needed on what the requirements cover.

A research security program clearly requires controls to secure projects. However, prescribing a set of controls which research systems must implement can be problematic, as research systems have unique needs that may not function using traditional controls (instead requiring alternate controls to achieve their mission.) Moreover, the focus on system-centric controls is not well suited for securing research workflows, which require more than technical controls alone. The uniqueness of research systems (telescopes, sensors, microscopes, etc.) requires different approaches than controls designed to secure “systems.” For example, the Trusted CI Framework is a more appropriate fit for research programs. It includes controls, but provides the institution flexibility in choosing a baseline control set that is tailored to the institution’s mission. Additionally, this baseline control set is supplemented with additional and alternate controls that are particularly important in the research context, as research infrastructure often requires specialized protections. Securing research ultimately requires flexibility.

Applying the same level of security to all research is also unwise. How research is protected is currently scoped to data by sensitivity and regulatory requirements. This is done for a reason, namely to apply security proportionally to risk to contain cost. Expanding it indiscriminately will be wasteful and unnecessary. For instance, public data does not need the same level of security as patient data.

The guidance asks agencies to allow flexibility on which program components institutions choose to implement but also directs them to “strongly encourage” choosing them all. With a documentation submission requirement, it is unclear how the program will be judged and what the impact of a “less than perfect choice” might be (e.g., of not having all of the controls in place).

The certification requirement also is likely to present challenges. As the CMMC rollout shows, designing a certification process for compliance at this scale is extremely challenging. And whereas CMMC is limited in scope, NSPM-33 is potentially much broader. With CMMC compliance, most organizations can design isolated environments for controlled data CUI to limit scope, certifying compliance for research will be much more challenging, given the variety and complexity of research infrastructure.

Trusted CI Co-authors Identity Management Cookbook for NSF Major Facilities

2022-07-29T09:00:00.015-04:00

Trusted CI’s Josh Drake has co-authored a new document addressing many identity management (IdM) challenges present at NSF Major Facilities. Due to their size and collaborative missions, Major Facilities often have many users, across multiple organizations, all with different access permissions to a diverse collection of CI resources. The Federated Identity Management Cookbook aims to address these challenges by providing time-tested “recipes” for building IdM capabilities, as well as a primer on the topic of IdM itself.

“While operating the IdM working group and CI Compass, we had many opportunities to engage with major facilities on identity and access management issues facing researchers. We were able to explore a variety of options to help researchers integrate federated identities into their cyberinfrastructure,” said Josh Drake. “This cookbook represents the distilled version of months of engagement with the MF community and a primer to identity management concepts that we hope will be of use to research cyberinfrastructure operators everywhere.” Trusted CI’s Ryan Kiser and Adrian Crenshaw also participated in the engagements that contributed to the cookbook.

This work was created in partnership with Erik Scott (RENCI) and CI Compass. CI Compass provides expertise and active support to cyberinfrastructure practitioners at NSF Major Facilities in order to accelerate the data lifecycle and ensure the integrity and effectiveness of the cyberinfrastructure upon which research and discovery depend.

The cookbook is available in the CI Compass Resource Library and on Zenodo. See CI Compass’s website to read the full press release.

Advancing the Cybersecurity of NSF Major Facilities: Trusted CI’s Inaugural Framework Cohort Successfully Completes Six-Month Program (June 2022)

2022-07-26T11:47:00.001-04:00

Trusted CI’s first Framework Cohort has successfully completed its initial six-month period of workshops designed to improve NSF Major Facilities’ alignment to the Trusted CI Framework. Each cohort member adopted the Trusted CI Framework as the foundation for their cybersecurity program. Additionally, each cohort member worked closely with Trusted CI to produce 1) a validated self-assessment of their cybersecurity program’s alignment with the Trusted CI Framework; and 2) a draft Cybersecurity Program Strategic Plan identifying priorities and directions for further refining their cybersecurity programs.

The inaugural Cohort included the following NSF Major Facilities:

The success of the Framework Cohort is particularly notable as each of these facilities voluntarily adopted and rallied around the Trusted CI Framework as the foundation for their cybersecurity programs.

The foundation of the Cohort program is the Trusted CI Framework, which was created as a minimum standard for cybersecurity programs. In contrast to cybersecurity guidance focused narrowly on cybersecurity controls, the Trusted CI Framework provides a more holistic and mission-focused standard for managing cybersecurity.

For GAGE, LIGO, NRAO, NSO, and OOI, the Cohort was their first formal training in the Trusted CI Framework’s “Pillars” and “Musts” and how to apply these fundamental principles to assess and strengthen their cybersecurity programs. NOIRLab contributed their experience as an early adopter of the Framework, having previously completed a one-on-one Framework engagement with Trusted CI.

Feedback from members of the first cohort on their experience has been strongly positive:

Eric Cross, Head of Information Technology, National Solar Observatory, said the following about his experience:

"The TrustedCI Framework Cohort was a valuable experience. The process required us to research and reflect on our internal cybersecurity policies and procedures. The Cohort provided a platform to meet with other facilities and work through challenges with feedback from peers. The experience resulted in formal documentation that provided our organization's leadership clear direction to improve our cybersecurity program with specific short-term and long-term goals. I highly recommend this exercise for all NSF facilities."

Craig Risien, CI Systems Project Manager, Ocean Observatories Initiative, said the following about his experience:

“I found participating in Trusted CI’s first Framework Cohort to be exceptionally instructive and really enjoyed the opportunities to discuss cybersecurity challenges and lessons learned with Trusted CI and colleagues at other NSF Major Facilities. Working with Trusted CI on creating a validated self-assessment based on the Trusted CI Framework over the past six months has helped the Ocean Observatories Initiative (OOI) better understand the current state of its cybersecurity program. Being part of this cohort has also assisted the OOI with the development of a plan to fully implement the Trusted CI Framework and create a well-established and mature cybersecurity program. I look forward to the follow-on cohort sessions in the coming months.”

Trusted CI is continuing to support the first cohort through the end of 2022 by facilitating monthly workshops. Each facility will have the opportunity to lead a workshop in which they are encouraged to share their specific challenges and seek advice among the other cohort members.

Concurrently, Trusted CI is conducting its second cohort engagement leveraging the lessons learned from the first cohort. The second cohort includes the following organizations:

Corporation for Education Network Initiatives in California (CENIC), a California research and education network
International Ocean Discovery Program (IODP), an NSF Major Facility
FABRIC, an NSF Mid-Scale Research Infrastructure Facility
National Ecological Observatory Network (NEON), an NSF Major Facility
Seismological Facility for the Advancement of GEoscience (SAGE), an NSF Major Facility

Trusted CI is excited to be working with these new facilities to advance their understanding and implementation of cybersecurity programs and best practices!

