SlideShare uma empresa Scribd logo
1 de 3
Baixar para ler offline
UPDATE ON THE CERN
    COMPUTING AND NETWORK INFRASTRUCTURE FOR CONTROLS
                          (CNIC)
                       S. Lüders on behalf of the CNIC WG, CERN, Geneva, Switzerland

Abstract                                                            However, some means of security incorporated into
                                                                    standard IT equipment cannot be directly applied to
   Over the last few years modern accelerator and
                                                                    controls equipment since both differ in hardware but also
experiment control systems have increasingly been based
                                                                    in the concepts of availability and manageability.
on commercial-off-the-shelf products (VME crates, PLCs,
                                                                       At CERN, control systems are used for the operation of
SCADA systems, etc.), on Windows or Linux PCs, and on
                                                                    the whole accelerator complex, including the Large
communication infrastructures using Ethernet and TCP/IP.
                                                                    Hadron Collider (LHC), for the LHC experiments, as well
Despite the benefits coming with this (r)evolution, new
                                                                    as for the technical infrastructure (e.g. electricity, cooling
vulnerabilities are inherited too: Worms and viruses
                                                                    & ventilation) and for fixed-target experiments.
spread within seconds via the Ethernet cable, and
                                                                       In order to cope with the growing usage of standard IT
attackers are becoming interested in control systems.
                                                                    technologies in control systems at CERN, the
Unfortunately, control PCs cannot be patched as fast as
                                                                    corresponding operation principles have been reviewed
office PCs. Even worse, vulnerability scans at CERN
                                                                    taking the aspect of security into account. This paper will
using standard IT tools have shown that commercial
                                                                    give an update on the implementation of the Security
automation systems lack fundamental security
                                                                    Policy presented by the CERN Computing and Network
precautions: Some systems crashed during the scan,
                                                                    Infrastructure for Controls (CNIC) working group two
others could easily be stopped or their process data be
                                                                    years ago [2].
altered [1]. During the two years following the
presentation of the CNIC Security Policy at
                                                                               CNIC SECURITY POLICY
ICALEPCS2005 [2], a “Defense-in-Depth” approach has
been applied to protect CERN’s control systems. This                  The CNIC Security Policy gives directions on how to
presentation will give a review of its thorough                     secure CERN control systems. It is necessary to reduce
implementation and its deployment. Particularly,                    the overall risk to a minimum in order to obtain maximum
measures to secure the controls network and tools for               security, where “risk” is defined as:
user-driven management of Windows and Linux control
PCs will be discussed.                                                Risk = Threat × Vulnerability × Consequence
                    INTRODUCTION                                      The major part of the factor “threat” originates from
   The     enormous     growth     of     the     worldwide         outside CERN and cannot be significantly reduced. Thus,
interconnectivity of computing devices (the “Internet”)             protective measures have to be implemented to prevent
during the last decade offers computer users new means              external threats like viruses & worms or attackers
to share and distribute information and data. In industry,          penetrating CERN control systems. These protective
this results in an adoption of modern Information                   measures should also prevent insiders from (deliberate or
Technologies (IT) to their plants and, subsequently, in an          accidental) unauthorized access.
increasing integration of the production facilities, i.e. their       The “consequences” are inherent to the design of
process control and automation systems, and the data                CERN’s accelerators and the affiliated experiments. All
warehouses. Thus, information from the factory floor is             are running a wide variety of control systems, some of
now directly available at the management level (“From               them complex, some of them dealing with personnel
Shop-Floor to Top-Floor”) and can be manipulated from               safety, some of them controlling or protecting very
there.                                                              expensive or irreplaceable equipment. Thus, CERN’s
   Unfortunately, the adoption of standard modern IT in             assets and their proper operation are at stake. A security
distributed process control and automation systems* also            incident can lead to loss of beam time and physics data, or
exposes their inherent vulnerabilities to the world [1].            — even worse — damage to or destruction of unique
Furthermore, this world is by far more hostile than a local         equipment and hardware.
private controls network as the number and power of                   The “vulnerability” factor can be either minimized by
worms and viruses increase, and attackers start to become           guaranteeing a prompt fixing of published or known
interested in control systems. Partial protection can be            vulnerabilities, and/or by adding pro-active measures to
obtained through the usage of properly configured                   secure the unknown, potential or not-fixable
firewalls and through well-defined network architectures.           vulnerabilities.
                                                                      In order to protect such vulnerabilities against being
*
                                                                    exploited (either because there is no patch available or a
  Commonly denoted in the following as “control systems”, where a
“system expert” has the expertise in its configuration.             patch could not be applied), the Security Policy follows
the recommendations of the U.K. CPNI [3]. It is based on       configuration of the PCs of his system ― and full
a “Defense-in-Depth” approach, where pro-active security       responsibility for securing it. Such a scheme will also
measures must be applied to every possible level:              help the expert to recover e.g. from a security incident.
   • …of the security of the device itself;                      Schemes for the central installation of CERN Scientific
                                                               Linux and of Windows, respectively, have been created.
   • …of the firmware and operating system;
   • …of the network connections & protocols;
                                                               Linux For Controls (L4C)
   • …of the software applications;
                                                                  L4C is based on a bottom-up approach to the
   • …of third party software;
                                                               configuration of the PCs in a hierarchical manner, and
   • …together with users, developers, and operators.
                                                               uses the same techniques having proven to be successful
   “Defense-in-Depth” is, thus, based on four major
                                                               for managing Linux clusters in the CERN Computing
pillars: “Network Security”, “Central Installation
                                                               Centre, i.e. using Quattor (http://quattor.web.cern.ch) for
Schemes”, “Authorization & Authentication”, and “User
                                                               configuring PCs (“the nodes”). Settings that are specific
Training”.
                                                               to a node are defined in so-called “node templates”. The
   However, sufficient protection should not provide false
                                                               individual nodes join sets of PCs with a common
security. Incidents will happen. Therefore, the Security
                                                               configuration. These sets in turn can join super-sets. L4C
Policy also defines rules to deal with “Incident Response
                                                               supports CERN Scientific Linux 3 and 4, including all
& System Recovery”, as well as with regular security
                                                               regular security updates and enhancements. Basic
audits. The next chapters will outline the major
                                                               templates are maintained by L4C support, all other
implementations in detail.
                                                               templates by the system experts allowing him full
                                                               flexibility. The templates can be hosted in central or user
             NETWORK SECURITY                                  owned configuration databases (CDBs).
   In order to contain and control the network traffic, the       The Linux installation of a PC from scratch uses
CERN network has been separated into defined “Network          CERN’s “Automated Installation Management System”
Domains”. For example, each of the LHC experiments is          (AIMS) service and is based on RedHat’s “Kickstart”
now using such a dedicated Domain. CERN’s accelerator          software. Booting a Linux PC via the network using PXE
complex and the control systems which monitor and              Boot (Preboot Execution Environment) pulls the
control the technical infrastructure (e.g. electricity         “Kickstart” and configuration profile from the CDB.
distribution, cooling & ventilation, facility management       From this information, Quattor is able to perform a full
as well as safety and access control systems) use another.     automatic installation.
