SC21: Addressing Cybersecurity Standards / Policies in HPC Environments

Ian Lee
November 17, 2021

Applying security standards, configurations and policies originally designed for servers or workstations to something as functionally different as a supercomputing cluster can be a frustrating task. With rigorous interpretation, such efforts often present obstacles to approving a “functional” system, typically paint an inaccurate picture of the actual security posture of a given cluster, and always seem to involve large-scale exceptions to address misapplication. This meeting will consist of short presentations from three Department of Energy HPC centers, each representing a unique perspective on methods used to meet a set of cybersecurity requirements in order to deliver mission-critical systems.

  1. LLNL-PRES-829250
    This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC
    Addressing Cybersecurity Standards / Policies in HPC Environments
    SC21: Birds of a Feather
    Ian Lee

  2. Tri-Lab Operating System Stack (TOSS)
    - A common operating system and computing environment for HPC clusters
      - Based on RHEL operating system
      - Modified RHEL Kernel
    - Methodology for building, quality assurance, integration, and configuration management
    - Add in customization for HPC specific needs
      - Consistent source and software across architectures: Intel, PowerPC, and ARM
      - High speed interconnect
      - Very large filesystems

  3. Security Baseline
    - Security requirements often quite prescriptive
      - STIG > CIS Benchmark > Vendor Guideline > generic NIST 800-53 controls
    - Developing a STIG for the TOSS operating system with DISA (Work in Progress!)
      - Largely based on the STIG for RHEL 8, from which TOSS 4 is derived
      - Small tweaks: adjust some DoD-specific language to make it compatible with other government agencies
      - Larger requests: no explicit allow-listing of software on TOSS, being a software development OS
      - HPC specific: RHEL STIG says 10 concurrent sessions for DoS reasons, TOSS STIG proposed 256

  4. Security Dashboards – Operational and Compliance

  5. Disclaimer
    This document was prepared as an account of work sponsored by an agency of the United States government. Neither the United
    States government nor Lawrence Livermore National Security, LLC, nor any of their employees makes any warranty, expressed or
    implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus,
    product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific
    commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or
    imply its endorsement, recommendation, or favoring by the United States government or Lawrence Livermore National Security, LLC.
    The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States government or
    Lawrence Livermore National Security, LLC, and shall not be used for advertising or product endorsement purposes.
    Thank you!
    Looking forward to the discussion coming up.
    See you at: [email protected]