For more information, please contact us at info@trustedci.org.

Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research

2022-07-15T12:59:00.002-04:00

This year, Trusted CI is conducting a year-long effort on the security of operational technology in science. Operational technology (OT) encompasses broad categories of computing and communication systems that in some way interact with the physical world. This includes devices that either have sensing elements or control elements, or some combination of the two. Networked sensors and control systems are increasingly important in the context of science as they are critical in operating scientific instruments. Trusted CI is pleased to share its findings from this study, published in the following report:

Emily K. Adams, Daniel Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, Susan Sons, and John Zage. “Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research,” July 13, 2022. DOI: 10.5281/zenodo.6828675 https://doi.org/10.5281/zenodo.6828675

In support of this study, Trusted CI gratefully acknowledges the many individuals from the following NSF Major Facilities that contributed to this effort: IceCube Neutrino Observatory, NOIRLab, Ocean Observatories Initiative, and the United States Academic Research Fleet.

Now that Trusted CI has finished its examination of the current state of the security of OT in science, it will turn its focus to developing a roadmap of solutions to sustainably advance security of scientific operational technology, which will be published in late 2022.

Trusted CI co-PI Bart Miller wins award for landmark paper on dependable computing

2022-06-30T11:43:00.003-04:00

Bart Miller, Trusted CI co-PI, and his two student co-authors were honored with the 2022 Jean-Claude Laprie Award in Dependable Computing on June 28 in Baltimore, Md. Miller, along with L. Fredriksen, and B. So, were presented the award during the opening session of the Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

The groundbreaking paper, “An Empirical Study of the Reliability of UNIX Utilities," published in 1990, launched the field of fuzz random testing, or fuzzing as it is commonly called. The paper created a new technique for easy-to-use software testing and then used that technique to evaluate UNIX utilities crashes. As part of this research, the authors also studied the root causes of the failures. They also released its code and data openly (a novelty at that time). The paper has been cited more than 1,300 times and was responsible for creating an entire new branch of testing and security research. Hundreds of papers and tens of PhD dissertations are produced each year in this area.

Today, fuzzing is taught in introductory software testing and security courses, is a prominent area of focus at numerous conferences, and is recognized by major companies. For example, Microsoft recently published a paper on how they integrate fuzzing in the life cycle of almost all their products. Similarly, Google recently reported that 80 percent of the bugs they find in production in the Chrome web browser are due to fuzzing.

Fuzzing is heavily used in security research and is often the tool of choice for penetration testers. Thus, this paper has important implications for reliability and security research.

About Bart Miller

Bart Miller with his Cessna TR182 that he bought in 1980. He's had his commercial pilots license since 1979.

Barton Miller is the Vilas Distinguished Achievement Professor at the University of Wisconsin-Madison. Co-PI on Trusted CI, where he leads the software assurance effort. Research interests include software security, in-depth vulnerability assessment, and binary code analysis. In 1988, Miller founded the field of fuzz random software testing, a foundation of many security and software engineering disciplines. In 1992, Miller and his then-student Jeffrey Hollingsworth founded the field of dynamic binary code instrumentation and coined the term “dynamic instrumentation.” Miller is a Fellow of the ACM.

About the Jean-Claude Laprie Award in Dependable Computing

The award was created in 2011, in honor of Jean-Claude Laprie (1944-2010), whose pioneering contributions to the concepts and methodologies of dependability were influential in defining and unifying the field of dependable and secure computing. The award recognizes outstanding papers that have significantly influenced the theory and/or practice of dependable computing.

About IFIP WG 10.4 on Dependable Computing and Fault Tolerance

IFIP Working Group 10.4 was established in 1980 with the aim of identifying and integrating approaches, methods, and techniques for specifying, designing, building, assessing, validating, operating, and maintaining dependable computer systems (those that are reliable, available, safe, and secure). Its 75 members from around the world meet twice a year to conduct in-depth discussions of important technical topics to further the understanding of the fundamental concepts of dependable computing.

About the International Federation for Information Processing

IFIP is a non-governmental, non-profit umbrella organization for national societies working in the field of information processing. It was established in 1960 under the auspices of UNESCO as a result of the first World Computer Congress held in Paris in 1959. It is the leading multinational, apolitical organization in Information and Communications Technologies and Sciences.

Announcement of Trusted CI Director Transition

2022-06-27T14:34:00.000-04:00

Dear Trusted CI community, friends, and partners,

After 10 years of directing Trusted CI, I am stepping down as Trusted CI Director today. I thank all of you for your support over the past decade - you have made my job both a huge privilege and a pleasure. I also extend my gratitude to NSF for providing this unique opportunity.

I’m excited to share that Jim Basney has agreed to accept the role of Trusted CI Director. Jim has served as Trusted CI’s Deputy Director for the past three years and has been part of its leadership team since its inception. I suspect most of you already know Jim and will join me in my optimism that Jim will serve as an excellent leader for Trusted CI’s second decade.

I thank Jim for his contributions as deputy, which I found invaluable, and I’m happy to also share that Jim will receive similar support from Sean Peisert, who has agreed to serve as Trusted CI Deputy Director going forward. Since Sean joined Trusted CI in 2019 he has made strong leadership contributions, including serving as a co-PI the last year and leading annual challenges and the OSCRP effort.

Kelli Shute will be staying on as Executive Director and has my thanks for her contributions in this role both past and into the future. Jim, Sean, and Kelli will be supported by the rest of the current leadership team: Kathy Benninger, Professor Bart Miller, and Mark Krenz.

I ask you to join me in congratulating Jim and Sean, and providing them and the rest of the team with the same support and collaboration going forward which you extended to me over the past decade. You can contact Jim and Sean directly at jbasney@illinois.edu and sppeisert@lbl.gov.

While my stepping down as Trusted CI Director is part of a larger life change I am making in that I will be leaving Indiana University at the end of the month, I will remain involved with Trusted CI to support this transition.

Thank you, it has been an honor.

