Title: Journey to the Cybersecurity Framework Version 2.0
Absract: This session will focus on the journey to update the NIST Cybersecurity Framework to version 2.0 and highlight some of the significant changes. The session will also provide information on how NIST engages with stakeholders on the Cybersecurity Framework, including internationally.
Bio: Erik Deumens has a background as a researcher in computational nuclear and chemical physics. In that career he has worked on almost every supercomputer type ever built. He became a programmer and computer scientist as a side effect of computational science research. He is the designer of the super instruction architecture, an approach to computational chemistry programming that scales to multiple 10,000 cores. Since 2011 he has been the director of the Research Computing unit in IT at the University of Florida. In 2015, he was asked to take ownership and build out an environment for research on restricted data that meets requirements posed by HIPAA and ITAR, i.e. complies with NIST 800-53 moderate and 800-171, and now CMMC v2.
Bio: Dr. Rob Beverly is a Program Officer in NSF's Office of Advanced Cyberinfrastructure where he manages the office's cybersecurity research portfolio and transition efforts. Prior to the NSF, he was an Associate Professor of Computer Science at the Naval Postgraduate School where his group's research focused on network and system security and measurement.
Title: NSF HPC Cybersecurity Overview and Updates
Ashley Desgrange
Bio: Senior Information Technology Security Specialist for Bowhead Total Enterprise Solutions currently supporting the DoD High Performance Computing Modernization Program (HPCMP). Over 20 years of experience of both government and commercial IT and cybersecurity projects. Enjoys the challenging field of technology due to its ever-changing nature that it brings in terms of security. Experience and expertise is applied to guide and assist customers with sound security solutions to advance their projects and/or products.
Title: FedRAMP Overview
Abstract: The Federal Risk and Authorization Management Program (FedRAMP) facilitates the adoption of cloud computing within the federal government while ensuring security and compliance requirements are met. By utilizing a standardized and efficient process for assessing and authorizing cloud services, this allows federal agencies the ability to manage associated risks while benefiting from the use of cloud technology.
Title: Securing Frontier AI Model Weights
Title: Designing Secured MPI for HPC: Opportunities and Challenges
Rickey Gregg
Bio: Rickey Gregg is a DoD civilian from the Navy Information Warfare Center (NIWC) based in Charleston, SC. Rickey primarily supports the High Performance Computing Modernization Program (HPCMP) as the Cybersecurity Program Manager and is responsible for Risk Management Framework (RMF) implementation. Rickey has over 20 years of experience in DoD cybersecurity and risk management with a focus on non-standard security implementations supporting the RDT&E community and DoD.
Title: HPC RMF Implementation
Abstract: Security is often seen as a hindrance to RDT&E and too difficult to implement for HPC environments. This presentation will outline an overview of RMF and how it can be implemented to help support research projects and HPC users mitigate risk and maintain compliance for government projects.
Title: NIST Post-Quantum Cryptography Standardization
Abstract: Quantum computers will undermine current cryptographic defenses. This presentation introduces NIST Post-Quantum Cryptography (PQC) Standardization project. It reviews the progress made in the past seven years and provides an update on the status. The presentation highlights the importance of standardizing post-quantum cryptography and discusses strategies in achieving cybersecurity in quantum era.
Title: Monitoring HPC Security at LLNL
Abstract: A discussion on best practices for both security and operational monitoring of HPC systems. This includes security monitoring areas like baseline configurations, configuration management standards, user activity, and network behaviors, as well as operational and facility monitoring efforts that are being worked on at LLNL. Additionally, we will highlight several of the open source efforts that we are kicking off to create collaboration within the HPC community to visualize and monitor these systems.
Title: Cybersecurity Activities at PNNL
Abstract: Denial-of-Service (DoS) attacks are one of the most common and consequential cyber-attacks in computer networks. While existing research offers a plethora of detection methods, the issue of achieving scalability, a low false positive rate, and high detection accuracy remains open. In this presentation, I will discuss our DoS attack detection method, named as DoDGE. DoDGE is a differential method based on generalized entropy progression. In this method, we continuously fit the line of best fit to the entropy progression of the IP addresses and check if the derivative, that is, the slope of this line is less than the negative of the dynamically computed standard deviation of the derivatives. Furthermore, to distinguish from flash events, we leverage the symmetry that when a flash event occurs, the derivative of the entropy progression of source addresses is positive. With this design, we omit the usage of the thresholds. Our results show that DoDGE is effective in detecting attacks. After presenting DoDGE, if time permits, I will mention some of the related work we are doing at PNNL.
Title: Recent developments from the NIST HPC Security Working Group
Title: Outcomes of the Trusted CI Cybersecurity Framework HPC Cohort
Abstract: From July 2023 to December 2023, representatives of NCAR, NCSA, PSC, SDSC, and TACC composed a Trusted CI Cybersecurity Framework Cohort to review cybersecurity programs at these HPC centers and develop strategic plans for the future. This session will present the outcomes from the cohort.
