A quick Internet search for cybersecurity solutions will yield many pages of results, with dozens of commercial firms happy to secure networks, email servers, and other enterprise cyberinfrastructure.
So why then is it so difficult to find workable cybersecurity solutions for open science research projects, especially projects such as those conducted by universities and government organizations such as the National Science Foundation?
The answer is that cybersecurity for open science differs from cybersecurity for the enterprise because of the very nature of research projects. Where enterprise IT systems are guided by top-down policies, have confidential data, a limited and controlled set of users, and industry-standard infrastructure, open science research projects are, well, just different.
The research community is large, highly collaborative, spans science domains, and uses diverse infrastructure. This infrastructure often includes highly specialized, purpose-built, and one-of-a-kind instruments such as genome sequencers, telescopes, control networks, sensors, and high-performance computing resources, to name but a few.
Research projects:
- Are often not well served by compliance. Often, in many open science research projects, data is not subject to compliance requirements such as HIPAA or the National Institute of Standards and Technology (NIST) Special Publication 800-171. There is, for example, no Personally Identifiable Information (PII) in the micromeasurement data of the earth’s crust’s movements in geodesy experiments or the variance in radio wave signal strength from a black hole. While this data has value (and requires protection to ensure availability, data integrity, and experiment reproducibility), such data is usually outside the scope of compliance requirements.
- Feature rapid, often global collaboration by many collaborators. Research projects often have large sets of contributors, and those contributors cross institutional and geographic boundaries. This seamless collaboration is a factor in making great discoveries. Moreover, the set of contributors changes over time, as researchers come and go and as new projects use existing equipment.
- Rely on scientific cyberinfrastructure that has more to contend with than just commodity IT. To the standard enterprise IT mix of laptops, desktops, servers, networks, and mobile devices, research projects add sensors and sensor nets, drones, research vehicles, network-connected lab equipment, supercomputers, telescopes, and one-off, purpose-built specialized items. Further, take these unique infrastructure items and distribute them around the country or around the world. Then realize that some of these instruments run legacy or specialized software applications that were never designed to be compatible with modern operating systems or security features, and providing cybersecurity for this mix rapidly becomes an extraordinary challenge.
The impact of these differences is clear and significant. When there are no or few regulatory requirements, there are few yardsticks to measure compliance, or other “sticks” to motivate appropriate behavior. Access control and management are challenges when doors, real or virtual, must remain wide open and when the list of those authorized to pass through those doors changes frequently. Securing unique cyberinfrastructure assets–from the operating systems of giant telescopes to networked electron microscopes–defies off-the-shelf cybersecurity solutions designed for commodity equipment, systems, and networks.
These differences, plus others that stem from differences in open research culture and funding, make providing effective cybersecurity for open research projects a different animal altogether.
The Research Security Operations Center (ResearchSOC) is a collaborative security response center that addresses the unique cybersecurity concerns of the research community. ResearchSOC helps make scientific computing resilient to cyberattacks and capable of supporting trustworthy, productive research. For more information on the ResearchSOC, visit our website or email rsoc@iu.edu.