• Subscribe

Mind the gap: Speaking like a cybersecurity pro

Speed read
  • Cybersecurity is increasingly becoming a concern for domain scientists
  • The Open Science Cyber Security Profile joins the information security and domain science worlds
  • Scientific integrity is at risk; we all benefit from a secure scientific workflow

We should value dictionaries more than we do.

When we travel to another part of the world, encounter a new concept, or hear a word for the first time, what do we do? We run to a dictionary to decipher what is meant by these strange new terms.

This is the same challenge scientists face today. As recent events have taught (e.g., the Stuxnet attack on Iranian centrifuges, the attack on the Ukrainian power grid), scientific research is dangerously vulnerable in the cyber age.

<strong>Scientist at work.</strong> When marine ecologist Emily Kelly gets out of the water, her data will be transferred to a digital world. The Open Science Cyber Risk Profile will help her place assets in an information security context. Courtesy Scripps Institution of Oceanography at UC San Diego; Don McLeish.

But when scientists look to cybersecurity experts to shore up these vulnerabilities, they find linguistic barriers. Words like confidentiality, availability, integrity — these terms don’t mean the same to information security professionals as they do to scientists.

So these domain researchers, not formally trained in information-technology-ese, find themselves casting around for language and concepts to help them better manage the risks facing open science today.

To bridge this linguistic divide, funding from National Science Foundation (NSF) and the Department of Energy (DOE) has launched the Open Science Cyber Risk Profile (OSCRP).

Coordinated between the NSF’s Cybersecurity Center of Excellence, the DOE’s Energy Sciences Network (ESnet), and the Center for Trustworthy Scientific Cyberinfrastructure (CTSC), the initiative is building a full risk profile for the open science community.

“Our motivation is to help ensure the trustworthy nature of scientific computing by better understanding the project risks posed to science from cyberattacks,” says OSCRP organizer and CTSC director Von Welch.

“We want to enable a scientist and an information security professional to discuss the scientific assets critical to a project, and then translate the technical risks associated with those assets into risks to the science mission.”

Rhetorical questions

Translating between the partnering communities can stave off some serious problems. What happens when an environmentally controlled, Internet of Things-connected cooler with sensitive biological samples is turned off remotely?

What happens if code controlling a planetary lander is compromised and a descent thruster is not activated at the opportune moment?

At other times, consequences to compromised scientific efforts aren’t fatal. Sometimes scientists embargo their research data, reserving it from publication until scientific consensus is achieved.

<strong>Lost in translation? </strong> Computer scientists are finding common language with domain scientists through the Open Science Cyber Risk Profile.

“Our society is seeing an increasing level of sophistication in computer attacks that emulate scenarios one assumed were confined to Hollywood,” says Sean Peisert, staff scientist in the Computational Research Division at Lawrence Berkeley National Laboratories and co-organizer of the OSCRP.

“It is also increasingly common to see open science as a target, as it includes both politically sensitive topics, valuable intellectual property, and areas with increasing privacy ramifications such as genomics and urban sensing.”

More fundamentally, compromised data integrity places the entire scientific edifice at risk. A remote-controlled mountaintop telescope has one chance to catch a glimpse of a supernova; what is the cost to humanity if this event is missed?

What happens when corrupted data is discovered only after publication? Reputations, like Humpty-Dumpty, are notoriously difficult to repair.

Taking stock

“The number, variety, and sophistication of cyber threats are increasing, and any scientist overseeing cyberinfrastructure has an obligation and a vested interest in cybersecurity due diligence,” says Karen Stocks, director of the Geological Data Center at the Scripps Institution of Oceanography at the University of California San Diego.

An oceanographer by training, Stocks is part of the OSCRP working group. She leads a data center in California, and like many scientists today, views computation as an essential tool.

“If you want to understand global patterns of deep sea biodiversity, for example, you need aggregated global biodiversity data,” says Stocks.

What’s more, in a scientific environment with limited computational resources, the open science model of sharing solutions and resources creates efficiency that would have unattainable before the advent of modern research networks and high-performance computer centers.

<strong>Tools of the trade. </strong> Scientific assets (such as the research vessel Sally Ride) are increasingly targets of cyber attack. The Open Science Cyber Risk Profile is helping domain scientists secure all aspects of their scientific work. Courtesy Scripps Institution of Oceanography at UC San Diego.

But when researchers move into the brave new world of advanced scientific computing without the training to secure their work, we’re all put in jeopardy.

Herein lies the strength of the OSCRP. It allows an easy transition between the two domains, offering a common-sense framework for non-cybersecurity experts to understand the threats posed to their scientific assets.

“It is critical that our scientific infrastructure be reliable and trusted,” says Stocks. “The OSCRP provides the most accessible, focused, and practical guidance I know of for a scientist needing to evaluate and assess their cybersecurity.”

In effect, the OSCRP is a bridge between the language of the scientist and the language of the information security professional. It’s a dictionary for the cybersecurity-conscious scientist.

Dictionaries are constructed through the sustained input from a swath of experts. They are only as useful as the complexity they embody.

You know your science better than anybody else, so lend your expertise to help fill out the OSCRP. For more information how you can join the effort, visit the OSCRP GitHub page.

Join the conversation

Do you have story ideas or something to contribute?
Let us know!

Copyright © 2017 Science Node ™  |  Privacy Notice  |  Sitemap

Disclaimer: While Science Node ™ does its best to provide complete and up-to-date information, it does not warrant that the information is error-free and disclaims all liability with respect to results from the use of the information.

Republish

We encourage you to republish this article online and in print, it’s free under our creative commons attribution license, but please follow some simple guidelines:
  1. You have to credit our authors.
  2. You have to credit ScienceNode.org — where possible include our logo with a link back to the original article.
  3. You can simply run the first few lines of the article and then add: “Read the full article on ScienceNode.org” containing a link back to the original article.
  4. The easiest way to get the article on your site is to embed the code below.