Trust is critical to the process of science. Two decades ago the Internet and World Wide Web fostered a new age in computational science with the emergence of accessible and high performance computing, storage, software, and networking. More recent paradigms, including virtual organizations, federated identity, big data, and global-scale operations continue to evolve the way computing for science is performed.
Advancing technologies, the need to coordinate across organizations and nations, and an evolving threat landscape are sources of ongoing challenges in maintaining the trustworthy nature of computational infrastructure and the science it supports. To address these challenges, a number of projects have focused on improving the cybersecurity and trustworthiness of scientific computing. Recent examples include the Center for Trustworthy Scientific Cyberinfrastructure funded by NSF, the Software Assurance Marketplace funded by DHS, and the Extreme Scale Identity Management for Science project funded by DOE.
This presentation will give a 20-year retrospective together with a vision for the future of cybersecurity for computational science. It will describe the state of trust and cybersecurity for scientific computing, its evolution over the past twenty years, challenges it is facing today, how the exemplar projects are addressing those challenges, and a vision of cybersecurity for research and higher education in general augmenting each other in the future.
2. About the Center for Applied Cybersecurity Research
• Interdisciplinary applied research into cybersecurity.
• Bridge cybersecurity research and practice across Indiana University.
• Externally facing, with projects funded by NSF, DOE, DHS, …
• Part of Pervasive Technology Institute.
3. My talk: Cybersecurity and Science
• The rise of scientific computing.
• Cybersecurity as risk management.
• What are the risks to science?
• What can science teach cybersecurity?
• Putting it all together.
• How to put this into practice?
4. The “Good Old Days”
Scientists were employees or students – physically co-located.
Image credit: Wikipedia
5. Then remote access…
Scientists start being remote from the computers.
But still affiliated with computing centers.
Image credit: All About Apple Museum
Creative Commons Attribution-Share Alike 2.5 Italy
6. Growth of the scientific collaboration
Number of scientists, institutions, resources.
Large, expensive, rare/unique instruments.
Increasing amounts of data.
Image credit: Ian Bird/CERN
14. Trustworthy Science
Integrity of data and computation are critical to maintaining the trust of scientists and the public in CI.
Perception of integrity is often just as important as reality.
18. Specific Concerns
Many science domains, communities, and projects have particular concerns.
The risks related to confidentiality, integrity, and availability vary greatly, and go by their own nomenclature.
20. Leverage services when possible
• Leverage cybersecurity in these services.
• Save effort for science-specific challenges.
• Challenge: Quantify and manage residual risks from those services.
[Diagram: Multiple Universities and/or Research Orgs; Regional R&E and Commercial Services; Open Source and Scientific Software; R&E Networks, IRNCs, Science DMZs; …]
21. Commodity IT
• Use baseline cybersecurity practices from NIST and others.
E.g. http://trustedci.org/guide/docs/commodityIT
[Diagram: Commodity IT]
22. Unique IT/Instruments/Data/etc.
• Must understand and manage risk
• A custom task – can be helped with resources
E.g. http://trustedci.org/guide/
[Diagram: Unique Assets]
23. What about the Science itself?
• The mission we are ultimately supporting.
• A source of risks.
But is that all?
[Diagram: Scientific Community]
24. Science Manages Risks as Well
• Biases
• Errors
http://www.ligo.org/news/blind-injection.php
26. Bias: The Ultimate Insider Threat
• “Insider Threat” – dealing with risks that originate from inside the organization.
• Science has been dealing with the risk of bias for a long time.
• Mature science projects bring a lot of risk management around bias that should be leveraged by cybersecurity.
• What is the residual risk in computational science after bias management?
30. DOE Advanced Scientific Computing Advisory Committee Workforce Subcommittee Letter
http://science.energy.gov/~/media/ascr/ascac/pdf/charges/ASCAC_Workforce_Letter_Report.pdf
“In particular, the findings reveal that: All large DOE national laboratories face workforce recruitment and retention challenges in the fields within Computing Sciences that are relevant to their mission (…), including Algorithms (both numerical and non-numerical); Applied Mathematics; Data Analysis, Management and Visualization; Cybersecurity; Software Engineering and High Performance Software Environments; and High Performance Computer Systems.”
32. SUNDAR
• Simplify the message
• UNpack the treatment
• Deliver it where people are
• Affordable and available human resources
• Reallocation of specialists to train and supervise
33. Center for Trustworthy Scientific Cyberinfrastructure
TrustedCI.org
Increase the NSF community’s understanding of cybersecurity for science, and advance its implementation.
Three-year project funded by NSF ACI.
34. CTSC Activities
Engagements
LIGO, SciGAP, IceCube, Pegasus, CC-NIE peer reviews, DKIST, LTERNO, DataONE, SEAD, CyberGIS, HUBzero, Globus, LSST, OOI, NEON.
Education and Training
Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects, Securing Commodity IT in Scientific CI Projects, Baseline Controls and Best Practices, Training for CI professionals.
Leadership
Organized 2013, 2014 & 2015 Cybersecurity Summits for Large Facilities and CI, vulnerability awareness, Cybersecurity for Large Facilities Manual.
35. Cybersecurity Program Guide
Baseline practices and risk management, tailored for science projects with guidance and templates.
http://trustedci.org/guide/
36. Please Join Us!
2015 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure.
August 17-19, 2015. Arlington, VA
Email lists, details and CFP coming soon at trustedci.org
37. In conclusion…
Cybersecurity for science is about managing risks for science to maximize trustworthy science.
Science itself has much to offer in the process if we can figure out how the worlds of cybersecurity and science interact.
By leveraging our specialists for training and maximum impact, we can overcome workforce constraints to make this a reality.
38. Acknowledgements
• Colleagues at CACR, CTSC, XSIM who make all this work possible.
• Mike Corn, Adam Lyon for discussions and feedback.
• Department of Energy Next-Generation Networks for Science (NGNS) program (Grant No. DE-FG02-12ER26111).
• National Science Foundation (Grant 1234408).
The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the sponsors or any organization
39. Notes
• Science Output
• Science has error management
• SUNDAR == Beautiful in Indian
• Need to clarify Science/cybersecurity risk management relationship.