“Domain Administrators” were assigned to take full                From here, the CDB informs a node about any new
responsibility for a Domain. In particular, they supervise     changes in the configuration profile. Triggered by CDB, a
the stringent rules for connecting devices to it. Additional   local daemon then downloads the modified profile and
network segregation allows a system expert further to          subsequently applies the changes. For each node in the
protect vulnerable devices like Programmable Logic             CDB, a webpage shows the names, versions, hardware
Controllers (PLCs).                                            architecture and the repository from which all the
   Each Domain is interconnected with CERN’s “General          packages for a node are to be installed. However, in order
Purpose Network” used for office computing, and other          to verify that all packages are installed as foreseen the
Domains via dedicated network routers. The traffic             system expert has to log onto that node.
crossing any two Domains is restricted to a minimum by
                                                               Computer Management Framework (CMF)
the usage of routing tables, with only mandatory traffic
passing such boundaries. A large fraction of this traffic is      CMF [4], on the other hand, has implemented a top-
either dedicated data exchange with CERN’s Computing           down structure, focussing on sets of PCs with a defined
Centre, or currently inevitable due to the ongoing             configuration. The installation of PCs is handled through
commissioning of the LHC accelerator.                          a top-down tree of so-called “Named Sets of Computers”
   Windows Terminal Servers (WTS), and to a lesser             (NSCs). Each NSC assigns a list of applications to its
extent Linux-based application gateways, have become           members, where these members can be individual PCs or
the only means for remote user access.                         other, nested NSCs. A PC that is member of different
                                                               NSCs will receive the applications from any of them.
  CENTRAL INSTALLATION SCHEMES                                 CMF is taking care of clashes. Depending on the type of
                                                               NSC, the administrator of the NSC, i.e. the system expert
  From experience at CERN, only centrally managed and
                                                               who maintains that NSC, has full autonomy of his
patched PCs have shown to be secure in the long run.
                                                               configuration (“locally managed”), or CERN’s IT
However, since control PCs are very different in handling
                                                               department is still providing a basic configuration (i.e.
than office PCs, a more flexible installation and
                                                               that of an office PC), and takes care of patches.
management scheme was needed. While the operating
                                                                  A long list of basic applications has been provided as
systems, antivirus software, and basic software
                                                               CMF “packages”. Packages can be applications but also
applications should continue to be managed and
                                                               group policy settings, regular scheduled tasks, or Visual
maintained by the IT service providers, it is up to the
                                                               Basic scripts. NSC administrators can easily create
system expert to take over full flexibility of the
additional packages using the CMF web-interface and              dependent upon and/or whose responsibility it is to
simple scripting. The installation of a package can be           improve the security of SCADA and Control Systems.
either forced (“applied”), such that it is installed
automatically after a small notification period, “denied”,                  INCIDENT RESPONSE &
such that it cannot be installed at all, or offered                           SYSTEM RECOVERY
(“published”) to the interactive user. In the latter case, the
                                                                   Even with a stringent Security Policy incidents can
interactive user can use the CMF web-interface to
                                                                 never be prevented completely. Therefore, handling
select/deselect packages he wants to install/de-install.
                                                                 incidents on a Domain have been and will be jointly
   The installation of these packages is controlled via a
                                                                 performed by CERN’s Computer Security Team and the
small local program (the “CMF Agent”), being installed
                                                                 corresponding Domain Administrator. The acting
on every CMF Windows PC. It handles all pending
                                                                 Computer Security Officer has the right to take
(de)installation tasks, interacts with the user, and
                                                                 appropriate actions in justified emergency cases.
performs regular inventory checks which are passed back
                                                                   After incident analysis, the central installation schemes
to a central CMF configuration management database.
                                                                 CMF and L4C allow for a rapid system recovery by the
   The initial installation from scratch is based on the
                                                                 corresponding system expert.
Windows pre-installation environment and PXE Boot.
The preferred operating system (Windows XP SP2 or
                                                                                      SUMMARY
Windows 2003 terminal server) can either be chosen from
a list, or predefined for automatic installation on the CMF        Due to the continuing integration of common IT
web-interface. After the operating system has been               technology into control systems, the corresponding IT
installed, the CMF Agent controls the subsequent                 security vulnerabilities and cyber-attackers end up
installation of all packages being applied to that particular    threatening control systems, and, thus, CERN’s operation
PC.                                                              and assets. However, control systems demand a different
   With PXE Boot and the proper configuration of his             approach to security than office systems do.
NSCs, the system expert has full liberty to install sets of        This paper has presented a thorough rule-set to secure
PCs in parallel or to run pilot installations prior to mass      CERN’s control systems. Its implementation uses a
deployment. CMF ensures that all members of a NSC are            “Defense-in-Depth” approach based on network
identically configured, and that corrections or                  segregation, central installation schemes, authentication &
modifications are propagated accordingly. The                    authorization, user training, incident response & system
configuration database provides always an up-to-date             recovery, and security auditing.
status (e.g. PC hardware, operating system version, patch
levels, installed applications and their versions) via the                   ACKNOWLEGDMENTS
CMF web-page. Queries can be run to assess a particular
                                                                   The author would like to thank all his colleagues at
situation (e.g. listing all PCs missing patch XYZ).
                                                                 CERN involved in the realization of CNIC making it such
                                                                 a success; in particular A. Bland, P. Charrue, I. Deloose,
AUTHENTICATION & AUTHORIZATION                                   M. Dobson, U. Epting, N. Høimyr, S. Poulsen, and M.
  Several dedicated authentication & authorization               Schröder.
schemes have been developed at CERN serving the
accelerator complex [5] and LHC experiments [6]. These                              REFERENCES
are based mainly on general standards like Role-Based
                                                                 [1] S. Lüders, “Control Systems Under Attack ?”,
Access Control [5] or on commercial solutions [6].
                                                                     ICALEPCS, Geneva, October 2005.
Details can be found in these proceedings [5][6].
                                                                 [2] U. Epting et al., “Computing and Network
  Major challenges still to be overcome are the
                                                                     Infrastructure for Controls”, ICALEPCS, Geneva,
generalization to one common central scheme at CERN.
                                                                     October 2005.
                                                                 [3] Centre for the Protection of the National
                  USER TRAINING                                      Infrastructure (CPNI), “Good Practice Guidelines
  A series of awareness campaigns and training sessions              Parts 1-7”, London, 2006.
have been held for users, operators, and system experts at       [4] I. Deloose, “The Evolution of Managing Windows
CERN. Monthly CNIC meetings provide a forum for                      Computers at CERN”, HEPix, Rome, April 2006.
questions and discussions.                                       [5] S. Gysin et al., “Role-Based Access Control for the
  Furthermore, CERN has raised aspects of Control                    Accelerator Control System at CERN”; K. Kostro et
System Cyber Security at several conferences and                     al., “Role-Based Authorization in Equipment Access
workshops (e.g. at the CS2/HEP workshop [7]), interacted             at CERN”; and A. Petrov et al., “User Authentication
with major vendors of control systems, and is now                    for Role-Based Access Control”, these proceedings.
leading the “EuroSCSIE”, the European Information                [6] P. Chocula, “Cyber Security in ALICE”, these
Exchange on SCADA (Supervisory Control And Data                      proceedings.
Acquisition) Security, with members from European                [7] S. Lüders, “Summary of the Control System Cyber-
governments, industry, and research institutions that are            Security CS2/HEP Workshop”, these proceedings.

