- Cybersecurity is increasingly becoming a concern for domain scientists
- The Open Science Cyber Security Profile joins the information security and domain science worlds
- Scientific integrity is at risk; we all benefit from a secure scientific workflow
We should value dictionaries more than we do.
When we travel to another part of the world, encounter a new concept, or hear a word for the first time, what do we do? We run to a dictionary to decipher what is meant by these strange new terms.
This is the same challenge scientists face today. As recent events have taught us (e.g., the Stuxnet attack on Iranian centrifuges, the attack on the Ukrainian power grid), scientific research is dangerously vulnerable in the cyber age.
But when scientists look to cybersecurity experts to shore up these vulnerabilities, they find linguistic barriers. Words like confidentiality, availability, integrity — these terms don’t mean the same thing to information security professionals as they do to scientists.
So these domain researchers, not formally trained in information-technology-ese, find themselves casting around for language and concepts to help them better manage the risks facing open science today.
To bridge this linguistic divide, funding from the National Science Foundation (NSF) and the Department of Energy (DOE) has launched the Open Science Cyber Risk Profile (OSCRP).
Coordinated between the NSF’s Cybersecurity Center of Excellence, the DOE’s Energy Sciences Network (ESnet), and the Center for Trustworthy Scientific Cyberinfrastructure (CTSC), the initiative is building a full risk profile for the open science community.
“Our motivation is to help ensure the trustworthy nature of scientific computing by better understanding the project risks posed to science from cyberattacks,” says OSCRP organizer and CTSC director Von Welch.
“We want to enable a scientist and an information security professional to discuss the scientific assets critical to a project, and then translate the technical risks associated with those assets into risks to the science mission.”
Translating between the partnering communities can stave off some serious problems. What happens when an environmentally controlled, Internet of Things-connected cooler with sensitive biological samples is turned off remotely?
What happens if code controlling a planetary lander is compromised and a descent thruster is not activated at the opportune moment?
At other times, the consequences of compromised scientific efforts aren’t fatal. Sometimes scientists embargo their research data, reserving it from publication until scientific consensus is achieved.
“Our society is seeing an increasing level of sophistication in computer attacks that emulate scenarios one assumed were confined to Hollywood,” says Sean Peisert, staff scientist in the Computational Research Division at Lawrence Berkeley National Laboratories and co-organizer of the OSCRP.
“It is also increasingly common to see open science as a target, as it includes both politically sensitive topics, valuable intellectual property, and areas with increasing privacy ramifications such as genomics and urban sensing.”
More fundamentally, compromised data integrity places the entire scientific edifice at risk. A remote-controlled mountaintop telescope has one chance to catch a glimpse of a supernova; what is the cost to humanity if this event is missed?
What happens when corrupted data is discovered only after publication? Reputations, like Humpty-Dumpty, are notoriously difficult to repair.
“The number, variety, and sophistication of cyber threats are increasing, and any scientist overseeing cyberinfrastructure has an obligation and a vested interest in cybersecurity due diligence,” says Karen Stocks, director of the Geological Data Center at the Scripps Institution of Oceanography at the University of California San Diego.
An oceanographer by training, Stocks is part of the OSCRP working group. She leads a data center in California, and like many scientists today, views computation as an essential tool.
“If you want to understand global patterns of deep sea biodiversity, for example, you need aggregated global biodiversity data,” says Stocks.
What’s more, in a scientific environment with limited computational resources, the open science model of sharing solutions and resources creates efficiency that would have been unattainable before the advent of modern research networks and high-performance computing centers.
But when researchers move into the brave new world of advanced scientific computing without the training to secure their work, we’re all put in jeopardy.
Herein lies the strength of the OSCRP. It allows an easy transition between the two domains, offering a common-sense framework for non-cybersecurity experts to understand the threats posed to their scientific assets.
“It is critical that our scientific infrastructure be reliable and trusted,” says Stocks. “The OSCRP provides the most accessible, focused, and practical guidance I know of for a scientist needing to evaluate and assess their cybersecurity.”
In effect, the OSCRP is a bridge between the language of the scientist and the language of the information security professional. It’s a dictionary for the cybersecurity-conscious scientist.
Dictionaries are constructed through the sustained input from a swath of experts. They are only as useful as the complexity they embody.
You know your science better than anybody else, so lend your expertise to help fill out the OSCRP. For more information on how you can join the effort, visit the OSCRP GitHub page.