Von

Indiana University Center for Applied Cybersecurity Research releases an “ Effective Cybersecurity for Research” Whitepaper

2022-06-22T14:02:00.000-04:00

The tension between cybersecurity and research has kept institutional cybersecurity efforts for research confined to the most sensitive research, especially in academia. Evolving threats and new cybersecurity requirements scoped beyond individual awards are now slated to change the status quo. They point to a future where securing research holistically is no longer optional. Indiana University’s Center for Applied Cybersecurity Research released a paper this week outlining an approach to cybersecurity for research that shows great promise in breaking the prevailing security versus research impasse. It focuses exclusively on the researcher and the research mission, reduces the cybersecurity and compliance burden on the researcher, and secures not only research subject to rules and regulations, but all research. It is being embraced by researchers voluntarily and accelerating research measurably.

The paper can be accessed by visiting this EDUCAUSE library page: Effective Cybersecurity for Research

2022 NSF Cybersecurity Summit- Call for Participation is now open- Submission deadline June 10th

2022-05-24T11:34:00.002-04:00

We are pleased to announce that the 2022 NSF Cybersecurity Summit is taking place the week of October 17th with the training and workshops occurring on Tuesday, October 18th, and plenary sessions occurring on Wednesday, October 19th, and Thursday, October 20th.

The final program is still evolving, but we will maintain our mission of providing a format designed to increase the NSF community’s understanding of cybersecurity strategies that strengthen trustworthy science: what data, processes, and systems are crucial to the scientific mission, what risks they face, and how to protect them.

Call for Participation (CFP)

Program content for the Summit is driven by our community. We invite proposals for plenary presentations & workshops. The deadline for CFP submissions is July 8th. To learn more about the CFP, please visit: www.trustedci.org/2022-summit-cfp

Student Program

To support workforce development, the Summit organizers invite several students to attend the Summit at no cost every year. Both undergraduate and graduate students may apply, and no specific major or course of study is required, as long as the student is interested in learning and applying cybersecurity innovations to scientific endeavors. To learn more about the student program, visit our website: https://www.trustedci.org/summit2022/students

On behalf of the 2022 NSF Cybersecurity Summit organizers and program committee, we welcome your participation and hope to see you in October.

More information can be found at: https://www.trustedci.org/2022-cybersecurity-summit

Better Scientific Software (BSSw) Helps Promote Trusted CI Guide to Securing Scientific Software

2022-05-13T11:08:00.001-04:00

Trusted CI is grateful to Better Scientific Software (BSSw) for helping to publicize the results of Trusted CI’s software security study, including its recently published findings report and Guide to Securing Scientific Software (GS3), via its widely-read blog. Read the full blog post here.

Trusted CI Webinar: Ransomware: Threats & Mitigations, June 27th @11am EST

2022-05-10T08:17:00.007-04:00

This event was originally scheduled to occur on May 23rd and has been rescheduled to June 27th.

REN-ISAC's Sarah Bigham and Krysten Stevens will be presenting the talk, Ransomware: Threats & Mitigations, on Monday June 27th at 11am (Eastern).

Please register here.

The education industry has unceremoniously emerged as the second most common target for ransomware. It continues to evolve in how it is used as a fund-raiser for criminal organizations and how the technology works, to keep its victims guessing as to defense and eradication. Institutions face the difficult challenge of preserving academic freedom, easy access to information, and open collaboration while defending from threat actors who exploit these same characteristics. This presentation will focus on the current threats and provide guidance on protecting against ransomware attacks.

Speaker Bios:

Sarah Bigham: joined the REN-ISAC in March 2014. As Lead Security Analyst, her day-to-day responsibilities include managing the REN-ISAC Blended Threat Workshops, working closely with the National Council of ISACs (NCI), FBI, DHS, and other state and federal peers to stay abreast of new and emerging threats, as well as special projects, and member relations. Before coming to the REN-ISAC, Sarah worked at Harvard University as a Systems Support Specialist focusing on campus-wide Identity & Access Management (IdM) and HIPAA compliance for Harvard University Health Services. Prior to that, Sarah was a defense contractor at the United States Naval Academy where she focused on user and desktop support across the Yard for all faculty, staff, and midshipmen. Sarah holds an Associate of Applied Science in Computer Network Management from Anne Arundel Community College (Annapolis, MD) and a Bachelor of Science in Information Systems Management from University of Maryland Global Campus.

Krysten Stevens joined REN-ISAC as Director of Technical Operations in 2020. She has a background in IT security analysis and cyber threat intelligence from Purdue University, where she used her leadership and expertise to train other security analysts, create security awareness programs, and develop threat intelligence strategies on an organizational level. Krysten graduated from Purdue University Global with an MS Cybersecurity Management in 2020, and she holds CISSP and GCTI certifications. When not at work, Krysten enjoys spending time with her husband, two children, five cats, and two golden retrievers (who refuse to retrieve).

---

Call for Trusted CI Framework Cohort Participation

2022-05-05T12:07:00.002-04:00

The Framework Cohort is a six month, group engagement aimed at facilitating adoption and implementation of the Trusted CI Framework among NSF Major Facilities. During the engagement, members of the cohort will work closely with Trusted CI to adopt the Trusted CI Framework at their facility, emerging with a validated assessment of their cybersecurity program and a strategic plan detailing their path to fully implement each Framework Must.Cohort members will participate in six monthly workshops (each three hours) and spend no more than eight hours each month outside of the workshops on cohort assignments. The second cohort will meet from July to December 2022.

Since January 2022, Trusted CI has been working with six Major Facilities in the inaugural Framework cohort: GAGE, LIGO, NOIRLab, NRAO, NSO and OOI. As this inaugural Framework cohort approaches completion in June 2022, Trusted CI is looking for Major Facilities that are interested in participating in the upcoming second cohort.

NSF Major Facilities interested in participating in the Framework cohort should respond to the call by completing the form at the bottom of this page: https://www.trustedci.org/trusted-ci-framework-cohort-participation.

If you have any questions, please contact us at info@trustedci.org.

2022 NSF Summit Student Program-Call For Application

2022-05-05T09:34:00.003-04:00

Every year, Trusted CI organizes and hosts the NSF Cybersecurity Summit to bring together leaders in NSF cybersecurity and cyberinfrastructure. To support workforce development, the Summit organizers invite several students to attend the Summit at no cost every year. Both undergraduate and graduate students may apply, no specific major or course of study is required, as long as the student is interested in learning and applying cybersecurity innovations to scientific endeavors.

Students may either self-nominate or be nominated by a mentor or teacher.

To be considered, students must submit a one-page letter (800-word maximum) describing their interest in and any relevant experience with cybersecurity, emphasizing the benefit to the student and/or community of their attendance at the Summit.

