trustworthy computational science: a multi-decade perspective
TRANSCRIPT
A Multi-decade Perspective!
Trustworthy Computational Science!
Von Welch!Indiana University!
Director, CACR!April 15, 2015!
About the Center for Applied Cybersecurity Research • Interdisciplinary applied research into cybersecurity.
• Bridge cybersecurity research and prac7ce across Indiana University.
• Externally facing, with projects funded by NSF, DOE, DHS, …
• Part of Pervasive Technology Ins7tute.
2
My talk: Cybersecurity and Science • The rise of scien7fic compu7ng. • Cybersecurity as risk management. • What are the risks to science? • What can science teach cybersecurity? • PuOng it all together. • How put this into prac7ce?
3
The “Good Old Days” Scientists were employees or students – physically co-located.
Image credit: Wikipedia
4
Then remote access… Scientists start being remote from the computers. But still affiliated with computing centers.
Image credit: All About Apple Museum Creative Commons Attribution-Share Alike 2.5 Italy
5
Growth of the scientific collaboration Number of scientists, institutions, resources. Large, expensive, rare/unique instruments. Increasing amounts of data.
Image credit: Ian Bird/CERN
6
Cyberinfrastructure!
Scientific Community!
Multiple Universities
and/or Research
Orgs!
Regional R&E and
Commercial Services!
Open Source and Scientific
Software!
R&E Networks,!
IRNCs,!Science DMZs!
…
The “Science Stack”
7
Cyberinfrastructure
PCs/Mobile
HPC
HTC
HPSS
Instruments
Science Data
Servers
Portals
Commodity Unique
Satellite Links
HPN
Science DMZ Cloud
Data Subjects
8
What is the Goal of Cybersecurity for Science?
9
Cybersecurity Historically!
Firewalls, IDS, encryption, logs, passwords, etc.!
!Not inspirational
to the science community "
(or many others).!
10
Contemporary Cybersecurity!
Cybersecurity supports the
organization’s mission by
managing risks to science.!
11
Maximizing Trustworthy Science
Trustworthy Science Output
Too much risk
Too little Science
Security
12
What are the risks to Science?
13
?
Trustworthy Science!
Integrity of data and computation are critical to
maintaining the trust of scientists and the public in CI.!
!Perception of integrity is often
just as important as reality.!!
14
Do No Harm!Cyberinfrastructure
represents some impressive cyber-
facilities.!!
Being used as a tool to harm others would be
very damaging to one’s reputation.
15
Collaboration is key to science. "
"Trust is key to collaboration.!
16
Identity Matters to Science…!
Scott Koranda/LIGO -‐ Oct’11
17
Specific Concerns!
Many science domains, communities, and
projects have particular concerns.!
!The risks related to
confidentiality, integrity, and
availability vary greatly, and go by their
own nomenclature.!
18
Cyberinfrastructure!
Scientific Community!
Multiple Universities
and/or Research
Orgs!
Regional R&E and
Commercial Services!
Open Source and Scientific
Software!
R&E Networks,!
IRNCs,!Science DMZs!
…
How do we manage these Risks?
19
Leverage services when possible • Leverage cybersecurity in these services. • Save effort for science-‐specific challenges. • Challenge: Quan7fy and manage residual risks from those services.
Multiple Universities
and/or Research
Orgs!
Regional R&E and
Commercial Services!
Open Source and Scientific
Software!
R&E Networks,!
IRNCs,!Science DMZs!
…
20
Commodity IT • Use baseline cybersecurity prac7ces from NIST and others. E.g. hXp://trustedci.org/guide/docs/commodityIT
21
Commodity IT
Unique IT/Instruments/Data/etc.
• Must understand and manage risk
• A custom task – can be helped with resources E.g. hXp://trustedci.org/guide/
22
Unique Assets
What about the Science itself?
• The mission we are ul7mately suppor7ng. • A source of risks.
But is that all?
Scientific Community!
