Open Science in Cybersecurity: Real-World Impact

Summary
– Scientific research environments prioritize openness and collaboration, which can create cybersecurity blind spots when infrastructure is initially designed by scientists without security input.
– Early collaboration between scientists and cybersecurity teams is crucial, as it allows for the creation of valuable scientific tools with managed risk and minimal negative impact.
– A significant challenge is public misunderstanding, as cybersecurity researchers often mistake Fermilab’s intentionally released public data for a security breach.
– In research settings, data availability and integrity are often more critical than confidentiality, allowing security controls to be adjusted, such as not encrypting publicly released data.
– Legacy and custom-built operational technology (OT) systems, like those in particle accelerators, pose long-term cyber risks due to extended refresh cycles, but these challenges can be addressed through specialized programs and workforce upskilling.

The world of scientific research operates on principles of openness and collaboration, where the free exchange of information fuels discovery. This creates a unique cybersecurity landscape where protecting sensitive data must be balanced with enabling global scientific progress. Security teams in these environments often prioritize system availability over strict confidentiality, a fundamental shift from standard enterprise models. We spoke with Matthew Kwiatkowski, Chief Information Security Officer at Fermilab, to explore the practical realities of securing complex, legacy-driven research infrastructure.
A common challenge arises when research infrastructure is initially designed by scientists rather than security engineers. Over the last decade, significant improvements have been made, particularly within the Department of Energy laboratory system, to better align commodity IT with specialized scientific computing. The core issue emerges from a lack of early collaboration. When security is not considered from the start, the result can be a brilliant scientific tool built with risky implementations. These risks are typically identified and mitigated through standard cybersecurity processes. However, when collaboration is planned into a project from its earliest stages, cybersecurity becomes a value-adding partner. The outcome is still a powerful scientific instrument, but one implemented with managed risk and minimal negative impact.
When people think of scientific infrastructure, universities and national labs come to mind. From a security perspective, these environments are frequently misunderstood. At Fermilab, a vast amount of information is intentionally released to the public, ranging from technical papers to terabytes of experimental data. This practice often leads to confusion. The laboratory receives about one report per month from concerned individuals or cybersecurity researchers who discover this publicly accessible data and mistakenly report it as a security breach. The laboratory clearly labels information authorized for public release, but some observers are quicker to file a report than to read the provided dissemination notices.
Certain assumptions about trust and openness within scientific communities can introduce security complexities. Fermilab has a responsibility to ensure that all affiliates and visiting researchers are properly authorized. In fields like high-energy physics, experiments can span five to ten years for data collection and analysis. Early-career scientists and academics often move between multiple institutions during this lengthy period. This constant movement requires the laboratory to repeatedly re-vet individuals and their new institutional affiliations, making it a daunting task to maintain active, secure collaborations over such extended timelines.
A defining characteristic of research security is the treatment of availability as more mission-critical than confidentiality. Fortunately, within standard security frameworks, the control sets for moderate integrity and availability are often the same as those for moderate confidentiality, reducing the need for a complete overhaul of approach. For information cleared for public release, there is little value in applying controls like encryption at rest, which is designed to prevent data loss when storage media leaves an organization’s control. Applying such controls to open data would incur unnecessary cost and effort without providing a security benefit. Conversely, Fermilab also manages typical business systems and proprietary data that do require a standard, confidentiality-focused cybersecurity approach.
Research environments frequently depend on highly specialized, aging, or custom-built systems. Fermilab’s particle accelerator, for instance, is a one-of-a-kind precision machine with many custom IT and operational technology (OT) components. These systems do not follow typical IT replacement schedules, leading to longer technology refresh cycles. The primary risk is the challenge of integrating modern cybersecurity tools into these older technology stacks. Agencies like the Department of Energy (DOE) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) provide essential guidance for these legacy systems. Internally, the DOE has established the Center of Excellence for Operational Technology (CoE4OT) to address this challenge across its complex. Initial findings indicate that with dedicated resources, these obstacles can be overcome through strategic workforce development, thoughtful architecture, proper configuration, and continuous monitoring.
(Source: Help Net Security)





