This was an outstanding year for the Berkeley Lab Cyber Security Program. In addition to our ongoing successful risk-management approach, three key accomplishments stand out:
Enterprise Assurance (EA): Despite a shaky start, Berkeley Lab completed a strong engagement with EA. The final report praised Berkeley Lab’s cyber program, stating that “overall, the LBNL technical security program/controls are well implemented” and that “EA’s testing and interviews identified very few vulnerabilities or weaknesses in LBNL’s networks. Most vulnerabilities that EA identified were mitigated by other controls such as Bro....” The EA team concluded that they “did not uncover any circumstances that warranted a finding or deficiency.” The EA team did not interactively compromise any systems; its attempts were detected and automatically blocked by dozens of Berkeley Lab’s compensating controls.
Multifactor Authentication (MFA): Against a backdrop of evolving requirements and inflexible constraints, Berkeley Lab will be among the half of the SC labs that meet the September 30, 2016 Standard Users deadline, and it will do so with a relatively large pool of users. Berkeley Lab’s Privileged User implementation, which is unique in DOE, has been the subject of extensive oversight and has leveraged the Lab’s CAS assets to provide assurance to DOE regarding this specialized implementation. Berkeley Lab will meet the original deadlines for both Standard and Privileged Users and will do so without substantially degrading the user experience or flexibility of our Standard or Privileged users.
Service: Berkeley Lab cyber and OCIO also performed extensive service and outreach to DOE as well as the general community this year. In almost all cases, Berkeley Lab OCIO and cyber were intentionally sought after for our expertise and assistance. The Lab was heavily involved in or led many DOE-wide activities, such as Multifactor Authentication, FITARA, data center consolidation and audits and assessments. Our staff were also actively sought after to speak and inspire the next generation of scientists and cyber analysts and to work with leading cyber researchers to further research into identifying, detecting and combating new cyber risks and threats.
In summary, this was a very strong year for the Laboratory’s cyber program, reflecting its commitments to excellent risk-management and to broad engagement with our peers in higher education and DOE to achieve a more science-friendly and secure cyber security environment for research.
RISKS AND MITIGATIONS
Berkeley Lab’s overall cyber risk profile remains largely unchanged. The following three risks have posed the greatest risk to Berkeley Lab this past year:
Targeted Phishing,
Credential Theft, and
Web Server Vulnerabilities, including SQL injection.
These risks are not unique to Berkeley Lab and are typical cyber risks for any institution. They also do not necessarily pose a greater risk level when compared with other institutions. Berkeley Lab continues to explore new ways to address these risks and to share our results with the greater community.
Targeted phishing is an ongoing cybersecurity challenge, not only for Berkeley Lab, but for the entire cybersecurity community. The human factor component of this risk poses a particular challenge. Our primary mitigations continue to be user education, detection, and prevention of privilege escalation. This past year, the Lab experienced several targeted phishing events, including one that was notable in the extent to which individuals were drawn in. However, while somewhat time consuming, the controls we have in place for these events functioned as anticipated, and no consequential damage or loss of information occurred.
As an additional awareness and education control, we began testing simulated phishing attacks this year, where individuals can opt-in to receive simulated phishing emails. Individuals who click on the simulated phishing attachments are redirected to awareness material about phishing.
Closely associated with Targeted Phishing is Credential Theft and, like Targeted Phishing, Credential Theft continues to be one of our greatest risks. Our existing emphasis on detecting and preventing privilege escalation continues to mitigate this risk. Also like Targeted Phishing, Credential Theft is not unique to Berkeley Lab; it is an ongoing cybersecurity challenge facing all industries and institutions. Berkeley Lab continues to explore new ways to address this risk by leveraging our expertise in network monitoring and forensics. Multifactor authentication helps in mitigating this risk; Berkeley Lab has been using multifactor authentication for many of its key systems for several years now, predating the current DOE MFA initiative.
Web Server Vulnerabilities including SQL Injection
Attacks exploiting web server vulnerabilities are an ongoing risk facing Berkeley Lab. These attacks can occur via SQL injection, where the attacker sends a web server input that allows the attacker to subsequently execute SQL commands that can be used to manipulate data, such as exposing Personally Identifiable Information. Berkeley Lab performs vulnerability scans to identify web server vulnerabilities; however, vulnerable web servers will always exist on our networks. Some vulnerabilities are not fixable, and in some cases a web server may be missed by the scans. Berkeley Lab is exploring additional ways to address this risk and has proposed several solutions.
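The injection pattern described above, as an added illustration that is not part of this report: a lookup that splices web input into its SQL text beside the parameterized form, run against a constructed in-memory SQLite table with a hypothetical PII column.

```python
"""Added example (not from the Berkeley Lab report): a web lookup that splices
user input into SQL, beside its parameterized fix, on constructed data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for a web application's user store;
    # the 'ssn' column is the kind of PII the report says can be exposed.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, ssn TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "111-11-1111"), ("bob", "222-22-2222")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, username: str) -> list:
    # Web input becomes part of the SQL text, so a crafted value is
    # interpreted as SQL syntax rather than as a literal username.
    sql = f"SELECT username, ssn FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, username: str) -> list:
    # The SQL text is fixed; the driver binds the value as data, so the
    # same input is compared literally against the column.
    sql = "SELECT username, ssn FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


# Hypothetical web input that closes the quoted literal and appends an
# always-true condition (constructed for the demonstration).
INJECTED_INPUT = "x' OR '1'='1"


def demo() -> tuple:
    """Return row counts: (vulnerable, parameterized, legitimate lookup)."""
    con = make_db()
    leaked = lookup_vulnerable(con, INJECTED_INPUT)    # every row returned
    safe = lookup_parameterized(con, INJECTED_INPUT)   # no such user
    normal = lookup_parameterized(con, "alice")        # one matching row
    return len(leaked), len(safe), len(normal)


if __name__ == "__main__":
    print(demo())  # (2, 0, 1)
```

The vulnerable query returns the whole table for the crafted input, while the parameterized query returns nothing for it and still finds a real user; a vulnerability scanner that tests inputs of this shape is looking for exactly the first behaviour.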
Emergent Security Risks and Evolving Threats
Policy and Oversight
The largest single unmitigated risk to Berkeley Lab in the area of cybersecurity continues to be the risk that compliance-oriented policy will have a negative effect on our cyber program and our core science mission. Funding and expertise for cyber security remain limited resources, so any redirection of those resources reduces the effectiveness of our program.
Supervisory Control and Data Acquisition (SCADA) systems
We continue to make progress in reducing cybersecurity risk associated with SCADA systems. During this year, we worked with Berkeley Lab cyber researchers to provide data about SCADA systems which has resulted in a paper that has been submitted for publication.
We also conducted a preliminary assessment of SCADA use by scientists and researchers to refine our overall risk analysis and have worked closely with Berkeley Lab Facilities to reduce the risk exposure from new purchases of SCADA equipment.
Staff Recruitment and Retention
Our philosophy of smart cyber security and detection requires very smart people who are willing to work across institutional boundaries and develop new tools to accomplish our ends. These people are hard to find and can be difficult to retain; this past year saw a key cyber analyst leave Berkeley Lab for a local startup company. There also continues to be a shortage of qualified cyber staff, especially in the Bay Area, where we face stiff competition from Silicon Valley and other institutions.
PERFORMANCE: PEMP GOALS, OBJECTIVES AND NOTABLE OUTCOMES
Communication and Outreach
This past year, Berkeley Lab’s cyber team continued to provide support to other Laboratory and University sites using Bro, through presentations at BroCon and Bro4Pros conferences, and 1:1 consulting with site cyber security teams. We have also consulted with private industry about our cyber program and Bro this year.
During FY16, Berkeley Lab cyber discussed Bro and our cyber approach with:
In July 2016, Berkeley Lab cyber was invited to participate in a cyber review of recent improvements to the cyber security profile of LANL’s green network and their proposed road map to further enhance LANL’s cybersecurity. The review covered configuration management, vulnerability scanning and proposed centralization initiatives.
Presentations and talks by Berkeley cyber this past year include:
“Stopping Scanners Early and Quickly”, Bro4Pros, March 2016.
“p0wnage and Detections: 2015 Edition”, 2016 EDUCAUSE Security Professional Conference, April 2016.
“How-to-clusterize: Using scan-detection with NetControl”, BroCon 2016, September 2016.
Berkeley Lab cyber has also been working with cyber researchers on various research papers, including contributing to the following published research paper:
Providing Dynamic Control to Passive Network Security Monitoring (implementation & scripts), J. Amann and R. Sommer, 18th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), November 2015.
This year, ESnet and CENIC launched a joint cyber security initiative led by Berkeley Lab researcher Dr. Sean Peisert. The initiative identifies new ways to protect R&E wide area networks as well as identify opportunities for R&E Networks to provide additional protection and services to Universities and Laboratories.
The University of California has also worked with Berkeley Lab cyber on strategies for identifying and preventing cyber breaches as a result of a major breach at the UCLA Medical Center this past year. The Berkeley Lab CIO is part of the select leadership team at UC that is structuring future security improvements for the entire UC system.
As part of Berkeley Lab’s outreach to the broader community, especially to showcase Berkeley Lab’s diversity in cyber, Berkeley Lab cyber participated in the following community events this past year:
Computer Networking and Information Technology Department Advisory Board member at Community College of San Francisco.
Albany High School Job Shadow Day 2016.
Albany High School Career Day 2015 as an invited speaker.
SULI, CCI and BLUR: Brown Bag Meeting #5 as an invited speaker.
‘Start a Career in Cybersecurity’ event at General Assembly as an invited speaker.
WonderWomenTech conference as an invited speaker https://wonderwomentech.com/speakers/
As part of the DOE-wide iJC3 effort, Berkeley Lab has been selected to lead the iJC3 Cyber R&D group and to be a partner in the iJC3 Data Fusion group. The Berkeley Lab iJC3 Cyber R&D effort is being led by Dr. Sean Peisert, with Berkeley Lab cyber lending its operational expertise with Bro and data fusion as part of the effort.
DOE Enterprise Defenses
Berkeley Lab’s ROE has the CPP Sensor program installed and participates actively in the cyber federated model. Berkeley Lab has indicated its willingness to participate in the DEX program but this program is on hold as it transitions to E3A. We continue to report all reportable incidents to JC3, including all reportable incidents since the mid-year report.
This past year, Berkeley Lab developed a Multifactor Authentication implementation plan, including exception requests, in alignment with DOE’s MFA Implementation Approach. Although our approach does not utilize PIV-I, it meets the NIST 800-63-2 Level of Assurance requirements for Privileged and Standard Users, is more suitable for an open science environment, is better integrated with our existing cyber program, and provides us with the flexibility to adapt to the changing cyber and risk environment.
Since the mid-year report, we have begun our MFA implementation and it is proceeding smoothly across Berkeley Lab. We anticipate 100% compliance for Privileged and Standard Users by the end of FY16.
Berkeley Lab CIO efforts to coordinate and represent Laboratory interests at the Federal level continue to be recognized, valued and sought out. This year has seen the development of efforts at the Federal level that could have a significant impact on the National Labs and Plants, especially in the area of cyber. Berkeley Lab CIO has played a critical role in leading National Laboratory analysis and has contributed directly and significantly to these efforts.
Berkeley Lab Deputy CIO is co-lead of the DOE-wide FITARA implementation working group.
Berkeley Lab Deputy CIO co-developed SC’s new Annual Lab Plan sections on Information Technology, including leading multiple calls with all SC and S4 labs on strategies for answering the new sections.
Berkeley Lab CIO is chair of NLCIO and has led National Lab-wide responses to dozens of initiatives ranging from cyber sprint activities including MFA to data center consolidation and optimization.
National Laboratory CIO Leadership
Berkeley Lab CIO continues to play a significant role in National Laboratory CIO efforts to represent the interest of the National Labs at the Federal level. This leadership role has been prominent this year with Berkeley Lab’s input and participation sought after by DOE OCIO and the NLCIO on multiple occasions.
Berkeley Lab CIO played a significant and critical role in representing the National Labs and coordinating NLCIO activities and responses to the multiple working groups launched this year to address cyber issues.
Berkeley Lab CIO efforts in the areas of multifactor authentication, FITARA, audits, data center consolidation and optimization, and critical (high value) systems enabled these working groups to more accurately reflect the needs of not only the Labs and Plants, but DOE in general. Specifically, Berkeley Lab CIO’s input was sought after and contributed to the development of DOE OCIO’s strategy to address multifactor authentication.
Berkeley Lab took a lead role in the development of the DOE Multifactor Implementation Approach, representing the Office of Science Labs and Plants in discussions and in the development of DOE-wide strategies to address multifactor authentication and its impact on our mission.
Cyber Audit Assessment Working Group
During this year, Rosio Alvarez has led the DOE Cyber Audit Assessment Working Group to develop recommendations that coordinate and align the goals, strengthen the effectiveness, and enhance the impact of DOE audits, reviews and data collections while, wherever possible, decreasing duplication and administrative burden. This working group encompasses members from across DOE, including the Laboratories and Plants, NNSA and DOE OCIO. The recommendations are meant to guide all of DOE.
Status of Assessment
Program Review of Unclassified Cyber Security
Technical Review of Unclassified Cyber Security
OMB Circular A-123 - IT Controls
Unclassified Cyber Security (Advisory)
Quarterly Review of Cyber Controls
Risk Assessment Self Assessment
Multifactor Authentication Implementation (Advisory)
Integrated Assessment Highlights
An assessment of Berkeley Lab’s cyber security by the DOE Office of Enterprise Assessment (EA) was conducted during this year and was one of several assessments conducted at Labs and Plants. The assessment was divided into two parts: a review that occurred at the beginning of the fiscal year and a technical assessment that occurred in January 2016.
Berkeley Lab had initially planned for the review and technical assessment to occur at the same time and had redirected resources in preparation for this. Substantial effort and resources were redirected in preparation for and management of the assessment, especially in light of the unplanned change in schedule.
The final report of the assessment was delivered to Berkeley Lab at the end of May 2016. Berkeley Lab did extremely well in the assessment. All areas for follow-up were already identified clearly in risk-assessments and self-assessments, providing some validation for the CAS in place for cyber security.
The final report praised Berkeley Lab’s cyber program, stating that “overall, the LBNL technical security program/controls are well implemented” and that “EA’s testing and interviews identified very few vulnerabilities or weaknesses in LBNL’s networks. Most vulnerabilities that EA identified were mitigated by other controls such as Bro....” In conclusion, the EA report stated that “the EA team did not uncover any circumstances that warranted a finding or deficiency.”
In FY16 Q4, the Berkeley Lab CIO requested that Berkeley Lab Internal Audit Services perform an advisory assessment of Berkeley Lab’s Multifactor Authentication Implementation Plan. The goal of this assessment was to provide a third party review of Berkeley Lab’s MFA Implementation Plan to validate meeting NIST 800-63-2 Level of Assurance requirements for Privileged Users and Standard Users as defined in the June 26, 2016 version of the DOE Multifactor Authentication Implementation Approach document. Although this assessment is not yet complete, we do not anticipate any significant deficiencies to be identified in our MFA implementation.