Hypothesis: Cyber Attackers Are After Your Scientific Research

From COVID-19 treatment to academic studies, keeping research secure is more important than ever. The ResearchSOC at Indiana University intends to help.

A Research Supply Chain
Welch describes the modern scientific process as one in which one group of researchers focuses on gathering data and others focus on developing algorithms for analyzing the data. Still other groups might then take the data and algorithms and develop software to run on high-performance computing platforms to generate information that informs conclusions and papers.

"It's a very dynamic set of scenarios that sort of makes it tough to concretely lock down who should have access at any one time. You end up having a lot of distributed autonomy and a lot of trust relationships," he says.

The distributed nature of the research is recognized in those formal papers that now can have hundreds of recognized authors, Welch says. But enterprise security professionals must recognize that each relationship, each point at which data is passed from one researcher or research entity to another, creates another attack surface that can be exploited.

Todt has questions about how best practices can be developed for research: "The question would be, can this sector come together to create secure platforms? Do companies need to do it by themselves? And is there a role for the United States government to work collaborating to create and improve the security of those platforms?"

Work has begun in that direction, Welch says.

"There certainly have been a couple of framework developments in the EU largely built around the CERN community," he explains. "They have pulled together some best practices here in the US. We also have some cybersecurity program guides that are actually working on building a framework."

But the very nature of science, in which different types of research differ widely from one another, means the frameworks have to be different, too, with specific protection mechanisms developed for each research project.

The final challenge is making the principal investigator (PI) of each project -- a person with enormous responsibility and autonomy in the research world -- understand the importance of security.

"Principal investigators, just like CEOs or other C-suite level folks, typically don't come from a cybersecurity background," Welch says. "They're astronomers or physicists or other domain scientists. And their No. 1 goal is getting their science mission done, just like a CEO is trying to run their bank or get their startup launched or whatnot."

The key, he says, is language.

"If you go in there and tell them how this particular cybersecurity issue is a risk to their science mission, and you're able to communicate that so they understand how it relates to their scientific mission, now you'll start getting somewhere," Welch says. "You have to be able to have that communication with your principal investigator as you would with any leadership team, and [you have to] translate between these cybersecurity concerns and the risks to the mission."