Fourth Workshop on Trustworthy Scientific Cyberinfrastructure (TrustedCI@PEARC20)

Monday, July 27 • 8:00am - 12:00pm Pacific Time (11:00am - 3:00pm Eastern Time) (PEARC website)

Workshop Slides


The Fourth Workshop on Trustworthy Scientific Cyberinfrastructure (TrustedCI@PEARC20) provides an opportunity for sharing experiences, recommendations, and solutions for addressing cybersecurity challenges in research computing. The workshop provides a forum for information sharing and discussion among a broad range of attendees, including cyberinfrastructure operators, developers, and users.

The workshop is organized according to the following goals:

  • Increase awareness of activities and resources that support the research computing community's cybersecurity needs.

  • Share information about cybersecurity challenges, opportunities, and solutions among a broad range of participants in the research computing community.

  • Identify shared cybersecurity approaches and priorities among workshop participants through interactive discussions.

Implementing cybersecurity for open science across the diversity of scientific research projects presents a significant challenge. There is no one-size-fits-all approach to cybersecurity for open science that the research community can adopt. Even NSF Major Facilities, the largest of the NSF projects, struggle to develop effective cybersecurity programs. To address this challenge, practical approaches are needed to manage risks while providing both flexibility for project-specific adaptations and access to the necessary knowledge and human resources for implementation. This workshop brings community members together to further develop a cybersecurity ecosystem, formed of people, practical knowledge, processes, and cyberinfrastructure, that enables research projects to both manage cybersecurity risks and produce trustworthy science.

Topics of interest for the workshop include but are not limited to:

  • cybersecurity program development for NSF projects and facilities

  • risk assessment results from NSF projects and facilities

  • identity and access management solutions for NSF projects and facilities

  • security challenges/experiences/solutions for science gateways

  • transition to practice of cybersecurity research

  • secure software development practices/experiences for research computing

  • developing compliance programs for research on campus

  • incident response lessons learned in the research computing community

  • new or emerging cybersecurity technologies applicable to research computing

  • cybersecurity outreach, education, and training

  • cybersecurity workforce development

Program Committee

Jim Basney (NCSA)
Kathy Benninger (PSC)
Dana Brunson (Internet2)
Barton Miller (UW-Madison)
Sean Peisert (LBNL)
Von Welch (Indiana University)

About the Workshop Series

This is the fourth workshop in the series. The workshop has been held previously at PEARC17, PEARC18, and PEARC19. There were 48 attendees at the workshop last year. Please visit https://trustedci.org/workshops for materials from prior workshops.

Workshop Schedule & Abstracts

Monday, July 27th 2020

8:00 am Pacific / 11:00 am Eastern
Community Survey Results from the Trustworthy Data Working Group

Presenters: Jim Basney, NCSA / Trusted CI; Jeannette Dopheide, NCSA / Trusted CI; Kay Avila, NCSA / Trusted CI; Florence Hudson, Northeast Big Data Innovation Hub / Trusted CI

Abstract: The Trustworthy Data Working Group is a collaborative effort of Trusted CI, the four NSF Big Data Innovation Hubs, the NSF CI CoE Pilot, the Ostrom Workshop on Data Management and Information Governance, the NSF Engagement and Performance Operations Center (EPOC), the Indiana Geological and Water Survey, the Open Storage Network, and other interested community members. The goal of the working group is to understand scientific data security concerns and provide guidance on ensuring the trustworthiness of data.

The working group recently completed an online survey of scientific researchers and the cyberinfrastructure professionals who support them on the topic of scientific data security concerns and practices. Representatives of the working group will present an analysis of the 111 responses received, including common themes identified in the responses, and they will discuss next steps for the working group in identifying sources of useful community guidance on the themes identified in the survey responses.

8:30 am Pacific / 11:30 am Eastern
Characterization and Modeling of Error Resilience in HPC Applications

Presenter: Luanzheng Guo, University of California-Merced

Abstract: As supercomputers continue to increase computational power and size, next-generation HPC systems are expected to incur a much higher failure rate than contemporary systems. Transient faults caused by high-energy particle strikes, wear-out, etc. are becoming a critical contributor to in-field system failures. Transient faults can lead to Silent Data Corruption (SDC), which can impact scientific results without users realizing it. Thus, how to ensure scientific computing integrity in the presence of faults remains one of the grand challenges for large-scale HPC systems. In this talk, I will present and introduce how we understand natural error resilience in HPC applications, and how we characterize and model application resilience on data objects.

9:00 am Pacific / 12:00 pm Eastern
Trusted CI Fellows Panel

Moderator: Dana Brunson, Internet2
Panelists: Jerry Perez, University of Texas at Dallas; Laura Christopherson, Renaissance Computing Institute; Luanzheng Guo, University of California, Merced; Songjie Wang, University of Missouri; Smriti Bhatt, Texas A&M University - San Antonio; Tonya Davis, Alabama A&M University

Abstract: This panel will give all six of the 2020 Trusted CI fellows the opportunity to briefly present what they have learned about cybersecurity in the context of their respective disciplines. A 30-minute slot is requested to give a brief overview of the program by the moderator, followed by a 3-minute presentation by each fellow, leaving 10 minutes for Q&A and discussion. The Trusted CI Fellows program seeks to empower members of the scientific community with basic knowledge of cybersecurity and an understanding of Trusted CI’s services, and then have them serve as cybersecurity liaisons to their respective communities. The Trusted CI Fellows program will establish and support a network of Fellows with diversity in both geography and scientific discipline. These fellows will have access to training and other resources to foster their professional development in cybersecurity. In exchange, they will champion cybersecurity for science in their scientific and geographic communities, and communicate challenges and successful practices to Trusted CI.

