Trust is critical to the process of science. Two decades ago the Internet and World Wide Web fostered a new age in computational science with the emergence of accessible and high performance computing, storage, software, and networking. More recent paradigms, including virtual organizations, federated identity, big data, and global-scale operations continue to evolve the way computing for science is performed. Advancing technologies, the need to coordinate across organizations and nations, and an evolving threat landscape are sources of ongoing challenges in maintaining the trustworthy nature of computational infrastructure and the science it supports. To address these challenges, a number of projects have focused on improving the cybersecurity and trustworthiness of scientific computing. Recent examples include the Center for Trustworthy Scientific Cyberinfrastructure funded by NSF, the Software Assurance Marketplace funded by DHS, and the Extreme Scale Identity Management for Science project funded by DOE. This presentation will give a 20 year retrospective together with a vision for the future of cybersecurity for computational science. It will describe the state of trust and cybersecurity for scientific computing, its evolution over the past twenty years, challenges it is facing today, how the exemplar projects are addressing those challenges, and a vision of cybersecurity for research and higher education in general augmenting each other in the future.

1. A Multi-decade Perspective!
Trustworthy Computational
Science!
Von Welch!
Indiana University!
Director, CACR!
April 15, 2015!

2. About
the
Center
for
Applied
Cybersecurity
Research
• Interdisciplinary
applied
research
into
cybersecurity.
• Bridge
cybersecurity
research
and
prac7ce
across
Indiana
University.
• Externally
facing,
with
projects
funded
by
NSF,
DOE,
DHS,
…
• Part
of
Pervasive
Technology
Ins7tute.
2

3. My
talk:
Cybersecurity
and
Science
• The
rise
of
scien7fic
compu7ng.
• Cybersecurity
as
risk
management.
• What
are
the
risks
to
science?
• What
can
science
teach
cybersecurity?
• PuOng
it
all
together.
• How
put
this
into
prac7ce?
3

4. The “Good Old Days”
Scientists were
employees or
students – physically
co-located.
Image credit: Wikipedia
4

5. Then remote access…
Scientists start being
remote from the
computers.
But still affiliated
with computing
centers.
Image credit: All About Apple Museum
Creative Commons Attribution-Share Alike 2.5 Italy
5

6. Growth of the scientific
collaboration
Number of scientists, institutions, resources.
Large, expensive, rare/unique instruments.
Increasing amounts of data.
Image credit: Ian Bird/CERN
6

7. Cyberinfrastructure!
Scientific Community!
Multiple
Universities
and/or
Research
Orgs!
Regional
R&E and
Commercial
Services!
Open Source
and Scientific
Software!
R&E
Networks,!
IRNCs,!
Science
DMZs!
…
The
“Science
Stack”
7

8. Cyberinfrastructure
PCs/Mobile
HPC
HTC
HPSS
Instruments
Science
Data
Servers
Portals
Commodity
Unique
Satellite
Links
HPN
Science
DMZ
Cloud
Data
Subjects
8

9. What
is
the
Goal
of
Cybersecurity
for
Science?
9

10. Cybersecurity Historically!
Firewalls, IDS,
encryption, logs,
passwords, etc.!
!
Not inspirational
to the science
community"
(or many others).!
10

11. Contemporary Cybersecurity!
Cybersecurity
supports the
organization’s
mission by
managing risks
to science.!
11

12. Maximizing
Trustworthy
Science
Trustworthy
Science
Output
Too much
risk
Too little
Science
Security
12

13. What
are
the
risks
to
Science?
13
?

14. Trustworthy Science!
Integrity of data and
computation are critical to
maintaining the trust of scientists
and the public in CI.!
!
Perception of integrity is often
just as important as reality.!
!
14

15. Do No Harm!
Cyberinfrastructure
represents some
impressive cyber-
facilities.!
!
Being used as a tool to
harm others would be
very damaging to one’s
reputation.
15

16. Collaboration
is key to
science. "
"
Trust is key to
collaboration.!
16

17. Identity Matters to Science…!
Scott
Koranda/LIGO
-­‐
Oct’11
17

18. Specific Concerns!
Many science domains,
communities, and
projects have particular
concerns.!
!
The risks related to
confidentiality,
integrity, and
availability vary
greatly, and go by their
own nomenclature.!
18

19. Cyberinfrastructure!
Scientific Community!
Multiple
Universities
and/or
Research
Orgs!
Regional
R&E and
Commercial
Services!
Open Source
and Scientific
Software!
R&E
Networks,!
IRNCs,!
Science
DMZs!
…
How
do
we
manage
these
Risks?
19

20. Leverage
services
when
possible
• Leverage
cybersecurity
in
these
services.
• Save
effort
for
science-­‐specific
challenges.
• Challenge:
Quan7fy
and
manage
residual
risks
from
those
services.
Multiple
Universities
and/or
Research
Orgs!
Regional
R&E and
Commercial
Services!
Open Source
and Scientific
Software!
R&E
Networks,!
IRNCs,!
Science
DMZs!
…
20

21. Commodity
IT
• Use
baseline
cybersecurity
prac7ces
from
NIST
and
others.
E.g.
hXp://
trustedci.org/guide/
docs/commodityIT
21
Commodity IT

22. Unique
IT/
Instruments/
Data/etc.
• Must
understand
and
manage
risk
• A
custom
task
–
can
be
helped
with
resources
E.g.
hXp://
trustedci.org/guide/
22
Unique Assets