Title: Prototype Pollution and Beyond: An Existential, Emerging Threat to the World Wide Web
Abstract: Prototype pollution is a relatively-new type of vulnerability specific to prototype-based languages, such as JavaScript, which allows an adversary to pollute a base object鈥檚 property, leading to further consequences such as Cross-site Scripting (XSS) and session fixation. In this talk, I am presenting our research works in the past five years, which detect and exploit prototype pollution vulnerabilities and the further consequences caused by prototype pollution across server- and client-side applications. Our works involve both static and dynamic analysis, i.e., (i) a flow- and context-sensitive JavaScript static analysis with hybrid branch-sensitivity and points-to information and (ii) a customized dynamic concolic execution engine. Our research discovered over 450 Node.js vulnerabilities with 102 CVE identifiers, 2,738 vulnerable websites, and 43 vulnerable browser extensions in total over the years.
Title: DevOps in HPC
Abstract: Over the past 5 years, Livermore Computing at LLNL has made significant strides forward in how we manage and deploy clusters and infrastructure in support of our HPC systems. We've seen migrations to newer technologies like Git and GitLab for managing code repositories (e.g. configuration management), the addition of CI/CD processes for the first time ever, and integration with new deployment approaches such as using GitLab CI + Ansible + Containers to deploy backend services. The end result is a significant improvement to the robustness of our cluster management processes, as well as quicker detection and remediation of issues and potential issues. This talk will provide an overview of these improvements, the challenges and opportunities they've provided, and outline the plans we have going forward in to the future.
Title: Player-Scalable, Fault-Tolerant Secure MultiParty Computation
Bio: Phuong Cao is a (Trusted CI) Fellow at the National Science Foundation (NSF) Cybersecurity Center of Excellence and a Research Scientist at National Center for Supercomputing Applications (NCSA). He is currently a Principal Investigator (PI), Co-PI, and personnel for several NSF, International Business Machine (IBM), and AFRL/NSA-funded awards to make supercomputers resilient and secure at NCSA and its partnering Leadership-Class Computing Facility (LCCF). He is currently serving as an editor for Frontiers journal鈥檚 special issue on Realizing Quantum Utility: Grand Challenges of Secure & Trustworthy Quantum Computing; a program committee member for the IEEE International Conference on Quantum Computing and Engineering (QCE); and a program co-chair for the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) 鈥 Industry Track. His PhD dissertation at ECE Illinois focuses on leveraging statistical tests and operator鈥檚 domain knowledge to preempt security attacks. He is a part of the VinUni-Illinois Smart Health Center working on accelerating and securing health analytics applications.
Title: Secure HPC Software Construction, Communication, and Computation: Demonstrated with Verified SciTokens, Quantum-resistant Cryptography, and Jupyter Notebook Auditing
Abstract: HPC security is being transformed by the rise of AI-driven workloads (e.g., Large Language Models), increased open network collaboration on exascale supercomputers, and the looming quantum computing threat to cryptography. These advancements, coupled with persistent threats like ransomware, misconfigurations, and inadequate encryption, pose a significant challenge to the U.S.'s leadership in developing and maintaining safe, transparent, and trustworthy cyberinfrastructure, including HPC systems and supercomputers. This talk will address these challenges by focusing on three key pillars of secure HPC systems. 1) Construction: Building verifiably correct software. We'll examine how to enhance the security of SciTokens, a critical authentication component in HPC applications, by translating its code into memory-safe languages like Rust. 2) Communication: Implementing state-of-the-art, quantum-resistant cryptography. We'll present measurements from NCSA on the adoption of quantum-resistant protocols across various network layers and protocols, such as SSH and TLS. 3) Computation: Ensuring secure collaboration among federated researchers. We'll highlight the security risks and challenges associated with Jupyter notebooks, a widely used interface for accessing HPC resources. Using a healthcare analytics case study on the Delta supercomputer, we'll demonstrate how these challenges manifest in real-world scenarios and explore potential solutions to secure HPC systems in this evolving threats.
Title: Managing HPC Security at LANL using Splunk and Nessus
Abstract: The use of different logging and security tools can lead to increased visibility of HPC assets, but it also requires time managing each of the tools. In complex environments, the time required to manage interacting with several tools for system and security personnel can become cumbersome. This time commitment can be reduced by integrating data from each logging and security tool in to a single tool. This has the added benefit of enabling correlation of data in a more automatic fashion. Once data has been integrated in to a single tool, focused interfaces can be used to allow more meaningful interaction with the data. These interfaces provide a more consistent usage experience, can be used to store stateful information about the data, and can provide controls of the underlying tool. This helps maximize productivity by minimizing the complexity of interacting with data. LANL HPC has leveraged Splunk to gather up its data and has been able to create interactive dashboards that can issue and track alerts, enable continuous security monitoring, showcase compliance status including admin input, and provide vulnerability management from reporting to requesting deviation.
Bio: Ben has been a HPC Systems engineer at NSF NCAR for close to10 years. He received BS in Computer Science from Rensselaer Polytechnic and MS in Computer Science from Univesity of Colorado at Boulder. Prior to his time at National Center for Atmospheric Research (NCAR), he was a research assistant in the Aerospace Department at University of Colorado at Boulder.
Title: Cray EX Security Experiences
Abstract: In this talk, I'll describe a series of vulnerabilities that we discovered on our Cray system during the first year of operation and our experiences with reporting and getting them fixed. I'll also present some potential mitigations and advice for avoiding similar issues as well as some general thoughts on testing and securing HPC systems.