Mais conteúdo relacionado

Mais procurados

Cyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control SystemsCyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control SystemsIJEACS
 
3778975074 january march 2015 1
3778975074 january march 2015 13778975074 january march 2015 1
3778975074 january march 2015 1nicfs
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)Ivan Carmona
 
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...Power System Operation
 
20090106c Presentation Custom
20090106c   Presentation   Custom20090106c   Presentation   Custom
20090106c Presentation Customgkelley
 
Review on Honeypot Security
Review on Honeypot SecurityReview on Honeypot Security
Review on Honeypot SecurityIRJET Journal
 
IRJET- Data Security in Local Network for Mobile using Distributed Firewalls
IRJET- Data Security in Local Network for Mobile using Distributed FirewallsIRJET- Data Security in Local Network for Mobile using Distributed Firewalls
IRJET- Data Security in Local Network for Mobile using Distributed FirewallsIRJET Journal
 
IRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A ReviewIRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A ReviewIRJET Journal
 
Security in embedded systems
Security in embedded systemsSecurity in embedded systems
Security in embedded systemsRaghav S
 
Bryan Singer S4 Presentation
Bryan Singer   S4 PresentationBryan Singer   S4 Presentation
Bryan Singer S4 Presentationbsinger74
 
Ccna security prep from networkers
Ccna security prep from networkersCcna security prep from networkers
Ccna security prep from networkersIvana Veljkovic
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...Area41
 
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)sequi_inc
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacksUltraUploader
 

Mais procurados (20)