This letter must include the student's name, contact information, the institution of higher education of attendance, and their current expected year of graduation. A resume may be submitted in substitution for the requested information.

Up to fifteen successful student applicants will receive invitations to attend the Summit at no cost.

All applications will be reviewed by the Program Committee and students will be selected. The Program Committee will select students with an interest in advancing diversity and inclusiveness in the program.

The deadline for applications is August 1, 2022, with notification of acceptance to be sent by August 10, 2022.

Please discuss attendance with your instructors prior to attending.

APPLY TO ATTEND SUMMIT (FORM)

For more information on the event itself, please visit: https://www.trustedci.org/2022-cybersecurity-summit

Tips for Applying:

The most successful applicants will...

Be prepared to actively engage and participate with the programming.
Make it known that they are interested in complex cybersecurity needs around and new, efficient, effective ways to protect information assets while supporting science, even if they are new to the subject matter - let the program committee know why you are interested in this subject matter ; and
Relay at least 1-3 personal goals they would strive to meet while at the summit.

Highlighting these interests in the application will allow the review committee to understand why the student feels he or she will be best suited to attend the conference.

Send questions to students@trustedci.org

NSF Announces CICI Program Solicitation

2022-04-18T10:01:00.001-04:00

NSF’s Office of Advanced Cyberinfrastructure recently announced solicitation 22-581 in the Cybersecurity Innovation for Cyberinfrastructure program. Proposals, due June 27, are solicited in three areas:

Usable and Collaborative Security for Science (UCSS)
Reference Scientific Security Datasets (RSSD)
Transition to Cyberinfrastructure Resilience (TCR)

NSF is hosting a webinar covering the objectives of the CICI program on April 27th at 2 PM Eastern. During the 90-minute webinar, Program Director Robert Beverly will discuss the program and answer questions. The presentation portion of the webinar will be recorded and posted on the CICI program website. Please register to attend.

As a reminder, you can find resources for including Trusted CI in your proposal on our website.

Trusted CI webinar: Updates from the Trusted CI Framework Cohort, April 25th @11am EST

2022-04-12T16:06:00.001-04:00

Trusted CI's Scott Russell will be presenting the talk, Updates from the Trusted CI Framework Cohort, on Monday April 25th at 11am (Eastern).

Please register here.

The Trusted CI Framework is a minimum standard for cybersecurity programs. In response to cybersecurity guidance focused narrowly on cybersecurity controls, the Trusted CI Framework provides a more holistic and mission-focused standard for managing cybersecurity. In order to encourage adoption of the Trusted CI Framework, we have created a program called the Framework Cohort, where representatives from multiple NSF Major Facilities and other "Key Projects" participate in a group engagement with Trusted CI focused on adoption and implementation of the Framework.

This webinar will provide updates from the inaugural cohort, currently in progress, and discuss the opportunity to participate in future cohorts.

More information about the Framework can be found at https://www.trustedci.org/framework

Speaker Bio:

Scott Russell is a Senior Policy Analyst at the Indiana University Center for Applied Cybersecurity Research. Scott was previously the Postdoctoral Fellow in Information Security Law & Policy. Scott’s work thus far has emphasized private sector cybersecurity best practices, data aggregation and the First and Fourth Amendments, and cybercrime in international law. Scott studied Computer Science and History at the University of Virginia and received his J.D. from the Indiana University, Maurer School of Law.

---

SAVE THE DATE: Announcing the 2022 NSF Cybersecurity Summit, Oct 18-20 in Bloomington, Indiana

2022-04-06T15:51:00.000-04:00

Please mark your calendars for the 2022 NSF Cybersecurity Summit planned for October 18-20 at the Monroe Convention Center, Bloomington, Indiana, near the Indiana University Campus.

Plenary sessions are scheduled to take place October 19th and 20th, while training and workshops will take place on the 18th.

Stay tuned for more information by following the Trusted CI Blog or our Announcement email list for more updates.

On behalf of Trusted CI

Trusted CI Fellows urge researchers to protect their data

2022-04-04T11:07:00.000-04:00

Each year, Trusted CI selects a small number of community members to become Trusted CI Fellows. They make connections in the research cybersecurity community and receive training, knowledge, and skills from Trusted CI, which they can then take back into their local communities to advance the state of cybersecurity for research and serve as an ongoing Trusted CI liaison. Trusted CI also asks Fellows to produce a report to capture and share what they’ve learned and how it applies to their domain.

Trusted CI Fellows Deb McCaffrey and Michael Kyle have examined the security needs of higher education researchers in recently published reports. Having augmented their security knowledge from Trusted CI webinars and workshops, they advise researchers to take a systemic approach to protecting their data.

In her Trusted CI report, Deb McCaffrey, a research computing facilitator at the University of Michigan, explores the security needs of basic and clinical research. She concludes that researchers need a better understanding of their security environments to protect their data.

Michael Kyle is a scientific applications consultant for the University of Delaware. In his Trusted CI report, he describes how researchers can manage their risks with the proper classification and protection of digital research data.

Trusted CI thanks Deb and Michael for these contributions and will highlight these and future Fellows reports in the Fellows section of the Trusted CI website.

Trusted CI Publishes 2022 Report Summarizing its Impact on Over 500 NSF Projects

2022-03-28T15:43:00.000-04:00

Trusted CI has published its second Impacts Report analyzing our impact on the NSF community. The first report was published in 2018 and summarized our impact from 2012 to 2018. This new report updates our analysis under the current NSF cooperative agreement, which began in 2019 (award #1920430).

We define "impact" as the number of NSF projects (awards) that have had an engagement with Trusted CI or have had staff attend a Trusted CI event; including the NSF Cybersecurity Summit, webinars, and training events. Using that metric, we find that since 2012, Trusted CI has interacted with over 500 NSF projects, including over 300 NSF projects during the last 3 years (2019-2021).

The full report includes more details about our impact broken down by NSF Directorate, our engagements, Summit attendance, and more. It is available at https://doi.org/10.5281/zenodo.6350540.

White House Fact Sheet on cybersecurity protections

2022-03-22T16:41:00.000-04:00

On March 21, the White House published “FACT SHEET: Act Now to Protect Against Potential Cyberattacks” providing guidance on protection against potential Russian cyberattacks in response to sanctions. The White House post was covered by CNN, NBC News, Reuters, Bloomberg, and others.

