
Date: July 26, 2010

Introduction

For FY 2010 the Contractor Assurance System for Cyber Security and the Cyber Security Program overall are performing at acceptable levels.  Risk is being managed appropriately to the levels agreed to in the 2007 Authority to Operate.  In addition, a number of initiatives are underway which represent both the Laboratory's continuing adjustments of its control systems to respond to changing threats and patterns, and the unique skills which the University brings to bear in its management of LBL.

Assessments 

(as listed in Assurance Plan Sections 2.0 and 3.0)

The primary form of assessment for Cyber Security is the ongoing review of incidents and the identification of vulnerabilities.  This is an ongoing process which forms the basis of the Laboratory's Risk Management Approach.   The year's overall analysis of incidents (at a summary level) is covered in the FY2010 Annual Self and Risk Assessment Report.

Completed This Year:

1. Internal Audit of Backup and Recovery at LBL

Internal audit conducted a review of backup and recovery practices and operations at LBL.  A full report was provided to BSO.  IA made seven observations about current practices and LBL management committed to ten improvement actions with due dates across the next year.   Observations concerned currency of recovery procedures and testing, as well as broader observations about the state of LBL Business Continuity Planning with downstream impacts on expectations for IT systems.  

2. Peer Review of IT Division (including cyber security).

Full results are limited to LBL management at this time; however, the review team praised verbally and in the final report the efforts of the Laboratory to find the right cyber security balance.   Laboratory Management committed to improvement actions in eight areas in response to observations of the committee around communication, primarily around the development and management of enterprise systems projects, as well as issues regarding communication and scientific computing.

3. Special Risk Assessment for Google Apps Conversion

Conducted in coordination with UC, this assessment evaluated numerous factors which covered the unique risks of moving to an outsourced provider for core collaboration services.  No action items or findings resulted from the review, but the review allowed us to demonstrate to internal and external customers and stakeholders that due diligence had been done.  In addition, the review has been used by numerous other laboratories, agencies, and quasi-agencies to guide their analysis.

4. Annual Disaster Recovery Testing

Every enclave completed a Disaster Recovery test.  In addition, the audit in #1 led to actions to improve disaster recovery.   A set of improvement actions from the Tabletop Exercise are also being tracked.  The full assurance statement was contained in an email to BSO/UCOP and is also contained here: https://commons.lbl.gov/display/cio/2010+DR+Testing+Report

5. Annual Self and Risk Assessment

Each year, LBL undertakes a substantive self and risk assessment. This year, the process has expanded to focus on evolving risks and threats.  A hard copy of this will be provided to BSO at the PEMP meeting.  Electronic copies are preserved here.

Performance Measures

(as listed in Assurance Plan)

1. Cyber Security Incident Analysis:

Incidents are reviewed under PEMP Notable Outcomes.

2. Customer Service and Response, System Availability and Function Data, System Configuration Data:

These are separately tracked as internal measures.  No major issues, outages, or concerns.

3. Training:  

  • Security Intro/Refresher:  91% of target population.
  • PII: 97% of target population.
  • PII Validation: 97% of target population.

4. Training Feedback.  Overall 3.77 for the quarter on a 5-point scale.

PEMP Notable Outcomes

Outcome:  Review Incidents Quarterly and Determine whether they are within our acceptable risk envelope.

Our review of FY10 incidents suggests nothing but exceedingly minor and recoverable disruption to scientific work, and nothing that is outside our acceptable risk envelope. Incident quantities and costs are well within expected numbers.  No scientific data was lost in any of these efforts, and disruption was limited to the time needed to clean up compromised systems.  

We continue to observe an increase in successful malicious code infections, which are being caught quickly by a new device we have procured for this purpose.  The impact of these infections has continued to be very limited, and many of the infections are on guest/transient systems.  Some of this increase is related to how these infections are being caught and recorded; specifically, more of these infections are now being caught by a particular cyber security perimeter detection device, whereas before they may have been caught and cleaned by antivirus (which might or might not show up as an event, depending on how quickly A/V caught the infection).  The increase in hours from malicious code is substantially related to workstation use, which has a more limited impact on scientific work than multi-user systems.