50120140501013
5012014050101350120140501013
50120140501013
 
Cyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control SystemsCyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control Systems
 
3778975074 january march 2015 1
3778975074 january march 2015 13778975074 january march 2015 1
3778975074 january march 2015 1
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
Review of network diagram
Review of network diagramReview of network diagram
Review of network diagram
 
RF_NEC
RF_NECRF_NEC
RF_NEC
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
 
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
 
20090106c Presentation Custom
20090106c   Presentation   Custom20090106c   Presentation   Custom
20090106c Presentation Custom
 
Review on Honeypot Security
Review on Honeypot SecurityReview on Honeypot Security
Review on Honeypot Security
 
IRJET- Data Security in Local Network for Mobile using Distributed Firewalls
IRJET- Data Security in Local Network for Mobile using Distributed FirewallsIRJET- Data Security in Local Network for Mobile using Distributed Firewalls
IRJET- Data Security in Local Network for Mobile using Distributed Firewalls
 
IRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A ReviewIRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A Review
 
ZONeSEC in ERNCIP
ZONeSEC in ERNCIPZONeSEC in ERNCIP
ZONeSEC in ERNCIP
 
Security in embedded systems
Security in embedded systemsSecurity in embedded systems
Security in embedded systems
 
Bryan Singer S4 Presentation
Bryan Singer   S4 PresentationBryan Singer   S4 Presentation
Bryan Singer S4 Presentation
 
Zonesec_ares
Zonesec_aresZonesec_ares
Zonesec_ares
 
Ccna security prep from networkers
Ccna security prep from networkersCcna security prep from networkers
Ccna security prep from networkers
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
 
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacks
 

Destaque (8)

Möten elever högstadiet Tofta
Möten elever högstadiet ToftaMöten elever högstadiet Tofta
Möten elever högstadiet Tofta
 
Viva El Carnaval
Viva El CarnavalViva El Carnaval
Viva El Carnaval
 
B08 C36c 19 Diapo Salles En
B08 C36c 19 Diapo Salles EnB08 C36c 19 Diapo Salles En
B08 C36c 19 Diapo Salles En
 
SCSE_seating plan_c1_slot
SCSE_seating plan_c1_slotSCSE_seating plan_c1_slot
SCSE_seating plan_c1_slot
 
Juego hable de..
Juego hable de..Juego hable de..
Juego hable de..
 
Ticket share mvp demo
Ticket share mvp demoTicket share mvp demo
Ticket share mvp demo
 
40 blz De Levenssteen
40 blz De Levenssteen40 blz De Levenssteen
40 blz De Levenssteen
 
Big Data
Big DataBig Data
Big Data
 

Semelhante a Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic). S. LüDers On Behalf Of The Cnic Wg, Cern, Geneva, Switzerland.

Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetIvan Carmona
 
Tech trendnotes
Tech trendnotesTech trendnotes
Tech trendnotesStudying
 
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)Byres Security Inc.
 
Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilitiesNirmal Thaliyil
 
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical UtilitiesNetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical UtilitiesCoreTrace Corporation
 
Operational Technology Security Solution for Utilities
Operational Technology Security Solution for UtilitiesOperational Technology Security Solution for Utilities
Operational Technology Security Solution for UtilitiesKrishna Chennareddy
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureFiras Alsayied
 
New Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data CentersNew Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data CentersIben Rodriguez
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkNathan Wallace, PhD, PE
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADAcsandit
 
How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsYury Chemerkin
 
Todd Deshane's PhD Proposal
Todd Deshane's PhD ProposalTodd Deshane's PhD Proposal
Todd Deshane's PhD ProposalTodd Deshane
 
In Quest of Benchmarking Security Risks to Cyber-Physical Systems
In Quest of Benchmarking Security Risks to Cyber-Physical SystemsIn Quest of Benchmarking Security Risks to Cyber-Physical Systems
In Quest of Benchmarking Security Risks to Cyber-Physical SystemsDETER-Project
 

Semelhante a Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic). S. LüDers On Behalf Of The Cnic Wg, Cern, Geneva, Switzerland. (20)

Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinet
 
Tech trendnotes
Tech trendnotesTech trendnotes
Tech trendnotes
 
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
 
Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilities
 
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical UtilitiesNetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
 
Operational Technology Security Solution for Utilities
Operational Technology Security Solution for UtilitiesOperational Technology Security Solution for Utilities
Operational Technology Security Solution for Utilities
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a Secure
 
New Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data CentersNew Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data Centers
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel Talk
 
ICS security
ICS securityICS security
ICS security
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
 
Ispe Article
Ispe ArticleIspe Article
Ispe Article
 
How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systems
 
Industrial networks safety & security - e+h june 2018 ben murphy
Industrial networks safety & security - e+h june 2018   ben murphyIndustrial networks safety & security - e+h june 2018   ben murphy
Industrial networks safety & security - e+h june 2018 ben murphy
 
Todd Deshane's PhD Proposal
Todd Deshane's PhD ProposalTodd Deshane's PhD Proposal
Todd Deshane's PhD Proposal
 
Tinysec
TinysecTinysec
Tinysec
 
Tinysec
TinysecTinysec
Tinysec
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
A Back Propagation Neural Network Intrusion Detection System Based on KVM
A Back Propagation Neural Network Intrusion Detection System Based on KVMA Back Propagation Neural Network Intrusion Detection System Based on KVM
A Back Propagation Neural Network Intrusion Detection System Based on KVM
 