The guidance in the Fact Sheet, specifically the Cybersecurity & infrastructure Security Agency’s (CISA) Shields Up guidance, is well established advice and in line with recommendations in Trusted CI’s Framework and software assurance guidance. Trusted CI encourages members of the NSF community who are considering or are in the process of implementing controls such as those mentioned in the Fact Sheet to have discussions among their leadership team about accelerating deployment of those protections at this time.

Trusted CI and OOI Complete Engagement

2022-03-22T14:50:00.001-04:00

The Ocean Observatories Initiative (OOI, https://oceanobservatories.org/), funded by the NSF OCE Division of Ocean Sciences #1743430, is a science-driven ocean observing network that delivers real-time data from more than 800 instruments to address critical science questions regarding the world’s oceans. OOI data are freely available online to anyone with an Internet connection.

The OOI provides an exponential increase in the scope and timescale of observations of the world’s oceans. Present and future educators, scientists, and researchers are able to draw conclusions about climatological and environmental processes based on these measurements, requiring the data to be accurate, with a flawless pedigree. As a result, the OOI has a requirement to protect its data from being altered by any external agent.

To this end, OOI-CI (OOI Cyberinfrastructure) solicited a consultation from Trusted CI to evaluate their current security program, along with guidance on reviewing and evaluating potential alternatives for an enhanced security posture. We refined and prioritized OOI’s needs to the following goals: (i) perform a security review of OOI’s cyberinfrastructure using the Trusted CI Security Program Evaluation worksheet, (ii) take steps toward adopting the Trusted CI Framework by developing a “master information security policies and procedures” document (MISPP), (iii) investigate and document missing policies and procedures, including questions and concerns raised by OOI, and unknowns discovered in above exercises, and (iv) provide guidance on creating an asset inventory, applying a control set, and creating and maintaining a risk registry.

The OOI team completed the Trusted CI Security Program Evaluation spreadsheet. This exercise started the OOI team thinking about and discussing cybersecurity concerns that were raised in the evaluation, both in previously known topics, but also unknown or undefined areas. The Trusted CI team created a list of prioritized recommendations aligned with Framework Musts -- core concepts that every cybersecurity program should have -- that the OOI team can use in addressing or documenting gaps.

We introduced OOI to the Framework and Implementation Guide, and had discussions concerning the Musts, what they entail, and how they apply to and define a mature security program. The OOI team attended the 2021 NSF Cybersecurity Summit and specifically The Framework Workshop, where they were able to benefit from a deeper dive into the Framework and implementation guidance.

OOI displayed a solid grasp of the suggested security program solution, the Trusted CI Framework, and of what needs to be done to adopt it. Completely adopting the Framework was beyond the scope of this engagement, however OOI focused on (i) developing the top-level Master Information Security Policy & Procedures (MISPP) document, (ii) develop a Cybersecurity Strategic Plan, and (iii) develop supplemental security program policies, e.g., Incident Response Plan, Disaster Recovery, and Acceptable Use Policies.

In addition to creating top level policy documents, Trusted CI stressed the importance of having an up to date asset inventory as well as selecting and applying a base-line control set. The OOI team began identifying their critical assets as well as selecting CIS v8 as a control set and then aimed to apply controls from Implementation Groups 1 and 2. Trusted CI staff also provided a list of ‘high priority’ controls to focus on that would provide the best ROI for time and resources spent implementing.

We are pleased to announce that OOI is a participant in Trusted CI’s Framework Cohort taking place the first half of 2022 (1H2022). This will allow them to continue their work on creating and refining a mature security program while working with other NSF Major Facilities under the guidance and expertise of Trusted CI’s Framework team.

The engagement ran from August 16, 2021 to December 31, 2021, and was recorded in the document “OOI / Trusted CI Engagement Final Report” (https://hdl.handle.net/2022/27253).

Join Us at EDUCAUSE CPP Conference - Early Registration Ends 3/22

2022-03-11T09:00:00.003-05:00

Trusted CI will be presenting at the 2022 EDUCAUSE Cybersecurity and Privacy Professionals Conference on May 3 - 5th in Baltimore, MD. The CPPC is “the premier forum for connecting with higher education information security and privacy professionals.” Early registration for this conference ends Tuesday, March 22nd. Trusted CI’s Ishan Abhinit, Kathy Benninger, and Mark Krenz will be participating in the sessions listed below. We are looking forward to seeing you at this exciting event!

Training: Security Log Analysis
Tuesday, May 03 | 8:30AM–12:00PM ET
Presenters: Ishan and Mark
The security log analysis workshop walks participants through the security log analysis life cycle, providing considerations for centralized log collection and log management tools, phases of compromise, and examples from real attacks. We will be analyzing logs from Zeek Network Security Monitor, the Apache web server, two-factor authentication systems, cloud service logs, and others. This workshop also includes a hands-on exercise that will demonstrate techniques to analyze logs to detect security incidents using both the command line and Elastic Stack (aka ELK). The hands-on exercise will provide an overview of investigation techniques to determine security incident logs of some common attacks like SQL injection, filesystem traversal, brute force attacks, command-line injection, and more. Recent security vulnerabilities, such as log4shell, will also be discussed, along with techniques for detection. This will be an interactive session allowing Q&A and will also feature interactive polls to enhance participants' learning experience.

Training: Security in the Shell (or, How I Learned to Think Before Forking)
Tuesday, May 03 | 1:00PM–4:30PM ET
Presenters: Ishan and Mark
Although it is one of the oldest technologies in IT, the command line and terminal emulators continue to be in wide use for modern IT needs. Although people may think of these technologies as having a solid security footing, there are a number of ways someone can shoot themselves in the foot while using them, and I'm not just talking about running "rm -fr /". In this workshop, Mark Krenz, the creator of the popular Twitter account climagic, will demonstrate these and guide students through how to practice better command line security, from understanding the metadata that is generated by your favorite editor to knowing how to exploit SSH, knowing how to protect yourself when checking malware, and much more. There is something for everyone in this workshop, and you are sure to come away with a plethora of job-saving tips.

Breakout session: Security Recommendations for Science DMZs
Wednesday, May 04 | 10:45AM–11:30AM ET
Presenters: Ishan, Kathy, and Mark
A Science DMZ is a special network architecture designed to improve the speed at which large science data transfers can be made. They have become a common solution to the issue of busy academic networks causing slowdowns or failures of large data transfers. A new paper published by Trusted CI on the security of Science DMZs provides an overview of this type of network architecture, summarizing the current best practice cybersecurity risk mitigations as well as providing additional security recommendations. This session is a brief introduction to the Science DMZ concept and presents an overview of the mitigations documented in the paper.

