Find out more about our ambitious upgrade project, delivering more brightness, more coherence, and greater speed of analysis to UK science. More about Diamond-II
Find out more about Diamond's response to virus research.
Diamond plays a key role in global research, with over 14,000 researchers from around the world accessing its systems and data, around the clock. This constant access and the nature of its operations means Diamond faces unique security challenges.
Cheryn Tan, Senior Cybersecurity Officer at Diamond, shares how the facility is navigating these challenges while tailoring its security awareness initiatives to an audience composed largely of scientists and research support staff.
Diamond’s beamlines — 10 billion times brighter than the sun — operate 24 hours a day, six days a week, with specific time slots allocated to different research projects. Disruptions to the beamlines can cause significant delays for critical scientific work. “We have to make sure the facilities onsite are configured with resilience, and that we provide robust access and authentication methods for researchers working remotely,” Cheryn explains.
“Availability is what people at Diamond are most concerned about. If the beamlines are unavailable, researchers can’t complete their experiments — with a knock-on effect on their publication deadlines and even PhD completions.”
This need for constant availability informs how Cheryn and her colleagues design security awareness initiatives to maximise their effectiveness. “We try to target what people care about — in our case, that’s the availability of systems and data.”
“We help staff and researchers understand that security measures are in place to protect their ability to keep working without interruptions.” This includes defending against phishing emails that could lock down systems and addressing weak passwords that might allow unauthorised access to crucial data.
Diamond Light Source is an international research hubinfrastructure, with collaborators accessing its systems from all over the world. “Having people regularly logging in from different countries poses a challenge in securely managing remote access,” Cheryn says. “In a more locally based organisation, an unrecognised login from a non-UK IP address might be suspicious. But for us, it’s usually legitimate.”
The cybersecurity team must filter out malicious login attempts without blocking legitimate users. “We’re trying to find ways to improve and automate that process, but it still requires a bit of investigation. We need to ensure that security measures don’t block the researchers’ access to what they need, but instead enable them to continue working securely.”
Like many research institutions, Diamond faces resistance to security measures. Researchers focused on their work often see security steps as frustrating obstacles. “It’s difficult to avoid pushback,” Cheryn acknowledges. “Most people will be unhappy if you add more steps that feel like blockers.”
To mitigate this resistance, Diamond's cybersecurity team involves staff from various departments in testing new measures before implementation. “To minimise disruption, with security measures like multi-factor authentication we first test them with users from different departments and collect feedback before rolling out more broadly. We try to minimise exceptions, but if needed, we come up with secure alternative measures.”
Collaboration is key. “Maintaining open channels of communication and explaining the rationale behind security measures helps ease tensions.”
Diamond is also focusing on fostering secure development practices among its software engineers: “We want to build security into the software development process instead of it being an afterthought.” By engaging engineers and including security in the earliest stages of development, the team hopes to create more resilient systems overall.
Diamond’s workforce is as varied as its research projects, and the cybersecurity team must account for this when designing security awareness programmes.
“We implement mandatory staff training on security basics — password security, data protection, phishing emails, and social engineering — but we also supplement this with webinars, posters, and talks throughout the year," says Cheryn.
“We have a very diverse range of backgrounds at Diamond, from beamline technicians to software engineers to HR and finance staff. And all of them have different levels of technical knowledge and ability.”
This means that a one-size-fits-all approach to security awareness doesn’t work. Diamond uses interactive training programmes and personalised communications to engage staff and researchers with different skill levels. One particularly successful initiative was a "choose-your-own-adventure" training exercise with multiple-choice options.
“We put participants in scenario like: You’ve accidentally clicked on a phishing email — what do you do next? And then it spirals into seeing suspicious activity and systems going down. It helped bring home how quickly cyber attacks can escalate and have significant operational impacts.”
Cheryn and her colleagues plan to expand their awareness efforts by creating tailored messages targeting high-risk groups, such as researchers handling sensitive data. “We want to keep security front and centre without causing panic or security fatigue,” Cheryn adds.
After seeing ransomware attacks cripple other research facilities in the last couple of years, Diamond pivoted its focus to mitigating this risk.
“We identified ransomware as the biggest cybersecurity challenge facing Diamond Light Source. It’s now clear it’s not just something that affects large for-profit businesses — academic and research institutions are also being targeted.”
Taking a proactive approach, last year Diamond’s cybersecurity team ran a series of crisis simulations and tabletop exercises to prepare staff for ransomware attacks. These helped people understand the consequences of ransomware and how to respond effectively.
“The crisis simulation workshops — which we’re currently expanding to include our partners — helped to bring home the message that ransomware is something we need to be ready for.”
Cheryn highlights an unusual challenge at Diamond: distinguishing legitimate large data transfers from potential ransomware threats, as research projects often involve substantial data exfiltration. Since exfiltrations can precede encryption and ransom demands, Diamond’s staff are trained to identify legitimate transfers. They have also engaged 24/7 threat monitoring of key infrastructure by a managed service provider to strengthen their defences.
“Measuring the effectiveness of security awareness programmes is always tricky, and we’re still refining our approach,” Cheryn says. Diamond uses feedback surveys and tracks phishing-reporting rates, but they know these metrics don’t give the full story.
“It’s tempting to rely on easy measures like how many incidents we’ve had, but that’s not always the full picture. People are smart. They’re not just learning about security from us — they’re reading the news, talking to colleagues, and hearing about incidents at other institutions.”
An important element of Diamond’s security culture is creating a learning culture rather than a blame-oriented one.
“We don’t want to blame people if they fall for phishing attacks, but rather help them improve. Attackers are getting more sophisticated, and people make mistakes because they are tired or distracted. We want to make sure they feel supported.”
Diamond Light Source’s cybersecurity efforts illustrate the balance between maintaining security and enabling world-class research. While staff may sometimes feel that security adds obstacles to their work, Diamond’s approach is to show how these measures enhance, rather than impede, research progress.
As Cheryn emphasises, “We sympathise with how sometimes an additional step feels like a hurdle, but we always try to position security as an enabler of research, not a blocker.”
By delivering tailored security awareness initiatives, engaging exercises, and open communication alongside robust systems, Diamond’s cybersecurity team ensures that scientists can continue their vital work while staying secure.
Re-used with thanks to GÉANT, the collaboration of European National Research and Education Networks (NRENs).
Diamond Light Source is the UK's national synchrotron science facility, located at the Harwell Science and Innovation Campus in Oxfordshire.
Copyright © 2022 Diamond Light Source
Diamond Light Source Ltd
Diamond House
Harwell Science & Innovation Campus
Didcot
Oxfordshire
OX11 0DE
Diamond Light Source® and the Diamond logo are registered trademarks of Diamond Light Source Ltd
Registered in England and Wales at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom. Company number: 4375679. VAT number: 287 461 957. Economic Operators Registration and Identification (EORI) number: GB287461957003.