In Quest of Benchmarking Security Risks to Cyber-Physical Systems
In Quest of Benchmarking Security Risks to Cyber-Physical SystemsIn Quest of Benchmarking Security Risks to Cyber-Physical Systems
In Quest of Benchmarking Security Risks to Cyber-Physical Systems
 

Mais de ESS BILBAO

22 05 09 El Economista
22 05 09   El Economista22 05 09   El Economista
22 05 09 El EconomistaESS BILBAO
 
ESS-Bilbao Initiative Workshop. SNS Studies towards a rotating solid target.
ESS-Bilbao Initiative Workshop. SNS Studies towards a rotating solid target.ESS-Bilbao Initiative Workshop. SNS Studies towards a rotating solid target.
ESS-Bilbao Initiative Workshop. SNS Studies towards a rotating solid target.ESS BILBAO
 
ESS-Bilbao Initiative Workshop. Overview of cryo-modules for proton accelerators
ESS-Bilbao Initiative Workshop. Overview of cryo-modules for proton acceleratorsESS-Bilbao Initiative Workshop. Overview of cryo-modules for proton accelerators
ESS-Bilbao Initiative Workshop. Overview of cryo-modules for proton acceleratorsESS BILBAO
 
ESS-Bilbao Initiative Workshop. Pulse forming devices for high duty factor op...
ESS-Bilbao Initiative Workshop. Pulse forming devices for high duty factor op...ESS-Bilbao Initiative Workshop. Pulse forming devices for high duty factor op...
ESS-Bilbao Initiative Workshop. Pulse forming devices for high duty factor op...ESS BILBAO
 
ESS-Bilbao Initiative Workshop. The CSNS rotating target concept and test pro...
ESS-Bilbao Initiative Workshop. The CSNS rotating target concept and test pro...ESS-Bilbao Initiative Workshop. The CSNS rotating target concept and test pro...
ESS-Bilbao Initiative Workshop. The CSNS rotating target concept and test pro...ESS BILBAO
 
ESS-Bilbao Initiative Workshop. Spokes vs. Elliptical cavities for medium-hig...
ESS-Bilbao Initiative Workshop. Spokes vs. Elliptical cavities for medium-hig...ESS-Bilbao Initiative Workshop. Spokes vs. Elliptical cavities for medium-hig...
ESS-Bilbao Initiative Workshop. Spokes vs. Elliptical cavities for medium-hig...ESS BILBAO
 
ESS-Bilbao Initiative Workshop. Concept and Technology of the PbBi-Target for...
ESS-Bilbao Initiative Workshop. Concept and Technology of the PbBi-Target for...ESS-Bilbao Initiative Workshop. Concept and Technology of the PbBi-Target for...
ESS-Bilbao Initiative Workshop. Concept and Technology of the PbBi-Target for...ESS BILBAO
 
ESS-Bilbao Initiative Workshop. Design concepts of and lessons learned from t...
ESS-Bilbao Initiative Workshop. Design concepts of and lessons learned from t...ESS-Bilbao Initiative Workshop. Design concepts of and lessons learned from t...
ESS-Bilbao Initiative Workshop. Design concepts of and lessons learned from t...ESS BILBAO
 
ESS-Bilbao Initiative Workshop.Pulse forming devices for high duty factor ope...
ESS-Bilbao Initiative Workshop.Pulse forming devices for high duty factor ope...ESS-Bilbao Initiative Workshop.Pulse forming devices for high duty factor ope...
ESS-Bilbao Initiative Workshop.Pulse forming devices for high duty factor ope...ESS BILBAO
 
ESS-Bilbao Initiative Workshop. Status of JSNS and R&D on mercury target.
ESS-Bilbao Initiative Workshop. Status of JSNS and R&D on mercury target.ESS-Bilbao Initiative Workshop. Status of JSNS and R&D on mercury target.
ESS-Bilbao Initiative Workshop. Status of JSNS and R&D on mercury target.ESS BILBAO
 
ESS-Bilbao Initiative Workshop. PSI experience with high power beam handling,...
ESS-Bilbao Initiative Workshop. PSI experience with high power beam handling,...ESS-Bilbao Initiative Workshop. PSI experience with high power beam handling,...
ESS-Bilbao Initiative Workshop. PSI experience with high power beam handling,...ESS BILBAO
 
ESS-Bilbao Initiative Workshop.Review of SC spokes cavities for low-medium en...
ESS-Bilbao Initiative Workshop.Review of SC spokes cavities for low-medium en...ESS-Bilbao Initiative Workshop.Review of SC spokes cavities for low-medium en...
ESS-Bilbao Initiative Workshop.Review of SC spokes cavities for low-medium en...ESS BILBAO
 
ESS-Bilbao Initiative Workshop. High duty cycle RF Power Couplers
ESS-Bilbao Initiative Workshop. High duty cycle RF Power CouplersESS-Bilbao Initiative Workshop. High duty cycle RF Power Couplers
ESS-Bilbao Initiative Workshop. High duty cycle RF Power CouplersESS BILBAO
 
ESS-Bilbao Initiative Workshop. RF structure comparison for low energy accele...
ESS-Bilbao Initiative Workshop. RF structure comparison for low energy accele...ESS-Bilbao Initiative Workshop. RF structure comparison for low energy accele...
ESS-Bilbao Initiative Workshop. RF structure comparison for low energy accele...ESS BILBAO
 