Trusted CI Applauds JASON Report on Facilities Cybersecurity

2022-03-09T09:28:00.000-05:00

In 2021, the NSF "commissioned a study by the JASON advisory group to assess and make recommendations regarding cybersecurity at NSF’s major facilities.” In December, NSF publicly released the seven recommendations from the JASON group and NSF’s response to those recommendations. Given Trusted CI’s role over the past 10 years in providing leadership and guidance to NSF Major Facilities, we welcomed the opportunity to contribute to the JASON group’s study and the dialogue it spurred. The following text consists of each of the JASON group’s recommendations, followed by the response from NSF, and Trusted CI’s response, which is the unique contribution of this document. We provide our responses to help the community understand how Trusted CI can help them as they consider these recommendations and their impact within their own projects.

JASON recommendation: “NSF should maintain its current approach of supporting major facilities to enhance cybersecurity through assessments of risk, and development and implementation of mitigation plans. A prescriptive approach to cybersecurity should be avoided because it would be a poor fit to the diversity of facilities, would inefficiently use resources, and would not evolve quickly enough to keep up with changing threats.” NSF response: “NSF intends to maintain its current philosophy of performing oversight of awardee plans that are tailored to the unique natures of the individual major facilities. Through its review processes, NSF will ensure that these plans are consistent with best practices for cybersecurity that are in common between major research facilities and other types of infrastructure.”

Trusted CI response: Trusted CI will continue helping the NSF community develop and improve their cybersecurity plans which capture and prioritize best practices. Trusted CI will continue training and advising Major Facilities as they mature their cybersecurity programs and develop prioritized, mission-sensitive plans. We are available to support NSF reviews in any way that serves the community. We encourage expansion of NSF’s current approach and the inclusion of Trusted CI in the process of establishing generalized best practices for Major Facilities. We recommend those best practices align closely or equate to the Trusted CI Framework. NSF also recently released a new version of the Research Infrastructure Guide (formerly the Major Facilities Guide). Section 6.3 (Guidelines for Cybersecurity of NSF’s Major Facilities) has been significantly updated to align and refer to the Framework.

2. JASON recommendation: “An executive position for cybersecurity strategy and coordination for major facilities should be created at NSF. This executive should have authorities that allow them to continually support the balancing of cybersecurity, scientific progress, and cost in the distinct ways that will be appropriate for each facility.”

NSF response: “NSF notes and agrees with the emphasis on such a position on strategy and coordination. NSF will explore different options for initiating the position and plans to create such a position within the next six months."

Trusted CI response: We strongly endorse this foundational recommendation and we look forward to collaborating with the new executive to fulfill our aligned missions. In Trusted CI’s experience, cybersecurity frequently proves ineffective or counterproductive when cybersecurity leadership lacks an understanding of the organization’s mission. An executive at NSF with expertise in both cybersecurity and the research mission would bring valuable additional perspective and leadership to NSF.

3. JASON recommendation: “Using annual reporting and review processes, NSF should ensure major facilities implement robust cybersecurity programs that remain consistent with current best practice.”

NSF response: “NSF plans to review the elements of a good facility cybersecurity program, currently described in Section 6.3 of the NSF Major Facilities Guide, to ensure that this section is up to date. NSF will add cybersecurity as a required element of annual reports and program plans and conduct any additional specialized reviews based on perceived risk.”

Trusted CI response: Trusted CI helps facilities develop cybersecurity programs that help ensure productive, trustworthy science. The Trusted CI Framework is a tool to help organizations establish and refine their cybersecurity programs. In March 2021, we released the Framework Implementation Guide for Research Cyberinfrastructure Operators, which contains detailed guidance that can help major facilities implement effective cybersecurity programs and thereby addresses Section 6.3 of the Research Infrastructure Guide.

4. JASON recommendation: “NSF should develop a procedure for response to major cybersecurity incidents at its major research facilities, encompassing public relations, coordination mechanisms, and a pre-ordained chain of authority for emergency decisions. Each major facility should also have their own response plan that is both specific to its needs and consistent with NSF's plan.”

NSF response: “NSF has charged a working group to develop a more robust response plan that integrates with both the agency's overall crisis communications plan and the response plans at the individual major facilities.”

Trusted CI response: Through our ongoing engagement activities with NSF Major Facilities and our mission "to lead in the development of an NSF Cybersecurity Ecosystem," we are uniquely positioned to provide guidance to this working group. During the past decade, we have built our understanding of cybersecurity challenges faced by the Major Facilities by hosting the annual Cybersecurity Summit, establishing and facilitating monthly meetings of the Large Facilities Security Team, and conducting 13 direct one-on-one engagements with the 10 of the Major Facilities. We look forward to bringing that experience, along with our ever-increasing understanding of the threat landscape faced by research facilities, to a productive collaboration with the working group and the executive identified in recommendation #2.

5. JASON recommendation: “NSF and the major facilities must be adequately resourced for their cyberinfrastructure and cybersecurity needs. What is appropriate will depend on each facility's unique characteristics and specific needs. The cybersecurity budget should be commensurate with perceived risk of an event, which may be unrelated to the cost of constructing or operating the facility.”

NSF response: “NSF will work with each awardee to develop a cybersecurity risk register for each major facility and will then integrate those risk registers in order to determine the highest NSF risks and implement any needed mitigations.”

Trusted CI response: We agree with the JASON group’s assertion that Major Facilities must be adequately resourced for their cybersecurity needs. Cybersecurity spending is a necessary focus area in the expanding dialogue among Major Facilities, NSF, and other relevant stakeholders. Adequate resourcing to address unacceptable cybersecurity risk is precisely the subject of the Trusted CI Framework’s Must 11. Cybersecurity risk registers may be a helpful tool assessing whether cybersecurity spending is commensurate with the threats posed by unmitigated risk. However, the need for the allocation of cybersecurity resources is fundamental.

6. JASON recommendation: “NSF should refine facility proposal and design review processes to ensure that new major facilities plan cybersecurity as an integral part of the information technology infrastructure. NSF should regularly review the cybersecurity plans and efforts of both new and existing major facilities. Shifts to cloud-based cyberinfrastructure and to a wider range of partners will impact cybersecurity planning and need to be considered at proposal time.”

