The primary ongoing assurance activity is the review of incidents conducted by the cybersecurity program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the cyber program is functioning well and we continue to make adjustments to technical and administrative controls and policies as required by the environment.
1.0. Risks
1.1. Credential Theft
Credential theft continues to be problematic from a cybersecurity perspective. Our existing emphasis on detecting and preventing privilege escalation continues to mitigate this risk. Credential theft is not unique to Berkeley Lab; it is an ongoing cybersecurity challenge facing all industries and institutions. Berkeley Lab continues to explore new ways to address this risk by leveraging our expertise in network monitoring and forensics.
1.2. Targeted Phishing
Targeted phishing is also an ongoing cybersecurity challenge. The human factor in this risk poses a particular challenge. Our primary mitigations continue to be user education and detecting and preventing privilege escalation. During this performance period, LBL experienced several targeted phishing events, including one that was notable in the extent to which individuals were drawn in. However, while somewhat time consuming, the controls we have in place for these events functioned as anticipated and no consequential damage or loss of information occurred.
1.3. Drive-by-download Infections
Drive-by infections continue to decrease, but they remain a source of risk given the low barrier to conducting an attack, the difficulty of defending against one, and the large number of potentially vulnerable systems. Our existing mitigations (broad deployment of BigFix for patch management, isolating unpatched computers, and DNS response policy zones (RPZ) to block resolution of known-malicious domains) continue to manage this risk to an acceptable level.
1.4. Emergent Security Risks and Evolving Threats
Supervisory Control and Data Acquisition (SCADA) systems: We continue to work with the Bro research team under the NSF grant to develop tools for monitoring SCADA. We are currently studying and characterizing the BACnet protocol on our facilities network, which includes all of our Johnson Controls building automation systems.
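As an illustration of what "characterizing" BACnet traffic involves at the header level, the following is an added example written for this page; it is not code from the report, from the Bro research team, or from any LBNL tool. It decodes the BVLC, NPDU and APDU headers of BACnet/IP (UDP 47808) payloads, tallies which services appear on a segment, and flags the state-changing services (writes, device communication control, reinitialize) that a monitoring baseline for a building automation network should call out. The frames in SAMPLE_FRAMES are constructed by hand for the example and the service-name tables are abbreviated.

```python
"""Header-level BACnet/IP decoder for profiling building-automation traffic.
Constructed example; not LBNL or Bro project code."""
import struct
from collections import Counter

BVLC_TYPE = 0x81  # every BACnet/IP (Annex J) payload starts with 0x81
BVLC_FUNCTIONS = {0x04: "Forwarded-NPDU", 0x0A: "Original-Unicast-NPDU",
                  0x0B: "Original-Broadcast-NPDU"}
APDU_TYPES = {0: "Confirmed-Request", 1: "Unconfirmed-Request", 2: "Simple-ACK",
              3: "Complex-ACK", 4: "Segment-ACK", 5: "Error", 6: "Reject", 7: "Abort"}
# Abbreviated service tables (assumption: only the services needed here).
CONFIRMED_SERVICES = {12: "readProperty", 14: "readPropertyMultiple",
                      15: "writeProperty", 16: "writePropertyMultiple",
                      17: "deviceCommunicationControl", 20: "reinitializeDevice"}
UNCONFIRMED_SERVICES = {0: "i-Am", 1: "i-Have", 7: "who-Has", 8: "who-Is"}
# Services that change controller state; a baseline should flag every instance.
SENSITIVE_SERVICES = {"writeProperty", "writePropertyMultiple",
                      "deviceCommunicationControl", "reinitializeDevice"}


def parse_bacnet_ip(frame: bytes) -> dict:
    """Decode the BVLC, NPDU and APDU headers of one BACnet/IP UDP payload."""
    if len(frame) < 6 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP (BVLC) frame")
    func = frame[1]
    (length,) = struct.unpack("!H", frame[2:4])
    if length != len(frame):
        raise ValueError(f"BVLC length {length} != payload length {len(frame)}")
    off = 4
    if func == 0x04:                      # Forwarded-NPDU carries a 6-byte origin address
        off += 6
    version, control = frame[off], frame[off + 1]
    off += 2
    if version != 1:
        raise ValueError(f"unsupported NPDU version {version}")
    info = {"bvlc_function": BVLC_FUNCTIONS.get(func, f"0x{func:02x}"),
            "expecting_reply": bool(control & 0x04), "dnet": None}
    if control & 0x20:                    # DNET(2) + DLEN(1) + DADR(DLEN)
        (info["dnet"],) = struct.unpack("!H", frame[off:off + 2])
        off += 3 + frame[off + 2]
    if control & 0x08:                    # SNET(2) + SLEN(1) + SADR(SLEN)
        off += 3 + frame[off + 2]
    if control & 0x20:                    # hop count follows the address fields
        off += 1
    if control & 0x80:                    # network-layer message: no APDU
        info.update(apdu_type="Network-Message", service=f"0x{frame[off]:02x}",
                    sensitive=False)
        return info
    first = frame[off]
    apdu_type = first >> 4
    segmented = bool(first & 0x08)        # seq/window bytes present when set
    info["apdu_type"] = APDU_TYPES.get(apdu_type, f"type {apdu_type}")
    if apdu_type == 0:                    # flags, max-resp, invoke-id, [seq, win], service
        info["invoke_id"] = frame[off + 2]
        svc = frame[off + (5 if segmented else 3)]
        info["service"] = CONFIRMED_SERVICES.get(svc, f"confirmed {svc}")
    elif apdu_type == 1:                  # type byte, then service choice
        svc = frame[off + 1]
        info["service"] = UNCONFIRMED_SERVICES.get(svc, f"unconfirmed {svc}")
    elif apdu_type in (2, 3, 5):          # acks/errors echo invoke id and service
        info["invoke_id"] = frame[off + 1]
        svc = frame[off + (4 if apdu_type == 3 and segmented else 2)]
        info["service"] = CONFIRMED_SERVICES.get(svc, f"confirmed {svc}")
    else:                                 # Reject/Abort carry a reason code
        info["invoke_id"] = frame[off + 1]
        info["service"] = f"reason {frame[off + 2]}"
    info["sensitive"] = info["service"] in SENSITIVE_SERVICES
    return info


def profile(frames) -> Counter:
    """Tally (apdu_type, service) pairs: the first step in baselining a BMS segment."""
    counts = Counter()
    for frame in frames:
        try:
            info = parse_bacnet_ip(frame)
        except ValueError:
            counts[("non-bacnet", None)] += 1
            continue
        counts[(info["apdu_type"], info["service"])] += 1
    return counts


# Constructed sample payloads (hand-assembled for this example).
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")              # global Who-Is broadcast
READ_PROPERTY = bytes.fromhex("810a001101040005010c0c02000000194d")  # device,0 object-name
WRITE_PROPERTY = bytes.fromhex(                                  # AO,1 present-value := 72.0
    "810a001801040005020f0c0040000119553e44429000003f")
SIMPLE_ACK = bytes.fromhex("810a00090100" "20020f")             # ack for the write
SAMPLE_FRAMES = [WHO_IS, READ_PROPERTY, WRITE_PROPERTY, SIMPLE_ACK,
                 b"GET / HTTP/1.0\r\n\r\n"]                     # stray non-BACnet payload

if __name__ == "__main__":
    for (apdu, svc), n in sorted(profile(SAMPLE_FRAMES).items(), key=str):
        flag = " (sensitive)" if svc in SENSITIVE_SERVICES else ""
        print(f"{n:3d}  {apdu:<20} {svc}{flag}")
```

Run against a capture of UDP/47808 payloads, the same tally shows which devices issue writes or reinitialize requests and whether anything other than the expected controllers speaks BACnet on the facilities network, which is the kind of baseline a Bro analyzer would then enforce continuously.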
1.5. Policy and Oversight
The largest single unmitigated risk to Berkeley Lab in the area of cybersecurity continues to be the risk that compliance-oriented policy will have a negative effect on our core science mission. Compliance-oriented policy tends to undermine risk-based approaches to cybersecurity and to the extent that it directs scarce resources away from more severe threats, it represents a theoretical and actual risk to our continued management of the cyber security envelope.
2.0. LBNL Performance
2.1. Business Plan Performance
2.1.1. Border Router
Our new border router continues to function with increased blocking capacity (number of blocks and their duration). This capacity has allowed us to block new risks readily (IPMI, NTP) and to extend our blocking to additional protocols.
2.1.2. Communication and Outreach
Berkeley Lab’s work in 100G network intrusion detection continues to be recognized. Five papers and talks have been accepted this trimester as a direct result. See Noteworthy Accomplishments for further information.
2.1.3. CPP Sensors
Deployed and operational per direction from BSO.
2.2. Audits
The Office of Inspector General FY15 Consolidated Financial Statement audit occurred during this trimester. Preparation for and management of this audit required a substantial reprogramming of resources.
2.3. Service
Berkeley Lab led the National Lab CIO effort to provide coordinated multi-lab reporting on several topics to DHS on behalf of SC, NNSA, and the DOE CIO.
Berkeley Lab CIO led National Laboratory analysis and input on FITARA.
Berkeley Lab CIO represented Laboratory interests on NLCIO and Cyber Council.
3.0. PEMP Goals, Objectives, Notable Outcomes
None defined.
4.0. Noteworthy Accomplishments
Berkeley Lab continues to be recognized for its expertise in network intrusion detection systems. A prototype Bro network intrusion detection system capable of monitoring a 100G network has been developed. Four academic talks and papers have been published or accepted for publication during this trimester:
Bro4Pros, February 2015, "Monitoring 100G links"
CENIC Annual Conference, March 2015, "100G Open Source Network Monitoring with Bro and Time Machine"
DOE Cyber Security Training Conference, April 2015, "100G Monitoring Solution"
Educause Security Professionals Conference, May 2015, "Finding Badness in My 100G Network"
Berkeley Lab continues to provide substantial technical assistance to SLAC to assist with their implementation of Bro and overall review of their cybersecurity and IT modernization programs. In addition to the technical assistance, Berkeley Lab's Chief Information Officer and Chief Information Security Officer are also members of SLAC's Independent Review Board.