Cybersecurity Challenges and Opportunities Anita Nikolich Program Director, Advanced Cyberinfrastructure October 2015 Why Worry about Security in the Scientific Environment? Integrity of data and results Embarrassment, damage to reputation High value assets – understand and manage risk Scientific Collaborations based on trust Being used to harm others would be damaging to one’s reputation Rutgers – 4 attacks in 5 months. Cost 2 Bitcoin, or ~$500! Knocked out Wi-Fi, course registration, email. Goal to annoy. 2 Facilities Security (FacSec) Group of NSF Program Directors with responsibility for large projects or facilities (ie, LSST, OOI, Polar) Quarterly meetings to exchange best practices, share information Facilitated by ACI 3 Secure and Trustworthy Cyberspace (SaTC) Cross Directorate Program Aims to support fundamental scientific advances and technologies to protect cyber-systems from malicious behavior, while preserving privacy and promoting usability. Develop the foundations for engineering systems inherently resistant to malicious cyber disruption Cybersecurity is a multi-dimensional problem, involving both the strength of security technologies and variability of human behavior. Encourage and incentivize socially responsible and safe behavior by individuals and organizations Focus on Privacy: Dear Colleague Letter for new collaborations between Computer and Social Scientists, including a focus on privacy. 4 SaTC FY15 Funding Areas Access control Anti-malware Anticensorship Applied cryptography Authentication Cellphone network security Citizen science Cloud security Cognitive psychology Competitions Cryptographic theory Cyber physical systems Cybereconomics Cyberwar Digital currencies Education Forensics Formal methods Governance Hardware security Healthcare security Insider threat Intrusion detection Mobile security Network security Operating systems Personalization Privacy Provenance Security usability Situational awareness Smart Grid Social networks Sociology of security Software security Vehicle security Verifiable computation Voting systems security Web security 5 SaTC: Transition to Practice (TTP) Supports later stage activities in the research and development lifecycle such as prototyping and experimental deployment ACI Funded Looking for early adopters Review Criteria: Impact on deployed environment Value in terms of needed capability and potential impact across the NSF community Feasibility, utility, and interoperability in operation Project plan including goals, milestones, demonstration and evaluation Tangible metrics to evaluate effectiveness of capabilities developed 6 Center for Trustworthy Scientific Cyberinfrastructure (CTSC) PI: Von Welch, Indiana University Mission: Establish a coherent cybersecurity ecosystem for NSF computational science and engineering, while allowing projects to focus on their science endeavors. Trustedci.org - webinars, project documents, best practices, online free training, etc Hosts annual Large Facilities Cybersecurity Summit, 120+ attendees 7 CTSC Community Engagements No cost outside of time and effort. Can be answering a question, a phone call to advise, a day-long review, or week-to-month of collaboration. Examples: • • • • • Building or reviewing a cybersecurity plan Software assessment Design review Advanced challenges (federated IdM, delegation, etc.) Topics as needed by the community. trustedci.org 8 CTSC: Security Training For PI’s or Technical Staff Secure coding • Identity Management/InCommon • Developing a cybersecurity plan • Present at existing conferences (XSEDE, SC, NSF Cybersecurity Summit, etc.) or can come to you TrustedCI Forum for users: • https://trustedci.groupsite.org Questions, discussions regarding NSF cybersecurity • * Did I mention it’s at no cost to you? Contact ask@trustedci.org 9 Cybersecurity Innovation for Cyberinfrastructure (CICI) NSF 15-549 Activities that impact the security of science, engineering and education environments Target community is operational cyberinfrastructure FY15 $11M/13 awards. FY15 Areas: Cybersecurity Center of Excellence ($5M award, still pending) Secure Data Provenance ($500K awards) Secure Architecture Design ($500K awards) 10 Cybersecurity Innovation for Cyberinfrastructure (CICI) FY16 Areas TBD Focus on security of scientific workflow and operational cyberinfrastructure What are your greatest privacy, security, identity management challenges? 11 Examples of ACI Funded Security Projects Bro IDS - ubiquitous at large sites and campuses ShellOS Malware Detection – UNC-Chapel Hill deploys in production . More accurate and useful than off the shelf appliances. CICI: Mini Science DMZ for Scientific Instruments (IU) CICI: Provenance-Based Trust Management for Collaborative Data Curation (UPenn) CICI: CapNet: Secure Scientific Workloads with Capability Enabled Networks (Utah) 12 Security within ACI programs Data/DIBBs – Focus on privacy and integrity of data sets Software/SI2 – Focus on trustworthy software. Vulnerability assessments throughout process HPC – Focus on integrity of results and secure interoperability of computing resources LWD – Integration of training and education through CICI 13 How Can NSF Help? Tell me your biggest security challenge – lack of tools? Lack of people? Lack of time to think about security? Not wanting to impede the scientific workflow? Talk to me today or email me: anikolic@nsf.gov 14