OSCRP: The Open Science Cyber Risk Profile

Our Product: The Open Science Risk Profile

About OSCRP

Welcome to OSCRP, a community project led by Trusted CI, the NSF Cybersecurity Center of Excellence.

Over the course of 2016, Trusted CI and the Department of Energy’s Energy Sciences Network (ESnet) collaborated with research and education community leaders to develop a “risk profile for open science” that formally captures and benchmarks this expertise, so that other organizations can apply these best practices more broadly. The risk profile is a categorization of the assets common to open science projects and of the risks those assets commonly pose to the science; its purpose is to greatly expedite risk management for open science projects and improve their cybersecurity.

The risk profile is scoped to science projects that are “open,” that is, unclassified, such as projects funded by the National Science Foundation (NSF), the DOE Office of Science, and the National Institutes of Health (NIH). (Such projects may nonetheless be under a limited-time scientific embargo, and may include PHI, as with NIH research.)

We took an asset/impact-oriented approach. Explicitly, we are not concerned about threat actors or specific attack methods, but what assets open science projects have, what harms could befall those assets, and what the impacts from those harms would be to the project.

“An asset/impact-oriented approach starts with the identification of impacts or consequences of concern and critical assets, possibly using the results of a mission or business impact analyses and identifying threat events that could lead to and/or threat sources that could seek those impacts or consequences.” (NIST Special Publication 800-30)

For assets that are commodity IT or for which a risk profile already exists, this effort references that profile and does not duplicate it, except where the “open science” aspect is in conflict with the existing risk profile.

What is an asset?

“Assets” are computing systems, data storage systems, networking, digital sensors, scientific and other advanced instruments, scientific data, personnel, and an interoperable suite of software services and tools, including data repositories, visualization environments, and analytic environments. Assets also include the computer-controlled, network-connected elements of physical plants responsible for the safety and security of these systems, such as power and HVAC.

How to Contribute?

This document is hosted in GitHub to encourage the community to make contributions of new Assets and other improvements. One needs a free GitHub account to contribute. Your options for doing so are:

  1. Point out a problem or make a suggestion by creating an issue.
  2. Author changes or additions by creating a fork, pushing your changes to it, and opening a pull request.

Current Maintainer

Sean Peisert, Berkeley Lab

2016 Working Group and Original Authors

Core members:
RuthAnne Bevier, California Institute of Technology
Rich LeDuc, Northwestern University
Pascal Meunier, Purdue University / HUBzero
Steve Schwab, USC Information Sciences Institute
Karen Stocks, UC San Diego / Scripps Institution of Oceanography

Contributing members:
Ilkay Atlintas, UC San Diego / San Diego Supercomputer Center
James Cuff, Harvard University
Warren Raquel, UIUC / National Center for Supercomputing Applications
Reagan Moore, University of North Carolina / iRods

Organizers:
Sean Peisert, Berkeley Lab / ESnet
Von Welch, Indiana University
Andrew Adams, Pittsburgh Supercomputing Center
Michael Dopheide, ESnet
Susan Sons, Indiana University (former)

Questions?

Contact us by emailing oscrp@trustedci.org
