Pacific Northwest National Lab Does Cybersecurity

Jerry Johnson, CIO of one of the country's top national laboratories, is "amazed" at the level of insecurity that persists at many organizations. More CIOs should consider protecting their data like this world-class research institution does.

Rob Preston, VP & Editor in Chief, information

October 3, 2007


Pacific Northwest National Laboratory, a U.S. Department of Energy Office of Science lab, provides foundational science and applied research in energy, the environment, and national security for DOE, other government agencies, universities, and industry. So its intellectual property is its lifeblood.

That IP also is extremely valuable, one reason PNNL is under constant cyberattack. On a "quiet day," Johnson estimates, the lab's firewalls block 50,000 to 100,000 malicious connections per HOUR -- everything from script kiddies banging on its network to denial of service attacks to attempts by foreign entities to steal information pertinent to national security. In addition, PNNL's firewall turns away another 800,000 spam messages per day, he says.

PNNL deploys a classic "defense in depth" to protect its information assets. First, it divides its network into security "enclaves" based on the sensitivity of information and the assessed threat levels. Its extranet enclave hosts publicly accessible servers, and several internal enclaves are segmented by wired network, wireless network, enterprise services (databases, servers), and others housing the most sensitive information.

On the Internet perimeter and between intranet enclaves, PNNL uses conventional network-layer firewalls to manage access. Two-factor authentication is required for all intranet access from locations not under the lab's physical control. At the next layer are application-layer firewalls for extranet Web services and for Internet mail that scan and eliminate known malware attacks before they reach a server or user's workstation. All servers and workstations have host-based antivirus protection, and all workstations have host-based firewalls and intrusion detection software. Rounding out PNNL's defenses are patch management, vulnerability scanning, and log analysis systems.

But the most important layer of PNNL's defense strategy, Johnson maintains, is the organization's end users. All employees must go through an internally developed cybersecurity program, updated and renewed every year. The program includes interactive online training, as well as exercises that apply the course material to real-world situations. Awareness campaigns -- focused on phishing, downloading peer-to-peer software, and other common pitfalls -- feature postcards mailed to each employee and matching posters placed in common areas. (Read what one imprisoned cyberpunk says about how he regularly cracked commercial systems.)

PNNL's user awareness program has had a measurable impact. For example, less than 1% of employees responded to a targeted phishing message recently generated by a security review team, Johnson says, compared with the 15% response rate typical in other organizations.

PNNL has no chief information security officer per se, but Johnson works closely with his peer at the lab's Safeguards & Security organization, who's responsible for both physical and logical security. PNNL has about six full-time infosec professionals.

For its fiscal year ended last Sunday, about 6% of PNNL's $45 million IT budget was spent on cybersecurity. Excluding research computing -- that is, looking at cybersecurity costs relative only to business computing, office automation, and core infrastructure -- that percentage rises to nearly 8%.

Given the nature of PNNL's business, it's money well spent. But you don't have to be a world-class research lab to take security so seriously.

Find out more about Johnson's security strategies and other priorities in our video interview.


About the Author

Rob Preston

VP & Editor in Chief, information

Rob Preston currently serves as VP and editor in chief of information, where he oversees the editorial content and direction of its various website, digital magazine, Webcast, live and virtual event, and other products. Rob has 25 years of experience in high-tech publishing and media, during which time he has been a senior-level editor at CommunicationsWeek, CommunicationsWeek International, InternetWeek, and Network Computing. Rob has a B.A. in journalism from St. Bonaventure University and an M.A. in economics from Binghamton University.
