- Anita Nikolich outlines the state of security in the modern scientific workflow.
- Sensitive data sets and expensive instruments are vulnerable cybertargets.
- The US National Science Foundation (NSF) is investing in smart shields for these vital international interests.
Science in the 21st century is increasingly reliant on high-performance computation, boutique instrumentation, and low-latency, high-bandwidth research network connectivity. To shield scientific targets from cyber attacks, the US National Science Foundation (NSF) is fostering research to ensure the discoveries of tomorrow aren't stolen today. The Science Node spoke with Anita Nikolich, director of the NSF’s Cybersecurity Innovation for Cyberinfrastructure (CICI) program, about the state of cybersecurity in the modern scientific workflow and how the NSF is sponsoring innovations to secure this space for future discovery.
Where on the scientific workflow is security a concern?
The scientific workflow is becoming more complex as most science has evolved into a distributed and collaborative pursuit, with teams of scientists around the world simultaneously working on the same experiment using data that’s distributed globally and accessed and analyzed locally. Every step, from the point of collection onward, is a security risk.
More worrisome is the fact that these security risks can affect the integrity of the data. The instrument or sensor itself is often at risk since it wasn’t built or installed with security in mind so it might remain unprotected and accessible by untrusted parties. Software that then processes the data usually doesn’t go through vulnerability scanning in the development process. Data gets sent over multiple networks, often across the globe, which presents further risks. It arrives at a computing resource, which might be at a campus, in 'the cloud,' or at a national facility, all of which have disparate security procedures. Achieving data integrity across all these platforms is a complex endeavor!
What are some of the instruments at risk in the modern scientific work space?
We think of science as being conducted in the controlled environment of a lab, but the definition of scientific instrument is actually very broad. Scientific data is now collected not only by traditional large instruments like telescopes and particle accelerators, but also by smartphones, drones, balloons, and environmental sensors. Instruments such as genome sequencers are no longer cost prohibitive and have become within reach for many more scientists.
Additionally, there is a large movement called citizen science, in which the general public collects and inputs observational data into real research projects. The introduction of non-traditional instruments is perhaps the most challenging because their intended purpose was not to collect scientific data.
What are the biggest challenges to securing the scientific workflow?
The biggest challenge is social, not technical. People still think of security as synonymous with confidentiality, which is not as much of a concern for scientific data. As a result, security is not taken as a serious issue.
Data integrity, however, is something each scientist should worry about, so if we can help them understand this definition of security, and enable them to ask the right questions about their systems, that’s half the battle. The other big challenge is the fact that science is a collaborative and international effort involving multiple institutions, agencies and even commercial providers. Getting one's arms around this complexity is a challenge.
In what direction lie the best solutions?
Informed users are critical to the most comprehensive solutions. Bringing awareness to the scientists, not just the IT community, is how we’ll get the most momentum. Becoming more cognizant that your software could produce erroneous results and therefore should follow some software engineering principles and go through vulnerability scanning as it's developed would be a big win for us.
Technically, the best solutions are ones that are not just point solutions that solve a portion of the problem. Solutions that are collaborative are even better since you can have confidence in the fact that your data will be traversing a network or system that takes security equally seriously.
How can the CICI solicitation help secure the scientific workflow?
CICI requires a partnership with a domain scientist or science collaboration, which is essential to understanding that this is not just an IT problem we’re solving. CICI also strongly encourages people to look at the totality of the scientific workflow, not just a particular problem area. CICI directly addresses the fact that scientists are integrating resources they own along with resources over which they may have little control. A solution addressing the end-to-end workflow, including this unique mix of assets, is imperative.
The NSF understands that campuses and collaborations need an ability to try out new techniques and technologies. We consider our awards to be opportunities to try out new things that might end up not being feasible in production. However, failure can provide an important feedback loop for more robust technologies.
In terms of the social challenge of implementing new solutions, our category Regional Cybersecurity Collaboration encourages the development of tools and methodologies that can work at a multi-institutional level and thus leverage each other’s small resources.
Any examples of centers promoting sound cybersecurity practices?
The NSF funds a Cybersecurity Center of Excellence at Indiana University, the Center for Trustworthy Scientific Cyberinfrastructure (CTSC). CTSC has been an invaluable resource for influencing the adoption of best practices within the scientific community. They do everything from reviewing the security posture of NSF-funded infrastructure to reviewing software code to providing input into security plans. And, best of all, their services are available to the community at no charge!