9:30 - 10:30 am Pacific / 12:30 pm - 1:30 pm Eastern ***Break/Lunch***

10:30 am Pacific / 1:30 pm Eastern
Analysis of attacks targeting remote workers and scientific computing infrastructure during the COVID19 pandemic at NCSA/UIUC

Presenters: Phuong Cao, NCSA / University of Illinois at Urbana-Champaign; Yuming Wu, Coordinated Science Laboratory / University of Illinois at Urbana-Champaign; Satvik Kulkarni, University of Illinois at Urbana-Champaign; Alex Withers, NCSA / University of Illinois at Urbana-Champaign; Chris Clausen, NCSA / University of Illinois at Urbana-Champaign

Abstract: The goal of this project is to understand the latest attack techniques targeting computing infrastructure at the National Center for Supercomputing Applications at the University of Illinois. The significance of this project is to protect our remote workforce: most if not all of the workforce have been working from home during the COVID19 pandemic and need to access CI remotely on a daily basis.

The reason we started this project was that we observed an uptick of attack activities targeting Remote Desktop Protocols (port 3389) and SSH protocols (port 22). Our project will present analyses of the Bro/Zeek logs of those protocols. For example, there were a total of 541,299 RDP attack attempts (Jan-May 2020) targeting NCSA internal web servers. Interestingly, many of those attacks were traced back to cloud providers, e.g., Aruba cloud in Italy, Azure cloud in Seoul, Alibaba cloud in China, that gave away computing credit for attackers to abuse and hide their original IP. These abusive IP addresses can be fed back to the Black Hole Router at the border of the campus network to further block the attackers.

Our observation is consistent with some of the recent warnings of the FBI on attacks targeting research infrastructure in the U.S. We hope we can uncover some new insights that complement existing warnings of those attacks and present them during the PEARC workshop.

11:00 am Pacific / 2:00 pm Eastern
Regulated Data Security and Privacy: DFARS/CUI, CMMC, HIPAA, and GDPR

Presenters: Erik Deumens, University of Florida; Gabriella Perez, University of Iowa; Anurag Shankar, Indiana University

Abstract: Growing cyber threats are forcing sponsors, both government and otherwise, to ask research institutions, often hard pressed for resources, to comply with challenging new cybersecurity rules and regulations. There has been a slow but welcome accumulation of peers and expertise in this area in the last few years; however, comprehensive sources of information are still lacking. This presentation is designed to fill this gap. Aimed at helping those new to the world of compliance as well as practitioners, it will cover the primary security and privacy compliance regimes that affect US research, provide tips on how to use effective risk management to tackle them, identify existing resources that can help with compliance, provide a forum to connect with peers, and provide the latest compliance news and updates.

11:30 am Pacific / 2:30 pm Eastern
Securing Science Gateways with Custos Services

Presenters: Marlon Pierce, Indiana University; Enis Afgan, Johns Hopkins University; Suresh Marru, Indiana University; Isuru Ranawaka, Indiana University; Juleen Graham, Johns Hopkins University

Abstract: Science gateways support hundreds of thousands of users across the world, enabling reproducible online scientific computational experimentation, data access, and data analysis. Exemplified by the recent cyber-attacks on HPC systems in Europe, science gateways are potentially high-value targets for cybersecurity attacks through multiple attack surfaces, including user identity and password management, group membership and authorization, and access to secrets such as access tokens, keys, and other mechanisms used to access remote resources such as high performance and cloud computing resources. Such attacks may, for example, lead to compromised user passwords and SSH keys, unauthorized access to data, and inappropriate use of resources. More broadly, science gateways need security to remain viable and trusted resources for scientific research: users must trust gateways with their identities and scientific research, and resource providers must trust gateways to securely broker authorized access.

To address these issues, we introduce the Custos security services for science gateways. The Custos project is funded by the NSF to develop open-source software that can provide science gateways with user management, group management, access control, and secrets management for access to remote resources. The Custos team combines the expertise of the Apache Airavata science gateway middleware project, the CILogon project’s expertise in federated identity management, and the Galaxy Project’s worldwide community of science gateways in multiple fields of research. As an open source-licensed project, Custos provides transparent implementations of its capabilities, and developers can contribute to the code base.

As a centrally operated service, Custos leverages modern microservice and service mesh approaches to provide fault-tolerant, highly scalable services that can securely serve multiple science gateway tenants simultaneously. Custos clients are included in the Galaxy project’s software release and are in the process of being enabled on major public Galaxy servers.

In this presentation, we will review the security requirements for science gateways, discuss the Custos implementation, describe the Galaxy integration and use cases, and review incident response plans and other operational aspects of running the operated Custos service.