Cybersecurity Challenges and Opportunities

Anita Nikolich
Program Director, Advanced Cyberinfrastructure
October 2015
Why Worry about Security in the Scientific Environment?
• Integrity of data and results
• Embarrassment, damage to reputation
• High value assets – understand and manage risk
• Scientific Collaborations based on trust
• Being used to harm others would be damaging to one’s reputation
• Rutgers – 4 attacks in 5 months. Cost 2 Bitcoin, or ~$500! Knocked out Wi-Fi, course registration, email. Goal to annoy.

Facilities Security (FacSec)
• Group of NSF Program Directors with responsibility for large projects or facilities (i.e., LSST, OOI, Polar)
• Quarterly meetings to exchange best practices, share information
• Facilitated by ACI

Secure and Trustworthy Cyberspace (SaTC)
• Cross Directorate Program
• Aims to support fundamental scientific advances and technologies to protect cyber-systems from malicious behavior, while preserving privacy and promoting usability.
• Develop the foundations for engineering systems inherently resistant to malicious cyber disruption
• Cybersecurity is a multi-dimensional problem, involving both the strength of security technologies and variability of human behavior.
• Encourage and incentivize socially responsible and safe behavior by individuals and organizations
• Focus on Privacy: Dear Colleague Letter for new collaborations between Computer and Social Scientists, including a focus on privacy.

SaTC FY15 Funding Areas
Access control
Anti-malware
Anticensorship
Applied cryptography
Authentication
Cellphone network security
Citizen science
Cloud security
Cognitive psychology
Competitions
Cryptographic theory
Cyber physical systems
Cybereconomics
Cyberwar
Digital currencies
Education
Forensics
Formal methods
Governance
Hardware security
Healthcare security
Insider threat
Intrusion detection
Mobile security
Network security
Operating systems
Personalization
Privacy
Provenance
Security usability
Situational awareness
Smart Grid
Social networks
Sociology of security
Software security
Vehicle security
Verifiable computation
Voting systems security
Web security

SaTC: Transition to Practice (TTP)
• Supports later stage activities in the research and development lifecycle such as prototyping and experimental deployment
• ACI Funded
• Looking for early adopters
• Review Criteria:
  • Impact on deployed environment
  • Value in terms of needed capability and potential impact across the NSF community
  • Feasibility, utility, and interoperability in operation
  • Project plan including goals, milestones, demonstration and evaluation
  • Tangible metrics to evaluate effectiveness of capabilities developed

Center for Trustworthy Scientific Cyberinfrastructure (CTSC)
PI: Von Welch, Indiana University
• Mission: Establish a coherent cybersecurity ecosystem for NSF computational science and engineering, while allowing projects to focus on their science endeavors.
• Trustedci.org - webinars, project documents, best practices, online free training, etc.
• Hosts annual Large Facilities Cybersecurity Summit, 120+ attendees

CTSC Community Engagements
• No cost outside of time and effort.
• Can be answering a question, a phone call to advise, a day-long review, or week-to-month of collaboration.
• Examples:
  • Building or reviewing a cybersecurity plan
  • Software assessment
  • Design review
  • Advanced challenges (federated IdM, delegation, etc.)
  • Topics as needed by the community.
trustedci.org

CTSC: Security Training
• For PIs or Technical Staff
  • Secure coding
  • Identity Management/InCommon
  • Developing a cybersecurity plan
  • Present at existing conferences (XSEDE, SC, NSF Cybersecurity Summit, etc.) or can come to you
• TrustedCI Forum for users:
  • https://trustedci.groupsite.org
  • Questions, discussions regarding NSF cybersecurity
* Did I mention it’s at no cost to you? Contact ask@trustedci.org

Cybersecurity Innovation for Cyberinfrastructure (CICI) NSF 15-549
Activities that impact the security of science, engineering and education environments
Target community is operational cyberinfrastructure

FY15 $11M/13 awards. FY15 Areas:
• Cybersecurity Center of Excellence ($5M award, still pending)
• Secure Data Provenance ($500K awards)
• Secure Architecture Design ($500K awards)

Cybersecurity Innovation for Cyberinfrastructure (CICI)
• FY16 Areas TBD
• Focus on security of scientific workflow and operational cyberinfrastructure
• What are your greatest privacy, security, identity management challenges?

Examples of ACI Funded Security Projects
• Bro IDS - ubiquitous at large sites and campuses
• ShellOS Malware Detection – UNC-Chapel Hill deploys in production. More accurate and useful than off the shelf appliances.
• CICI: Mini Science DMZ for Scientific Instruments (IU)
• CICI: Provenance-Based Trust Management for Collaborative Data Curation (UPenn)
• CICI: CapNet: Secure Scientific Workloads with Capability Enabled Networks (Utah)

Security within ACI programs
• Data/DIBBs – Focus on privacy and integrity of data sets
• Software/SI2 – Focus on trustworthy software. Vulnerability assessments throughout process
• HPC – Focus on integrity of results and secure interoperability of computing resources
• LWD – Integration of training and education through CICI

How Can NSF Help?
Tell me your biggest security challenge – lack of tools? Lack of people? Lack of time to think about security? Not wanting to impede the scientific workflow?
Talk to me today or email me: anikolic@nsf.gov