Overall, LBL is managing to the risk profile we have agreed to, and we continue to observe the risks and demonstrated vulnerabilities 

Outcome: Review program to ensure it does not unduly or inefficiently disrupt scientific work.

The FY10 IT Division Peer Review commended Berkeley Lab for how it has achieved an appropriate balance between cyber security and scientific freedom. The Peer Reviewers came from industry, academia, and other Laboratories and interviewed researchers from half the scientific divisions as well as business managers and operations staff from across the Laboratory.

Additional Notable Outcomes:
Section 8:

The Berkeley Lab Cyber Security Program made notable contributions in
two key areas during the performance period.

First, Berkeley Lab has been an early adopter of new cloud
technologies and provided leadership and consulting to other National
Laboratories, other Federal Agencies, and peer large research
institutions. For example, Google Apps was rolled out during the
performance period to all Laboratory Employees. It includes numerous
new capabilities (covered in Section 6) and new security measures
including the ability to remove known malicious emails that are
already delivered to users, a robust, 24/7 security and operations
team dedicated to maintaining the security of the platform, and the
ability to preview "thick-client" documents like PDFs and Microsoft
Office Documents without opening the applications themselves (which
are a source of vulnerabilities). In addition to specific security
improvements, Berkeley Lab was among the first of its peer
institutions to fully analyze the security, privacy, and legal
implications of the move. In a whitepaper written with
representatives from several UC campuses, dozens of key issues are
addressed and assessed for risks. This analysis and our experience
have been used by at least four other National Laboratories, as well
as by at least five other Federal Agencies including NSF and the
Smithsonian. By being early adopters and analyzers of this
technology, we have enabled other institutions to speed up their
evaluation and, in some cases, deployment. However, Google Apps is
only part of our cloud efforts. As early adopters, we have also had
the experience to provide direct security and policy assistance to
high profile scientific projects. By sharing configuration
guidelines, risk analysis, and working directly with scientific and
programming staff, we have been able to securely leverage these
cost-effective technologies directly in support of the Laboratory's
mission.

Second, the Laboratory has been aggressive in adopting new
technologies to address the changing threat environment.
Beginning in FY08, the Laboratory began putting into place a series of
measures designed to address the changing threat of malicious code.
In FY09, we deployed new application patching software to address
known vulnerabilities in applications such as Adobe Reader and Flash
in response to the growing number of vulnerabilities in these
applications. In FY10, we expanded this program to more systems at
the Laboratory. More importantly, we fully deployed a new advanced
malware detection system to address new zero-day malware infections.
As a result of this deployment, the Laboratory is now able to catch
malware infections much earlier and, in many cases, reduce the total
downtime of the user by avoiding the need to fully rebuild a system
due to the ability to use more targeted fixes to address the
infection. This results in increased availability of systems for end
users, improving mission performance and reducing downtime.
Likewise, the NERSC enclave, which is at great risk from stolen
credential attacks, has developed and now fully deployed to major and
minor production systems, a custom system for detecting stolen
credential attacks. The system, which is able to look inside
encrypted sessions for signs of attempts to utilize credentials
improperly, now catches numerous attempts to utilize these credentials
far in advance of when they previously would have been detected - in
many cases, within a few minutes of the initial attempt by the
attacker. As a result, major downtime has been avoided by NERSC which
directly improves their ability to serve scientific customers around
the world.

Other Issues/ Concerns

  • Expected transition to Risk Management Approach and CAS will require close coordination with BSO to meet everyone's needs.
  • Expected transition of S&S Cyber to Overhead and uncertainty regarding WFO tax may present challenges.
  • Growth of Laboratory leads to new employees - need to make sure we maintain a security aware culture.
  • Some proposed legislation would require OMB to monitor agencies at the level of minutiae.  If applied to Laboratories, this will be highly costly and misleading.  Transition of the cyber security locus of responsibility in .gov to DHS presents unknown challenges/complexities.
  • Continued changes to the malicious code environment may require additional investments in protection.
  • Budget pressures expected to intensify in FY12 may put strain on the ISSM model (but it has survived this before).