ESS-Bilbao Initiative Workshop. Front Ends for High Intensity
ESS-Bilbao Initiative Workshop. Front Ends for High IntensityESS-Bilbao Initiative Workshop. Front Ends for High Intensity
ESS-Bilbao Initiative Workshop. Front Ends for High IntensityESS BILBAO
 
ESS-Bilbao Initiative Workshop. Low Energy Transport and space-charge compens...
ESS-Bilbao Initiative Workshop. Low Energy Transport and space-charge compens...ESS-Bilbao Initiative Workshop. Low Energy Transport and space-charge compens...
ESS-Bilbao Initiative Workshop. Low Energy Transport and space-charge compens...ESS BILBAO
 
ESS-Bilbao Initiative Workshop. Beam Dynamics Codes: Availability, Sophistica...
ESS-Bilbao Initiative Workshop. Beam Dynamics Codes: Availability, Sophistica...ESS-Bilbao Initiative Workshop. Beam Dynamics Codes: Availability, Sophistica...
ESS-Bilbao Initiative Workshop. Beam Dynamics Codes: Availability, Sophistica...ESS BILBAO
 
ESS-Bilbao Initiative Workshop. Beam dynamics: Simulations of high power linacs
ESS-Bilbao Initiative Workshop. Beam dynamics: Simulations of high power linacsESS-Bilbao Initiative Workshop. Beam dynamics: Simulations of high power linacs
ESS-Bilbao Initiative Workshop. Beam dynamics: Simulations of high power linacsESS BILBAO
 
ESS-Bilbao Initiative Workshop. SNS Linac experience
ESS-Bilbao Initiative Workshop. SNS Linac experienceESS-Bilbao Initiative Workshop. SNS Linac experience
ESS-Bilbao Initiative Workshop. SNS Linac experienceESS BILBAO
 
ESS-Bilbao Initiative Workshop. Charge to working group: accelerator componen...
ESS-Bilbao Initiative Workshop. Charge to working group: accelerator componen...ESS-Bilbao Initiative Workshop. Charge to working group: accelerator componen...
ESS-Bilbao Initiative Workshop. Charge to working group: accelerator componen...ESS BILBAO
 

Mais de ESS BILBAO (20)

22 05 09 El Economista
22 05 09   El Economista22 05 09   El Economista
22 05 09 El Economista
 
ESS-Bilbao Initiative Workshop. SNS Studies towards a rotating solid target.
ESS-Bilbao Initiative Workshop. SNS Studies towards a rotating solid target.ESS-Bilbao Initiative Workshop. SNS Studies towards a rotating solid target.
ESS-Bilbao Initiative Workshop. SNS Studies towards a rotating solid target.
 
ESS-Bilbao Initiative Workshop. Overview of cryo-modules for proton accelerators
ESS-Bilbao Initiative Workshop. Overview of cryo-modules for proton acceleratorsESS-Bilbao Initiative Workshop. Overview of cryo-modules for proton accelerators
ESS-Bilbao Initiative Workshop. Overview of cryo-modules for proton accelerators
 
ESS-Bilbao Initiative Workshop. Pulse forming devices for high duty factor op...
ESS-Bilbao Initiative Workshop. Pulse forming devices for high duty factor op...ESS-Bilbao Initiative Workshop. Pulse forming devices for high duty factor op...
ESS-Bilbao Initiative Workshop. Pulse forming devices for high duty factor op...
 
ESS-Bilbao Initiative Workshop. The CSNS rotating target concept and test pro...
ESS-Bilbao Initiative Workshop. The CSNS rotating target concept and test pro...ESS-Bilbao Initiative Workshop. The CSNS rotating target concept and test pro...
ESS-Bilbao Initiative Workshop. The CSNS rotating target concept and test pro...
 
ESS-Bilbao Initiative Workshop. Spokes vs. Elliptical cavities for medium-hig...
ESS-Bilbao Initiative Workshop. Spokes vs. Elliptical cavities for medium-hig...ESS-Bilbao Initiative Workshop. Spokes vs. Elliptical cavities for medium-hig...
ESS-Bilbao Initiative Workshop. Spokes vs. Elliptical cavities for medium-hig...
 
ESS-Bilbao Initiative Workshop. Concept and Technology of the PbBi-Target for...
ESS-Bilbao Initiative Workshop. Concept and Technology of the PbBi-Target for...ESS-Bilbao Initiative Workshop. Concept and Technology of the PbBi-Target for...
ESS-Bilbao Initiative Workshop. Concept and Technology of the PbBi-Target for...
 
ESS-Bilbao Initiative Workshop. Design concepts of and lessons learned from t...
ESS-Bilbao Initiative Workshop. Design concepts of and lessons learned from t...ESS-Bilbao Initiative Workshop. Design concepts of and lessons learned from t...
ESS-Bilbao Initiative Workshop. Design concepts of and lessons learned from t...
 
ESS-Bilbao Initiative Workshop.Pulse forming devices for high duty factor ope...
ESS-Bilbao Initiative Workshop.Pulse forming devices for high duty factor ope...ESS-Bilbao Initiative Workshop.Pulse forming devices for high duty factor ope...
ESS-Bilbao Initiative Workshop.Pulse forming devices for high duty factor ope...
 
