The primary ongoing assurance activity is the review of incidents conducted by the cybersecurity program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the cyber program is functioning well and we continue to make adjustments to technical and administrative controls and policies as required by the environment.
1.0. Risks
Berkeley Lab’s overall cyber risk profile remains largely unchanged. Our primary risks remain the same:
Credential Theft
Targeted Phishing
Drive-by-Downloads
These risks are not unique to Berkeley Lab and are typical cyber risks for any institution. They also do not necessarily pose a greater risk level when compared with other institutions. Berkeley Lab continues to explore new ways to address these risks and to share our results with the greater community.
1.1. Credential Theft
Credential thefts continue to be problematic from a cybersecurity perspective. Our existing emphasis on detecting and preventing privilege escalation continues to mitigate this risk. Credential theft is not unique to Berkeley Lab. It is an ongoing cybersecurity challenge facing all industries and institutions. Berkeley Lab continues to explore new ways to address this risk by leveraging our expertise in network monitoring and forensics.
1.2. Targeted Phishing
Targeted phishing is also an ongoing cybersecurity challenge. The human factor component of this risk poses an especially difficult challenge. Our primary mitigations continue to be user education and detecting and preventing privilege escalation. During this performance period, LBL experienced several targeted phishing events, including one that was notable in the extent to which individuals were drawn in. However, while somewhat time consuming, the controls we have in place for these events functioned as anticipated, and no consequential damage or loss of information occurred.
1.3. Drive-by-download Infections
Drive-by infections continue to decrease, but they remain a source of risk given the low barrier to conducting an attack, the difficulty of defending against one, and the large number of potentially vulnerable systems. Our existing mitigations (broad deployment of BigFix, isolating unpatched computers, and DNS Response Policy Zones (RPZ)) continue to manage this risk to an acceptable level.
1.4. Emergent Security Risks and Evolving Threats
Supervisory Control and Data Acquisition (SCADA) systems: We continue to work with the Bro research team under the NSF grant to develop tools for monitoring SCADA. We are currently studying and characterizing the BACnet protocol on our facilities network, which includes all of our Johnson Controls systems (building automation system).
1.5. Policy and Oversight
The largest single unmitigated risk to Berkeley Lab in the area of cybersecurity continues to be the risk that compliance-oriented policy will have a negative effect on our core science mission. Compliance-oriented policy tends to undermine risk-based approaches to cybersecurity, and to the extent that it directs scarce resources away from more severe threats, it represents both a theoretical and an actual risk to our continued management of the cybersecurity envelope.
2.0. LBNL Performance
2.1. Business Plan Performance
2.1.2. Communication and Outreach
Berkeley Lab’s work in 100G network intrusion detection continues to be recognized. See Noteworthy Accomplishments for further information.
Berkeley Lab participated in BroCon 2015 with Vern Paxson providing the keynote speech and Berkeley Lab cyber staff presenting “P0wnage and Detection with Bro”.
2.1.3. CPP Sensors
Deployed and operational per direction from BSO.
2.2. Audits and Assessments
The Office of Inspector General FY15 Consolidated Financial Statement audit was conducted this trimester consisting of an audit of General IT Controls and a Network Vulnerability Assessment of the Berkeley Lab Financial Management System (FMS), a new version of which was brought online at the end of FY14. There were no findings for Berkeley Lab from this audit. A roll forward activity is scheduled to occur at the end of this trimester. The roll forward activity is part of the normal audit activity and we do not expect any findings as a result of it.
The audit required substantial reprogramming of resources towards audit preparation and management, including a significant effort to clarify the scope and purpose of the audit prior to its commencement.
An assessment of Berkeley Lab’s cyber security by the DOE Office of Enterprise Assessment (EA) is scheduled to commence at the start of FY16. This assessment is part of several assessments being conducted at several Labs and Plants. Berkeley Lab Cyber and IT Policy observed the EA assessment that was conducted at SLAC in June 2015 as invited guests.
Substantial effort and resources have been reprogrammed and redirected to preparation for and management of the assessment.
