Trustworthy Computational Science: Lessons Learned and Next Steps
Von Welch
2015 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure
August 18th, 2015
trustedci.org
wired.com
Hitting close to home...
dailyprogress.com
Any Good News?
Yes!
wired.com
twofactorauth.org
continuousassurance.org
hackingtheuniverse.com
Government and Courts increasing their role.
How does computational science navigate all of this?
The Challenge for Science Cybersecurity
Shifting landscape of threats.
Constantly changing, often insecure, technology.
Very open, collaborative environment.
Need to demonstrate value to science productivity.
No one-size-fits-all silver bullet.
Cybersecurity Program Goal
Minimize:
Cost of breaches/incidents +
Cost of cybersecurity program +
Negative impact on science productivity
Paraphrased from: “The Defender's Dilemma. Charting a Course Toward Cybersecurity” http://www.rand.org/pubs/research_reports/RR1024.html
Treat Cyberthreats as other Disaster Risks
Not “if” but “when.”
If not you, then something you count on.
Prevention, detection, response, and recovery all important.
Risk Assessment
Channeling Willie Sutton: Why do people hack computers?
Because that’s where the data is.
Understand where to focus
Know the key liabilities and assets critical to the science mission, and put the focus there.
Caution: “Our data is public” doesn’t save the day
Reputation, trust, and other “intangibles” matter.
Integrity and availability of data
Illicit use of systems
Availability of instruments
Hacktivism
Etc.
The Big Picture Cybersecurity Program
Non-critical assets. Apply baseline controls and practices.
Critical assets. Deep thinking here.
CI Threat Profile
CICI Cybersecurity Center of Excellence will develop a Threat Profile. My advice…
Think of how worst-case scenarios may arise where the public loses trust in our science products.
Focus on understanding different data categories for different science communities and their confidentiality, integrity, availability risks.
Determine key points of CI that need hardening.
Can we leverage Science’s controls?
Checks for bias, error… (a.k.a. insider threat)
Cybersecurity Resources for the NSF Community
The NSF Bro Center of Excellence
• Bro support for NSF projects & Higher-Ed
• Oct 2013 launch at Summit
• Development work for these communities
• E.g. SDN & Science DMZ is important to them (PACF)
• Research
• Can’t save 3 months of pcaps, run analysis live
• Outreach
• BroCon & NSF Cybersecurity Summit
• Partnering with CTSC & ESNet on projects
• 1-on-1 engagements
• https://www.bro.org/nsf/
Assistance Provided
Engaged communities:
• LIGO
• National Center for Atmospheric Research
• Ice Cube
• Many universities...
• Troubleshooting & Optimizing
• Cluster setups & tap/agg aren’t easy
• CPU affinity and Hyper-threading?
• Planning & reviewing designs for NSM
• Where should I tap? What are pros/cons?
• How much hardware should I start with?
• Should I design for peak or average?
Center for Trustworthy Cyberinfrastructure
trustedci.org
Cybersecurity program guide and program review
Secure software design/review
Peer review facilitation
Training, best practices, guidance
Engaged communities:
CyberGIS, DataONE, Pegasus, Globus, OOI, Gemini, HUBzero, DKIST, Ice Cube, LIGO, SciGaP, CC-NIE (Utah, PSU, Pittsburgh, Cincinnati, Oklahoma), NTF, PerfSonar...
The Community
Ask for and share program documents, advice, lessons learned, etc.
Reciprocal peer reviews of cybersecurity programs.
Use this Summit CFP to share your experiences.
Thank You
Von Welch ([email protected])
trustedci.org
@TrustedCI
We thank the National Science Foundation (grant 1234408) for supporting our work. The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the NSF.
Image credit: Thinkstock