ESS-Bilbao Initiative Workshop. Status of JSNS and R&D on mercury target.
ESS-Bilbao Initiative Workshop. Status of JSNS and R&D on mercury target.ESS-Bilbao Initiative Workshop. Status of JSNS and R&D on mercury target.
ESS-Bilbao Initiative Workshop. Status of JSNS and R&D on mercury target.
 
ESS-Bilbao Initiative Workshop. PSI experience with high power beam handling,...
ESS-Bilbao Initiative Workshop. PSI experience with high power beam handling,...ESS-Bilbao Initiative Workshop. PSI experience with high power beam handling,...
ESS-Bilbao Initiative Workshop. PSI experience with high power beam handling,...
 
ESS-Bilbao Initiative Workshop.Review of SC spokes cavities for low-medium en...
ESS-Bilbao Initiative Workshop.Review of SC spokes cavities for low-medium en...ESS-Bilbao Initiative Workshop.Review of SC spokes cavities for low-medium en...
ESS-Bilbao Initiative Workshop.Review of SC spokes cavities for low-medium en...
 
ESS-Bilbao Initiative Workshop. High duty cycle RF Power Couplers
ESS-Bilbao Initiative Workshop. High duty cycle RF Power CouplersESS-Bilbao Initiative Workshop. High duty cycle RF Power Couplers
ESS-Bilbao Initiative Workshop. High duty cycle RF Power Couplers
 
ESS-Bilbao Initiative Workshop. RF structure comparison for low energy accele...
ESS-Bilbao Initiative Workshop. RF structure comparison for low energy accele...ESS-Bilbao Initiative Workshop. RF structure comparison for low energy accele...
ESS-Bilbao Initiative Workshop. RF structure comparison for low energy accele...
 
ESS-Bilbao Initiative Workshop. Front Ends for High Intensity
ESS-Bilbao Initiative Workshop. Front Ends for High IntensityESS-Bilbao Initiative Workshop. Front Ends for High Intensity
ESS-Bilbao Initiative Workshop. Front Ends for High Intensity
 
ESS-Bilbao Initiative Workshop. Low Energy Transport and space-charge compens...
ESS-Bilbao Initiative Workshop. Low Energy Transport and space-charge compens...ESS-Bilbao Initiative Workshop. Low Energy Transport and space-charge compens...
ESS-Bilbao Initiative Workshop. Low Energy Transport and space-charge compens...
 
ESS-Bilbao Initiative Workshop. Beam Dynamics Codes: Availability, Sophistica...
ESS-Bilbao Initiative Workshop. Beam Dynamics Codes: Availability, Sophistica...ESS-Bilbao Initiative Workshop. Beam Dynamics Codes: Availability, Sophistica...
ESS-Bilbao Initiative Workshop. Beam Dynamics Codes: Availability, Sophistica...
 
ESS-Bilbao Initiative Workshop. Beam dynamics: Simulations of high power linacs
ESS-Bilbao Initiative Workshop. Beam dynamics: Simulations of high power linacsESS-Bilbao Initiative Workshop. Beam dynamics: Simulations of high power linacs
ESS-Bilbao Initiative Workshop. Beam dynamics: Simulations of high power linacs
 
ESS-Bilbao Initiative Workshop. SNS Linac experience
ESS-Bilbao Initiative Workshop. SNS Linac experienceESS-Bilbao Initiative Workshop. SNS Linac experience
ESS-Bilbao Initiative Workshop. SNS Linac experience
 
ESS-Bilbao Initiative Workshop. Charge to working group: accelerator componen...
ESS-Bilbao Initiative Workshop. Charge to working group: accelerator componen...ESS-Bilbao Initiative Workshop. Charge to working group: accelerator componen...
ESS-Bilbao Initiative Workshop. Charge to working group: accelerator componen...
 

Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic). S. LüDers On Behalf Of The Cnic Wg, Cern, Geneva, Switzerland.