2.3. Service
Berkeley Lab CIO efforts to coordinate and represent Laboratory interests at the Federal level continue to be recognized, valued, and sought out. This trimester has seen the development of efforts at the Federal level that could have a significant impact on the National Labs and Plants, especially in the area of cybersecurity. Berkeley Lab CIO has played a critical role in leading National Laboratory analysis and has contributed directly and significantly to these efforts.
Berkeley Lab CIO led National Laboratory analysis on the impact of the Federal Information Technology Acquisition Reform Act (FITARA) and has contributed to the development of the National Lab CIO’s and DOE’s responses.
Berkeley Lab CIO continues to lead National Lab CIO efforts to provide coordinated multi-lab reporting on several topics to DHS on behalf of SC, NNSA, and the DOE CIO.
Berkeley Lab CIO represented Laboratory interests on NLCIO and Cyber Councils.
Berkeley Lab has represented Laboratory interests and made significant contributions to the DOE cyber sprint and OCIO working groups (see Noteworthy Accomplishments).
3.0. PEMP Goals, Objectives, Notable Outcomes
None defined.
4.0. Noteworthy Accomplishments
Bro
Berkeley Lab continues to be recognized for its expertise in network intrusion detection systems. The prototype Bro network intrusion detection system, which is capable of monitoring a 100G network, won several awards this past trimester:
2015 University of California Larry L. Sautter Award - “Enabling Science through Cyber Security at 100G”.
2015 Department of Energy, Office of the Chief Information Officer (OCIO) Innovative Technical Achievement Award.
A technical paper titled “100G Intrusion Detection” was also published and made available in August 2015, detailing Berkeley Lab’s research into 100G Intrusion Detection. The technical paper is also a guide for other sites in deploying a 100G intrusion detection system.
Papers and presentations related to 100G Bro this trimester:
"100G Network Monitoring at Berkeley Lab", DOE Cyber Security Training Conference, Kansas City, MO
"Finding badness in my 100G network", EDUCAUSE Security Professionals Conference, Minneapolis, MN
"Scaling up your Network Monitoring", ESnet/Internet2 Technology Exchange, Indianapolis, IN
"100G Network Monitoring with Bro and Time Machine", 2015 CENIC Annual Conference, Irvine, CA
"100G Monitoring", Bro4Pros, San Francisco, CA
National Laboratory CIO Leadership
Berkeley Lab CIO continues to play a significant role in National Laboratory CIO efforts to represent the interests of the Laboratories at the Federal level. This leadership role has been prominent this trimester, with Berkeley Lab’s input and participation sought after by DOE OCIO and the NLCIO on multiple occasions.
During this past trimester, DOE launched multiple working groups to address cyber issues as part of DOE’s cyber sprint that resulted from the OPM breach. Representation and input from the Laboratories in these efforts was and continues to be critical and Berkeley Lab CIO played a significant role in representing the Laboratories and coordinating NLCIO activities and responses.
Berkeley Lab CIO efforts in the areas of multifactor authentication (MFA), FITARA, audits and critical (high value) systems enabled these working groups to more accurately reflect the needs of not only the Labs and Plants, but DOE in general. Specifically, Berkeley Lab CIO’s input was sought after and contributed to the development of DOE OCIO’s strategy to address multifactor authentication.
During this trimester, Rosio Alvarez was asked to lead the DOE Cyber Audit Assessment Working Group to develop recommendations to coordinate and align the goals, strengthen the effectiveness, and enhance the impact of DOE audits, reviews, and data collections, while wherever possible decreasing duplication and administrative burden. This working group encompasses members from across DOE, including the Laboratories and Plants, NNSA, and DOE OCIO. The recommendations are meant to guide all of DOE.
Assistance to SLAC
Berkeley Lab continues to provide substantial technical assistance to SLAC with their implementation of Bro and with the overall review of their cybersecurity and IT modernization programs. In addition to the technical assistance, Berkeley Lab’s Chief Information Officer and Chief Information Security Officer are also members of SLAC’s Independent Review Board.