The primary ongoing assurance activity is the review of incidents conducted by the cybersecurity program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the cyber program is functioning well and we continue to make adjustments to technical and administrative controls and policies as required by the environment.
Berkeley Lab’s overall cyber risk profile remains largely unchanged. For this trimester, we are highlighting the following three risks as those posing the greatest risk to Berkeley Lab.
Web Server Vulnerabilities, including SQL injection
These risks are not unique to Berkeley Lab and are typical cyber risks for any institution. They also do not necessarily pose a greater risk level when compared with other institutions. Berkeley Lab continues to explore new ways to address these risks and to share our results with the greater community.
1.1. Credential Theft
Credential thefts continue to be problematic from a cybersecurity perspective. Our existing emphasis on detecting and preventing privilege escalation continues to mitigate this risk. Credential theft is not unique to Berkeley Lab. It is an ongoing cybersecurity challenge facing all industries and institutions. Berkeley Lab continues to explore new ways to address this risk by leveraging our expertise in network monitoring and forensics.
1.2. Targeted Phishing
Targeted phishing is also an ongoing cybersecurity challenge. The human factor component of this risk poses a particular challenge. Our primary mitigations continue to be user education and detecting and preventing privilege escalation. During this performance period, LBL experienced several targeted phishing events, including one that was notable in the extent to which individuals were drawn in. However, while somewhat time consuming, the controls we have in place for these events functioned as anticipated and no consequential damage or loss of information occurred.
1.3. Web Server Vulnerabilities, including SQL Injection
Attacks exploiting web server vulnerabilities are an ongoing risk facing Berkeley Lab. These attacks can occur via SQL injection, where the attacker sends a web server input that is incorporated into a database query, allowing the attacker to subsequently send SQL commands that can be used to manipulate or read data, such as exposing Personally Identifiable Information. Berkeley Lab performs vulnerability scans to identify web server vulnerabilities; however, vulnerable web servers will still exist on our networks. Some vulnerabilities are not fixable, and in some cases a web server may be missed by the scans. Berkeley Lab is exploring additional ways to address this risk and has proposed several solutions.
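The mechanism described above, as an added illustration that is not part of the report: a constructed user lookup that builds its query by string concatenation, beside the parameterised form that keeps input from being interpreted as SQL. The table, rows and input are all constructed here for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not real Laboratory records).
SAMPLE_ROWS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by concatenation: the caller's input becomes part of
    the SQL text, so it can change the statement's logic (the SQLi flaw)."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return (rows leaked by the concatenated query, rows from the safe one)."""
    conn = make_db()
    # Tautology input: in the concatenated query the WHERE clause always
    # matches, so every row (every email address) is returned.
    hostile = "' OR '1'='1"
    leaked = lookup_vulnerable(conn, hostile)
    bounded = lookup_safe(conn, hostile)
    return len(leaked), len(bounded)


if __name__ == "__main__":
    leaked, bounded = demo()
    print(f"concatenated query returned {leaked} rows; parameterised returned {bounded}")
```

The same input returns the whole table from the concatenated query and nothing from the parameterised one, which is the property a code review or scan should be checking for.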
1.4. Emergent Security Risks and Evolving Threats
Supervisory Control and Data Acquisition (SCADA) systems. We continue to work with the Bro research team under the NSF grant to develop tools for monitoring SCADA. We are currently studying and characterizing the BACnet protocol on our facilities network, which includes all of our Johnson Controls systems (building automation system).
1.6. Policy and Oversight
The largest single unmitigated risk to Berkeley Lab in the area of cybersecurity continues to be the risk that compliance-oriented policy will have a negative effect on our core science mission. Compliance-oriented policy tends to undermine risk-based approaches to cybersecurity and to the extent that it directs scarce resources away from more severe threats, it represents a theoretical and actual risk to our continued management of the cyber security envelope.
2.0. Potential Risk
2.1. Staff Recruitment and Retention
Our philosophy of smart cyber security and detection requires very smart people who are willing to work across institutional boundaries and develop new tools to accomplish our ends. These people are hard to find. There is a shortage of qualified cyber staff, especially in the Bay Area, where we face stiff competition from Silicon Valley and other institutions.
3.0. LBNL Performance
3.1. Business Plan Performance
3.1.2. Communication and Outreach
Berkeley Lab’s cyber team continued to provide support to other Laboratory and University sites using Bro, through presentations at BroCon and Bro4Pros conferences, and 1:1 consulting with site cyber security teams. We have also consulted with private industry about our cyber program and Bro this trimester and gave a talk titled “Using intelligence in an intelligent way: Opportunities and Challenges” at the DOE Network Security Monitoring Technical Symposium.
During this trimester, Berkeley Lab cyber discussed Bro and our cyber approach with:
Berkeley Lab cyber also contributed to the following paper:
Providing Dynamic Control to Passive Network Security Monitoring (implementation & scripts), J. Amann, R. Sommer, 18th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), November 2015
A talk for the 2016 EDUCAUSE Security Professional Conference was also accepted this trimester and will be presented in April 2016.
ESnet and CENIC launched a joint cyber security initiative led by Berkeley Lab researcher Sean Peisert. The initiative will identify new ways to protect R&E wide area networks as well as identify opportunities for R&E Networks to provide additional protection and services to Universities and Laboratories.
The University of California worked with Berkeley Lab cyber on strategies for identifying and preventing cyber breaches as a result of a major breach at the UCLA Medical Center. Berkeley Lab CIO is part of the select leadership team at UC that is structuring future security improvements for the entire UC system.
3.1.3. DOE Enterprise Defenses
Berkeley Lab’s ROE has the CPP Sensor program installed and participates actively in the cyber federated model. Berkeley Lab has indicated its willingness to participate in the DEX program but this program is on hold as it transitions to E3A. We continue to report all reportable incidents to JC3, including all reportable incidents this trimester.
3.1.4. Multifactor Authentication
Berkeley Lab continues to refine its implementation plan and exception requests for multifactor authentication (MFA) under SC direction. Provided that we receive clarity soon about exceptions and scope, we anticipate 100% compliance for privileged users by the end of FY16.
3.2. Audits and Assessments
The Office of Inspector General FY15 Consolidated Financial Statement audit concluded with roll-forward activity. This activity was planned and expected. There were no findings as a result of the activity.
An assessment of Berkeley Lab’s cyber security by the DOE Office of Enterprise Assessment (EA) was conducted during this trimester as part of a series of assessments being conducted at several Labs and Plants. The assessment was divided into two parts: a review that occurred at the beginning of the trimester and a technical assessment that occurred in January. Berkeley Lab had initially planned for the review and technical assessment to occur at the same time and had redirected resources in preparation for this. A substantial reprogramming of effort and resources was required to prepare for and manage the assessment, especially in light of the unplanned change in schedule.
The final report of the assessment is due to be delivered to Berkeley Lab at the end of March, 2016.
Assuming that the final report mimics the in-person outbrief, Berkeley Lab did extremely well in this assessment. Critically, all areas for follow-up were already identified clearly in risk-assessments and self-assessments, providing some validation for the CAS in place for cyber security.
An internal Business Continuity Plan audit was also concluded this past trimester. No major findings were identified. One result of this audit was the initiation of discussions with the Office of Science and the Berkeley Site Office to reevaluate whether or not Berkeley Lab cyber is a Mission Essential Function.
Berkeley Lab CIO efforts to coordinate and represent Laboratory interests at the Federal level continue to be recognized, valued and sought out. This trimester has seen the development of efforts at the Federal level that could have a significant impact on the National Labs and Plants, especially in the area of cyber. Berkeley Lab CIO has played a critical role in leading National Laboratory analysis and has contributed significantly and directly to these efforts.
Berkeley Lab Deputy CIO is co-lead of the DOE-wide FITARA implementation working group.
Berkeley Lab Deputy CIO co-developed SC’s new Annual Lab Plan sections on Information Technology, including leading multiple calls with all SC and S4 labs on strategies for answering the new sections.
Berkeley Lab CIO is chair of NLCIO and has led National-Lab wide responses to dozens of initiatives ranging from cyber sprint activities including MFA to data center consolidation.
Berkeley Lab CIO co-led best practices sharing sessions on institutional HPC and bibliometric management strategies.
4.0. PEMP Goals, Objectives, Notable Outcomes
5.0. Noteworthy Accomplishments
5.1. National Laboratory CIO Leadership
Berkeley Lab CIO continues to play a significant role in National Laboratory CIO efforts to represent the interests of the Laboratories at the Federal level. This leadership role has been prominent this trimester, with Berkeley Lab’s input and participation sought after by DOE OCIO and the NLCIO on multiple occasions.
Berkeley Lab CIO played a significant and critical role in representing the Laboratories and coordinating NLCIO activities and responses to the multiple working groups launched last trimester to address cyber issues.
Berkeley Lab CIO efforts in the areas of multifactor authentication (MFA), FITARA, audits and critical (high value) systems enabled these working groups to more accurately reflect the needs of not only the Labs and Plants, but DOE in general. Specifically, Berkeley Lab CIO’s input was sought after and contributed to the development of DOE OCIO’s strategy to address multifactor authentication.
5.2. Multifactor Authentication
Berkeley Lab took a lead role in the development of the DOE Multifactor Implementation Plan. This included representing the Office of Science Labs and Plants in discussions and in the development of DOE-wide strategies to address multifactor authentication.
5.3. Cyber Audit Assessment Working Group
During this trimester, Rosio Alvarez has led the DOE Cyber Audit Assessment Working Group to develop recommendations that coordinate and align the goals, strengthen the effectiveness, and enhance the impact of DOE audits, reviews and data collections while, wherever possible, decreasing duplication and administrative burden. This working group encompasses members from across DOE, including the Laboratories and Plants, NNSA and DOE OCIO. The recommendations are meant to guide all of DOE.