NSF response: “NSF believes that the cybersecurity review process at the time of awards should be risk-based. NSF will work to ensure that cybersecurity is a specified element and review criterion of each call for proposals in a major facility competition. For a renewal proposal, NSF will include a requirement for submission of a cybersecurity plan. For a new construction award, or a project in the Design Stage, the cybersecurity plan will be required to be integrated with the Project Execution Plan. NSF will assure that appropriate expertise is present on review panels to assess the adequacy of the cybersecurity plan.”

Trusted CI response: We support the recommendation to require cybersecurity planning as part of facility proposal and design and would extend that recommendation to include the construction phase as well. For renewal proposals, we recommend expanding the requirement such that facilities must submit evidence of an active cybersecurity program (not just a plan). Trusted CI’s guidance provides facilities with the means to both plan and assess their programs. Prioritized, mission-based cybersecurity planning is central to the Trusted CI Framework, and we have demonstrated experience supporting NSF Major Facilities with cybersecurity strategic planning, through activities like the LFST, regular engagements, the NSF Summit and our 2022 Framework cohort.

7. JASON recommendation: “NSF should remain aware of national security concerns regarding its facilities and continue to facilitate coordination with appropriate agencies.”

NSF response: “NSF will conduct an assessment of national security concerns that may be associated with its major research facilities.”

Trusted CI response: Several members of the Trusted CI team have experience working at the intersection of cybersecurity and national security, and we are happy to be a resource to facilities in this area. Trusted CI has a long and successful history providing tailored, actionable guidance and expertise to NSF Major Facilities. The JASON working group’s recommendations are a strong endorsement of NSF’s direction, Trusted CI’s contribution, and if followed, represent a step forward in ensuring the security of our nation’s science. Collaborating with NSF and Major Facilities to enable trustworthy science is central to Trusted CI’s mission.

Trusted CI Announces The 2022 Fellows

2022-02-22T09:54:00.000-05:00

Trusted CI, the NSF Cybersecurity Center of Excellence, is excited to announce the Trusted CI Open Science Cybersecurity Fellows. Eight individuals with professional interests in cybersecurity have been selected from a nationally competitive pool. During the year of their Fellowship, they will receive recognition and cybersecurity professional development including training and travel funding to cybersecurity-related events.

The 2022 Trusted CI Open Science Cybersecurity Fellows are:

Brian Roland
Data Management Specialist at Northwestern University

Brian Roland provides Data Management support and consultation for researchers at Northwestern University. He supports researchers across a broad spectrum of research disciplines with data workflow design and leveraging the appropriate data storage and data transfer solutions to meet their research goals and both federal and institutional compliance needs. In addition to providing data workflow support, Brian enjoys working with his colleagues on building out institutional lines of service that help optimize the data flows involved with researchers' analysis and data management plans.

Charles McElroy
Assistant Professor at Cleveland State University

Professor Charles McElroy earned his PhD from Case Western Reserve University, (Cleveland, OH) in Information Systems in 2017. There he studied how diverse scientific teams used sophisticated cyberinfrastructure to formulate complex arguments. Upon graduation, Professor McElroy won a national competition sponsored by the Office of the Director for National Intelligence to conduct research in data science at the Center for Data-Driven Discovery (CD3) at the California Institute of Technology (Pasadena, CA). At the conclusion of his IC PostDoc experience, Professor McElroy won a Fulbright Fellowship to Oxford University (2019), where he focused on issues related to Cyber-Security. Professor McElroy is currently a new Assistant Professor in Information Systems at Cleveland State University. His interests include data science, AI, machine learning, and how these tools can be applied to cybersecurity issues.

Garhan Attebury
Lead System Administrator at the University of Nebraska-Lincoln

Garhan Attebury is the lead system administrator within the Holland Computing Center at the University of Nebraska. His efforts and interests cover a wide spectrum of research computing areas from local HPC needs to global computing with involvement in the WLCG and other distributed platforms. He additionally acts as the networking and security liaison for HCC and has a strong interest in architecting solutions that balance enabling research with meeting security and privacy needs.

Hannah Hiles
Research Project Manager and Product Owner at RENCI

Hannah Hiles is a research project manager and product owner at the Renaissance Computing Institute (RENCI). She received her MS in Library and Information Science from UNC Greensboro; her studies focused on academic and digital libraries and served as a touchstone for instilling curiosity about the intersection of people and information. Her research is centered around UI/UX development, mindful community engagement, and iterative design of best practices to support researchers and their research communities in accomplishing shared goals.

Joseph White-Swift
Systems Engineer for HPC/CI in the Office of Information Technology at The University of Texas at Dallas

Joey is a systems engineer at the University of Texas at Dallas focusing on CI and Networking. Wearing his CI hat, he primarily serves economists from around the Federal Reserve Bank System in a partnership to admin and supports their Big-Tex Cluster. Wearing his networking hat, he provides networking support and services for the university CI infrastructure and the university science DMZ, which includes both the Texas Research and education CyberInfrastructure Services (TRECIS) and the Global Environment network Innovations (GENI) projects. Wearing his researcher hat, he works with, supports, and conducts research as a member of the Open Networking Advanced Research (OpNeAR) Lab and has also served as a reviewer for the INDIS Workshop since 2020. Joey has been a member of the IEEE since 2016 and is an Eagle Scout.

Melissa Cragin
Chief Strategist for Data Initiatives in the Research data Services at SDSC/UCSD

Melissa Cragin is Chief Strategist for Data Initiatives in the Research Data Services division at the San Diego Supercomputer Center (SDSC), at the University of California San Diego (UCSD).Prior to joining SDSC, Melissa was the Executive Director of the Midwest Big Data Hub, based at the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign (UIUC). Previously, Melissa served for several years in the Office of the Assistant Director, Directorate of Biological Sciences at the National Science Foundation (NSF), where she guided the development of data policy and accelerated community engagement on research data management and public access. At SDSC, Melissa works on projects to improve data access and use, and foster the development of the national data infrastructure ecosystem and related policy. Melissa has a PhD in information science from the iSchool at Illinois (UIUC), and a MLIS degree from Rutgers University.