23
Science Manages Risks as Well
• Biases • Errors
24
http://www.ligo.org/news/blind-injection.php
http://cms.web.cern.ch/news/blinding-and-unblinding-analyses
25
https://theoreticalecology.wordpress.com/2012/06/22/statistical-analysis-with-blinded-data-a-way-to-go-for-ecology/
Bias: The Ultimate Insider Threat • “Insider Threat” – dealing with risks that originate from inside the organiza7on.
• Science has been dealing with the risk of bias for a long 7me.
• Mature science projects bring a lot of risk management around bias that should be leveraged by cybersecurity.
• What is the residual risk in computa7onal science a^er bias management?
26
27
Cyberinfrastructure!
Scientific Community!
Multiple Universities
and/or Research
Orgs!
Regional R&E and
Commercial Services!
Open Source and Scientific
Software!
R&E Networks,!
IRNCs,!Science DMZs!
…
Putting it all together…
Leverage science processes, understand risks.
Baseline controls, risk management.
Leverage services and cybersecurity to conserve effort, understand and manage residual risks.
28
How do we put this into practice?
29
http://science.energy.gov/~/media/ascr/ascac/pdf/charges/ASCAC_Workforce_Letter_Report.pdf
DOE Advanced ScientiPic Computing Advisory Committee Workforce Subcommittee Letter
“In par7cular, the findings reveal that: All large DOE na7onal laboratories face workforce recruitment and reten7on challenges in the fields within Compu7ng Sciences that are relevant to their mission (…), including Algorithms (both numerical and non-‐numerical); Applied Mathema7cs; Data Analysis, Management and Visualiza7on; Cybersecurity; So^ware Engineering and High Performance So^ware Environments; and High Performance Computer Systems.“
30
http://blog.ted.com/bridging-the-gulf-in-mental-health-care-vikram-patel-at-tedglobal2012/
Maximizing Limited Expertise
31
SUNDAR • Simplify the message • UNpack the treatment • Deliver it where people are • Affordable and available human resources • Realloca7on of specialists to train and supervise
32
Center for Trustworthy Scientific Cyberinfrastructure"
TrustedCI.org!!
Increase the NSF community’s understanding of cybersecurity for science, and advance its
implementation.!
Three-year project funded by NSF ACI.!
33
CTSC Activities!
Engagements!LIGO, SciGAP, IceCube, Pegasus, CC-NIE peer reviews, DKIST, LTERNO, DataONE, SEAD, CyberGIS, HUBzero, Globus, LSST, OOI, NEON.!
Education and Training!Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects, Securing Commodity IT in Scientific CI Projects, Baseline Controls and Best Practices, Training for CI professionals.!
Leadership!Organized 2013, 2014 & 2015 Cybersecurity Summits for Large Facilities and CI, vulnerability awareness, Cybersecurity for Large Facilities Manual.!
34
Cybersecurity Program Guide!
Baseline prac7ces and risk management, tailored for science projects with guidance and templates.
http://trustedci.org/guide/
35
Please Join Us!!
!2015 NSF Cybersecurity Summit for !
Large Facilities and Cyberinfrastructure.!August 17-19, 2015. Arlington, VA!
!!
Email lists, details and CFP coming soon at trustedci.org!
36
In conclusion…!
Cybersecurity for science is about managing risks for science to maximize trustworthy science. Science itself has much to offer in the process if we can figure out how the worlds of cybersecurity and science interact. By leveraging our specialists for training and maximum impact, we can overcome workforce constraints to make this a reality.
37
Acknowledgements • Colleagues at CACR, CTSC, XSIM who make all this
work possible. • Mike Corn, Adam Lyon for discussions and feedback. • Department of Energy Next-‐Genera7on Networks for
Science (NGNS) program (Grant No. DE-‐FG02-‐12ER26111).
• Na7onal Science Founda7on (Grant 1234408).
The views and conclusions contained herein are those of the author and should not be interpreted as necessarily represen7ng the official policies or endorsements,
either expressed or implied, of the sponsors or any organiza7on
38
Notes • Science Output • Science has error management • SUNDAR == Beau7ful in Indian • Need to clarify Science/cybersecurity risk management rela7onship.
39