IT News & Events

News about IT at Indiana University and the world


IU receives $480K NSF grant to develop security tool prototype

Science DMZ project creates firewall to protect microscopes, MRIs and other instruments from data breaches

To address the vulnerability of valuable scientific and clinical instruments connected to the Internet, Indiana University will develop a working prototype for a mini-science DMZ through the support of a three-year, $480,000 National Science Foundation (NSF) grant.

Mini science DMZ infographic

Organizations such as hospitals, laboratories and universities are exposed to network security breaches through the instruments they connect to their networks, from telescopes and microscopes to DNA sequencers and MRI machines. A Science DMZ is a network segment set apart from an organization's general-purpose network, with its own security policy and high-performance networking, built for data-intensive tasks such as transferring, storing and analyzing research data.

Headed by Steven Wallace, IU enterprise network architect and technical adviser, the project aims to improve the security of data ranging from large research datasets to individual medical records. Beyond its basic job of providing a secure data path, IU's mini-science DMZ prototype is meant to ensure the integrity of instrument data and keep sensitive information from leaking, and it would offer further benefits beyond that core role.

"This will be based on completely open-source software. So if we do a good job, anybody can take what we did and apply it, and in fact, they can resell it. There’s no restriction on what they can do with it, so they can sell it as is or change it and sell it. This is a contribution, potentially, to commercial companies or other academic institutions," said Wallace. "We want to develop something researchers and others who use instruments like this can use. If a vendor decides they want to sell this, they can maintain its features in an open-source way, so there’s a critical mass of people who keep this alive—keep it current and updated, with new features and bug fixes." 

While developing the requirements for IU's next network master plan, Wallace and colleague Mike Enyeart noticed that the instruments researchers use are controlled by a PC that typically only the vendor can update. That single PC is responsible for keeping the instrument secure, converting what the instrument records into a digital image, and transmitting that image over the network into the science workflow, the process that turns raw data into usable knowledge. Because all of those roles sit on a machine the institution cannot patch or modify itself, troubleshooting is a time-consuming effort.

That challenge led to a multifaceted plan for the mini-DMZ prototype, beginning with a firewall that protects Internet-connected instruments from network-based attacks. Not every attack would damage the instrument itself, but a compromised instrument controller can be enrolled in a botnet (a set of compromised computers under an attacker's remote control, usually without the owner noticing) and used, for example, to launch a distributed denial of service (DDoS) attack against a hospital's network. Containing that second risk means the firewall must restrict what the instrument can reach, not only what can reach it.
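The botnet scenario above is easiest to defend against with a default-deny forwarding policy that pins the instrument controller to the one destination it legitimately needs. The nftables ruleset below is an added example written for this page, not code from the IU project; it assumes the mini-DMZ box forwards traffic between one port facing the vendor-managed control PC and one port facing the campus network, and the interface names, addresses and ports are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny policy for a mini-DMZ box sitting between an
# instrument's vendor-managed control PC and the campus network.
# Everything below "define" is an assumption for illustration.
flush ruleset

define INSTRUMENT_IF = "eth1"        # port facing the instrument control PC
define CAMPUS_IF     = "eth0"        # port facing the campus network
define INSTRUMENT    = 10.20.0.10    # control PC address (assumed)
define DTN           = 10.30.0.5     # data transfer node that ingests results (assumed)
define MGMT_NET      = 10.40.0.0/24  # admin / vendor jump hosts (assumed)

table inet minidmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful: allow replies to conversations permitted below, drop junk.
        ct state established,related accept
        ct state invalid drop

        # Instrument -> data transfer node only, on the one port it uses.
        iifname $INSTRUMENT_IF ip saddr $INSTRUMENT ip daddr $DTN tcp dport 443 accept

        # Inbound administration of the control PC only from the management network.
        iifname $CAMPUS_IF ip saddr $MGMT_NET ip daddr $INSTRUMENT tcp dport { 22, 3389 } accept

        # Anything else the controller tries to reach (arbitrary Internet hosts,
        # other campus subnets) is logged and dropped. This is what stops a
        # compromised controller from joining a DDoS or fetching a second stage.
        iifname $INSTRUMENT_IF log prefix "minidmz-egress-drop " drop
        iifname $CAMPUS_IF log prefix "minidmz-ingress-drop " drop
    }
}
```

Load it with `nft -f` on the mini-DMZ box. The egress log prefix is the useful detection signal: any connection attempt from the controller to a destination other than the data transfer node is exactly what a DDoS bot or malware download would produce, so a SIEM rule on that prefix catches the compromise the article describes even though the instrument keeps working.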

Another dimension of the prototype is a fully programmable device that automatically sends data into the science workflow. Instead of a multistep process that requires separate technology, the device itself would be automated to perform that task, which would also simplify troubleshooting.

The device would also be able to digitally sign the data produced by the instruments, together with metadata such as the project's researcher, time, date or other relevant details, using cryptographic signatures. A valid signature attests to the origin and integrity of the information: anyone who later alters the data or its metadata breaks the signature, so tampering can be detected even though it cannot be physically prevented.

"I’m not aware of any device that has the capability of signing the data," said Wallace. "If you’re a researcher and your campus just wanted to buy a bunch of little boxes and put this software on them, you could do that. It would be something that would contribute to the security of those devices and ensure the integrity of the data they produce."
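As an added illustration of the signing step described above (example code written for this page, not the IU prototype's software), the Go program below has a device sign a manifest of metadata plus a SHA-256 digest of the capture with an Ed25519 key, then shows verification failing when the data, the metadata, or the signing key is not what was enrolled. The instrument, researcher and project fields, the choice of Ed25519, and the freshly generated key pair are assumptions; a production device would keep the private key in a TPM or secure element and the campus would enroll the public half.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the metadata the device binds to one instrument capture.
// Field order matters: encoding/json emits struct fields in declaration
// order, which yields a deterministic byte string to sign.
type Manifest struct {
	Instrument string `json:"instrument"`
	Researcher string `json:"researcher"`
	Project    string `json:"project"`
	CapturedAt string `json:"captured_at"` // RFC 3339, set by the device clock
	DataSHA256 string `json:"data_sha256"` // hex digest of the raw capture
}

// SignedCapture travels into the science workflow next to the raw capture.
type SignedCapture struct {
	Manifest  Manifest `json:"manifest"`
	Signature []byte   `json:"signature"` // Ed25519 over the canonical manifest
}

// Sign hashes the raw capture, records the digest in the manifest and signs
// the canonical manifest bytes with the device's private key.
func Sign(priv ed25519.PrivateKey, m Manifest, data []byte) (SignedCapture, error) {
	sum := sha256.Sum256(data)
	m.DataSHA256 = hex.EncodeToString(sum[:])
	msg, err := json.Marshal(m)
	if err != nil {
		return SignedCapture{}, err
	}
	return SignedCapture{Manifest: m, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify checks that the manifest was signed by the enrolled device key and
// that the raw capture still matches the digest recorded in the manifest.
func Verify(pub ed25519.PublicKey, sc SignedCapture, data []byte) error {
	msg, err := json.Marshal(sc.Manifest)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sc.Signature) {
		return errors.New("manifest signature invalid: metadata altered or wrong signer")
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != sc.Manifest.DataSHA256 {
		return errors.New("capture digest mismatch: data altered after signing")
	}
	return nil
}

func main() {
	// Demo key pair (assumed). On a real device the private key never leaves
	// a TPM or secure element; the campus enrolls the public key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample standing in for an image frame from the instrument.
	data := []byte("constructed sample: 16-bit TIFF frame bytes stand in here")
	sc, _ := Sign(priv, Manifest{
		Instrument: "microscope-04", Researcher: "jdoe", Project: "P-1234",
		CapturedAt: time.Now().UTC().Format(time.RFC3339),
	}, data)

	fmt.Println("original:       ", Verify(pub, sc, data)) // <nil>
	tampered := append([]byte{}, data...)
	tampered[0] ^= 0x01
	fmt.Println("data edited:    ", Verify(pub, sc, tampered)) // digest mismatch
	forged := sc
	forged.Manifest.Researcher = "mallory"
	fmt.Println("metadata edited:", Verify(pub, forged, data)) // signature invalid
}
```

Two design points carry over to any real implementation: the signature covers the digest rather than the raw bytes, so a multi-gigabyte capture is hashed once and the manifest stays small enough to ship and archive separately; and the capture time comes from the signing device, not from the vendor-managed PC, which is the component the article identifies as outside the institution's control.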