Stephen Streng
Research Development Strategist with the Strategic Projects and Research Collaborative (SPARC) at the University of Minnesota

Stephen Streng is a Research Development Strategist with the Strategic Projects and Research Collaborative (SPARC) at the University of Minnesota (UMN). In this role, he helps interdisciplinary and multi-institutional teams and the UMN system achieve significant impact by providing competitive intelligence, strategic planning, proposal development, and project design consultation. Stephen has been involved in cybersecurity since 2015 when in a previous role at the UMN Food Protection and Defense Institute (FPDI), he initiated FPDI’s cybersecurity research program by organizing and facilitating the first Food Industry Cybersecurity Summit. In 2019, FPDI published his white paper, Adulterating More Than Food: The Cyber Risk to Food Processing and ManufacturingMore Than Food: The Cyber Risk to Food Processing and Manufacturing, which examined the cyber risks to industrial control systems in food processing and manufacturing industries. Stephen is a former Department of Homeland Security Analytic Exchange Program (AEP) participant as a member of the Protecting Sensitive Data and Intellectual Property topic team, and he currently serves on the UMN Highly Restricted Data Steering Committee. Stephen continues to consult for FPDI and has an ongoing interest in operational technology cybersecurity. participant as a member of the Protecting Sensitive Data and Intellectual Property topic team, and he currently serves on the UMN Highly Restricted DataSteering Committee. Stephen continues to consult for FPDI and has an ongoing interest in operational technology cybersecurity.

Unal Tatar
Assistant Professor at SUNY at Albany

Dr. Unal Tatar is an assistant professor at the College of Emergency Preparedness, Homeland Security, and Cybersecurity at the University at Albany. Dr. Tatar served as the head of the National Computer Emergency Response Team of Turkey and as an academic advisor at the NATO Center of Excellence Defense Against Terrorism. Dr. Tatar has three main lines of research: the economics of cybersecurity and risk management, critical infrastructure protection and national security, and cybersecurity capacity building and workforce development. Dr. Tatar’s research has been funded by NSF, DOD, NSA, ONR, AFRL, NATO, and several foundations. Dr. Tatar holds a BS in Computer Science, an MS in Cryptography, and a Ph.D. in Engineering Management and Systems Engineering.

The Fellows will receive training consisting of a Virtual Institute, providing 20 hours of basic cybersecurity training over six months. The training will be delivered by Trusted CI staff and invited speakers. The Virtual Institute will be presented as a weekly series via Zoom and recorded to be publicly available for later online viewing. Travel support is budgeted (during their first year only) to cover fellows’ attendance at the NSF Cybersecurity Summit, PEARC, and one professional development opportunity agreed to with Trusted CI. The Fellows will be added to an email list to discuss any challenges they encounter that will receive prioritized attention from Trusted CI staff. Trusted CI will recognize the Fellows on its website and social media. Fellowships are funded for one year, after which the Trusted CI Fellows will be encouraged to continue participating in Trusted CI activities in the years following their fellowship year. After their training in the Virtual Institute, Fellows, with assistance from the Trusted CI team, are expected to help their science community with cybersecurity and make them aware of Trusted CI for complex needs. By the end of the year, they will be expected to present or write a short white paper on the cybersecurity needs of their community and some initial steps they will take (or have taken) to address these needs. After the Fellowship year Trusted CI will continue to recognize the cohort of Fellows and give them prioritized attention. Over the years, this growing cohort of Fellows will broaden and diversify Trusted CI’s impact.

About the Trusted CI Fellows Program

Trusted CI serves the scientific community as the NSF Cybersecurity Center of Excellence, providing leadership in and assistance in cybersecurity in the support of research. In 2019, Trusted CI establish an Open Science Cybersecurity Fellows program. This program establishes and support a network of Fellows with diversity in both geography and scientific discipline. These fellows will have access to training and other resources to foster their professional development in cybersecurity. In exchange, they will champion cybersecurity for science in their scientific and geographic communities and communicate challenges and successful practices to Trusted CI.

Fellows come from a variety of career stages. They demonstrate a passion for their area, the ability to communicate ideas effectively, and a real interest in the role of cybersecurity in research. Fellows are empowered to talk about cybersecurity to a wider audience, network with others who share a passion for cybersecurity for open science and learn key skills that benefit them and their collaborators.

Trusted CI Webinar: The Results of the Trusted CI Annual Challenge on Software, Mon Feb. 28 @ 1pm Eastern

2022-02-14T14:48:00.010-05:00

Members of Trusted CI are presenting the Results of the Trusted CI Annual Challenge on Software, on Monday February 28th at 1pm (Eastern). Note the time is later than previous webinars.

Please register here.

This webinar presents the results of Trusted CI's 2021 examination of the state of software assurance in scientific computing, and also gives an overview of the contents of its recently released Guide to Securing Scientific Software (GS3), aimed at helping developers of software used in scientific computing improve the security of that software.

See our blog post announcing the report:
https://blog.trustedci.org/2021/12/publication-of-trusted-ci-guide-to.html

Speaker Bios:

Dr. Elisa Heymann Pignolo is a Senior Scientist on the NSF Cybersecurity Center of Excellence at the University of Wisconsin, and an Associate Professor at the Autonomous University of Barcelona. She was in charge of the Grid/Cloud security group at the UAB, and participated in two major Grid European Projects: EGI‐InSPIRE and European Middleware Initiative (EMI). Heymann's research interests include security and resource management for Grid and Cloud environments. Her research is supported by the NSF, Spanish government, the European Commission, and NATO.

Prof. Barton Miller is the Vilas Distinguished Achievement Professor and Amar & Belinder Sohi Professor in computer science at the University of Wisconsin-Madison. Prof. Miller founded the field of fuzz random testing, which is foundational to computer security and software testing. In addition, he founded (with his then-student Prof. Jeffrey Hollingsworth) the field of dynamic binary instrumentation, which is a widely used, critical technology for cyberforensics. Prof. Miller advises the Department of Defense on computer security issues though his position at the Institute for Defense Analysis and was on the Los Alamos National Laboratory Computing, Communications and Networking Division Review Committee and the US Secret Service Electronic Crimes Task Force (Chicago Area). He is currently an advisor to the Wisconsin Security Research Council. Prof. Miller is a fellow of the ACM.

Dr. Sean Peisert leads applied research and development in computer security at the Berkeley Lab and UC Davis. He is also chief cybersecurity strategist for CENIC; co-lead of Trusted CI, the NSF Cybersecurity Center of Excellence; editor-in-chief of IEEE Security & Privacy; a member of the Distinguished Expert Review Panel for the NSA Annual Best Scientific Cybersecurity Paper Competition; a member of the DARPA Information Science and Technology (ISAT) Study Group; an ACSA Senior Fellow; past chair of the IEEE Technical Committee on Security & Privacy' and is a steering committee member and past general chair of the IEEE Symposium on Security and Privacy ("Oakland").

---