23. What
about
the
Science
itself?
• The
mission
we
are
ul7mately
suppor7ng.
• A
source
of
risks.
But
is
that
all?
Scientific Community!
23

24. Science
Manages
Risks
as
Well
• Biases
• Errors
24
http://www.ligo.org/news/blind-injection.php

25. http://cms.web.cern.ch/news/blinding-
and-unblinding-analyses
25
https://theoreticalecology.wordpress.com/2012/06/22/statistical-
analysis-with-blinded-data-a-way-to-go-for-ecology/

26. Bias:
The
Ultimate
Insider
Threat
• “Insider
Threat”
–
dealing
with
risks
that
originate
from
inside
the
organiza7on.
• Science
has
been
dealing
with
the
risk
of
bias
for
a
long
7me.
• Mature
science
projects
bring
a
lot
of
risk
management
around
bias
that
should
be
leveraged
by
cybersecurity.
• What
is
the
residual
risk
in
computa7onal
science
a^er
bias
management?
26

27. 27

28. Cyberinfrastructure!
Scientific Community!
Multiple
Universities
and/or
Research
Orgs!
Regional
R&E and
Commercial
Services!
Open Source
and Scientific
Software!
R&E
Networks,!
IRNCs,!
Science
DMZs!
…
Putting
it
all
together…
Leverage science
processes,
understand risks.
Baseline controls,
risk management.
Leverage services
and cybersecurity to
conserve effort,
understand and
manage residual
risks.
28

29. How
do
we
put
this
into
practice?
29

30. http://science.energy.gov/~/media/ascr/ascac/pdf/charges/ASCAC_Workforce_Letter_Report.pdf
DOE
Advanced
ScientiPic
Computing
Advisory
Committee
Workforce
Subcommittee
Letter
“In
par7cular,
the
findings
reveal
that:
All
large
DOE
na7onal
laboratories
face
workforce
recruitment
and
reten7on
challenges
in
the
fields
within
Compu7ng
Sciences
that
are
relevant
to
their
mission
(…),
including
Algorithms
(both
numerical
and
non-­‐numerical);
Applied
Mathema7cs;
Data
Analysis,
Management
and
Visualiza7on;
Cybersecurity;
So^ware
Engineering
and
High
Performance
So^ware
Environments;
and
High
Performance
Computer
Systems.“
30

31. http://blog.ted.com/bridging-the-gulf-in-mental-health-care-vikram-patel-at-tedglobal2012/
Maximizing
Limited
Expertise
31

32. SUNDAR
• Simplify
the
message
• UNpack
the
treatment
• Deliver
it
where
people
are
• Affordable
and
available
human
resources
• Realloca7on
of
specialists
to
train
and
supervise
32

33. Center for Trustworthy Scientific
Cyberinfrastructure"
TrustedCI.org!
!
Increase the NSF community’s understanding of
cybersecurity for science, and advance its
implementation.!
Three-year project funded by NSF ACI.!
33

34. CTSC Activities!
Engagements!
LIGO, SciGAP, IceCube, Pegasus, CC-NIE peer reviews, DKIST, LTERNO,
DataONE, SEAD, CyberGIS, HUBzero, Globus, LSST, OOI, NEON.!
Education and Training!
Guide to Developing Cybersecurity Programs for NSF Science and
Engineering Projects, Securing Commodity IT in Scientific CI Projects,
Baseline Controls and Best Practices, Training for CI professionals.!
Leadership!
Organized 2013, 2014 & 2015 Cybersecurity Summits for Large Facilities
and CI, vulnerability awareness, Cybersecurity for Large Facilities Manual.!
34

35. Cybersecurity Program Guide!
Baseline
prac7ces
and
risk
management,
tailored
for
science
projects
with
guidance
and
templates.
http://trustedci.org/guide/
35

36. Please Join Us!!
!
2015 NSF Cybersecurity Summit for !
Large Facilities and Cyberinfrastructure.!
August 17-19, 2015. Arlington, VA!
!
!
Email lists, details and CFP coming soon at
trustedci.org!
36

37. In conclusion…!
Cybersecurity
for
science
is
about
managing
risks
for
science
to
maximize
trustworthy
science.
Science
itself
has
much
to
offer
in
the
process
if
we
can
figure
out
how
the
worlds
of
cybersecurity
and
science
interact.
By
leveraging
our
specialists
for
training
and
maximum
impact,
we
can
overcome
workforce
constraints
to
make
this
a
reality.
37

38. Acknowledgements
• Colleagues
at
CACR,
CTSC,
XSIM
who
make
all
this
work
possible.
• Mike
Corn,
Adam
Lyon
for
discussions
and
feedback.
• Department
of
Energy
Next-­‐Genera7on
Networks
for
Science
(NGNS)
program
(Grant
No.
DE-­‐
FG02-­‐12ER26111).
• Na7onal
Science
Founda7on
(Grant
1234408).
The
views
and
conclusions
contained
herein
are
those
of
the
author
and
should
not
be
interpreted
as
necessarily
represen7ng
the
official
policies
or
endorsements,
either
expressed
or
implied,
of
the
sponsors
or
any
organiza7on
38

39. Notes
• Science
Output
• Science
has
error
management
• SUNDAR
==
Beau7ful
in
Indian
• Need
to
clarify
Science/cybersecurity
risk
management
rela7onship.
39