  • 1. UPDATE ON THE CERN COMPUTING AND NETWORK INFRASTRUCTURE FOR CONTROLS (CNIC) S. Lüders on behalf of the CNIC WG, CERN, Geneva, Switzerland Abstract However, some means of security incorporated into standard IT equipment cannot be directly applied to Over the last few years modern accelerator and controls equipment since both differ in hardware but also experiment control systems have increasingly been based in the concepts of availability and manageability. on commercial-off-the-shelf products (VME crates, PLCs, At CERN, control systems are used for the operation of SCADA systems, etc.), on Windows or Linux PCs, and on the whole accelerator complex, including the Large communication infrastructures using Ethernet and TCP/IP. Hadron Collider (LHC), for the LHC experiments, as well Despite the benefits coming with this (r)evolution, new as for the technical infrastructure (e.g. electricity, cooling vulnerabilities are inherited too: Worms and viruses & ventilation) and for fixed-target experiments. spread within seconds via the Ethernet cable, and In order to cope with the growing usage of standard IT attackers are becoming interested in control systems. technologies in control systems at CERN, the Unfortunately, control PCs cannot be patched as fast as corresponding operation principles have been reviewed office PCs. Even worse, vulnerability scans at CERN taking the aspect of security into account. This paper will using standard IT tools have shown that commercial give an update on the implementation of the Security automation systems lack fundamental security Policy presented by the CERN Computing and Network precautions: Some systems crashed during the scan, Infrastructure for Controls (CNIC) working group two others could easily be stopped or their process data be years ago [2]. altered [1]. During the two years following the presentation of the CNIC Security Policy at CNIC SECURITY POLICY ICALEPCS2005 [2], a “Defense-in-Depth” approach has been applied to protect CERN’s control systems. This The CNIC Security Policy gives directions on how to presentation will give a review of its thorough secure CERN control systems. It is necessary to reduce implementation and its deployment. Particularly, the overall risk to a minimum in order to obtain maximum measures to secure the controls network and tools for security, where “risk” is defined as: user-driven management of Windows and Linux control PCs will be discussed. Risk = Threat × Vulnerability × Consequence INTRODUCTION The major part of the factor “threat” originates from The enormous growth of the worldwide outside CERN and cannot be significantly reduced. Thus, interconnectivity of computing devices (the “Internet”) protective measures have to be implemented to prevent during the last decade offers computer users new means external threats like viruses & worms or attackers to share and distribute information and data. In industry, penetrating CERN control systems. These protective this results in an adoption of modern Information measures should also prevent insiders from (deliberate or Technologies (IT) to their plants and, subsequently, in an accidental) unauthorized access. increasing integration of the production facilities, i.e. their The “consequences” are inherent to the design of process control and automation systems, and the data CERN’s accelerators and the affiliated experiments. All warehouses. Thus, information from the factory floor is are running a wide variety of control systems, some of now directly available at the management level (“From them complex, some of them dealing with personnel Shop-Floor to Top-Floor”) and can be manipulated from safety, some of them controlling or protecting very there. expensive or irreplaceable equipment. Thus, CERN’s Unfortunately, the adoption of standard modern IT in assets and their proper operation are at stake. A security distributed process control and automation systems* also incident can lead to loss of beam time and physics data, or exposes their inherent vulnerabilities to the world [1]. — even worse — damage to or destruction of unique Furthermore, this world is by far more hostile than a local equipment and hardware. private controls network as the number and power of The “vulnerability” factor can be either minimized by worms and viruses increase, and attackers start to become guaranteeing a prompt fixing of published or known interested in control systems. Partial protection can be vulnerabilities, and/or by adding pro-active measures to obtained through the usage of properly configured secure the unknown, potential or not-fixable firewalls and through well-defined network architectures. vulnerabilities. In order to protect such vulnerabilities against being * exploited (either because there is no patch available or a Commonly denoted in the following as “control systems”, where a “system expert” has the expertise in its configuration. patch could not be applied), the Security Policy follows
  • 2. the recommendations of the U.K. CPNI [3]. It is based on configuration of the PCs of his system ― and full a “Defense-in-Depth” approach, where pro-active security responsibility for securing it. Such a scheme will also measures must be applied to every possible level: help the expert to recover e.g. from a security incident. • …of the security of the device itself; Schemes for the central installation of CERN Scientific Linux and of Windows, respectively, have been created. • …of the firmware and operating system; • …of the network connections & protocols; Linux For Controls (L4C) • …of the software applications; L4C is based on a bottom-up approach to the • …of third party software; configuration of the PCs in a hierarchical manner, and • …together with users, developers, and operators. uses the same techniques having proven to be successful “Defense-in-Depth” is, thus, based on four major for managing Linux clusters in the CERN Computing pillars: “Network Security”, “Central Installation Centre, i.e. using Quattor (http://quattor.web.cern.ch) for Schemes”, “Authorization & Authentication”, and “User configuring PCs (“the nodes”). Settings that are specific Training”. to a node are defined in so-called “node templates”. The However, sufficient protection should not provide false individual nodes join sets of PCs with a common security. Incidents will happen. Therefore, the Security configuration. These sets in turn can join super-sets. L4C Policy also defines rules to deal with “Incident Response supports CERN Scientific Linux 3 and 4, including all & System Recovery”, as well as with regular security regular security updates and enhancements. Basic audits. The next chapters will outline the major templates are maintained by L4C support, all other implementations in detail. templates by the system experts allowing him full flexibility. The templates can be hosted in central or user NETWORK SECURITY owned configuration databases (CDBs). In order to contain and control the network traffic, the The Linux installation of a PC from scratch uses CERN network has been separated into defined “Network CERN’s “Automated Installation Management System” Domains”. For example, each of the LHC experiments is (AIMS) service and is based on RedHat’s “Kickstart” now using such a dedicated Domain. CERN’s accelerator software. Booting a Linux PC via the network using PXE complex and the control systems which monitor and Boot (Preboot Execution Environment) pulls the control the technical infrastructure (e.g. electricity “Kickstart” and configuration profile from the CDB. distribution, cooling & ventilation, facility management From this information, Quattor is able to perform a full as well as safety and access control systems) use another. automatic installation. “Domain Administrators” were assigned to take full From here, the CDB informs a node about any new responsibility for a Domain. In particular, they supervise changes in the configuration profile. Triggered by CDB, a the stringent rules for connecting devices to it. Additional local daemon then downloads the modified profile and network segregation allows a system expert further to subsequently applies the changes. For each node in the protect vulnerable devices like Programmable Logic CDB, a webpage shows the names, versions, hardware Controllers (PLCs). architecture and the repository from which all the Each Domain is interconnected with CERN’s “General packages for a node are to be installed. However, in order Purpose Network” used for office computing, and other to verify that all packages are installed as foreseen the Domains via dedicated network routers. The traffic system expert has to log onto that node. crossing any two Domains is restricted to a minimum by Computer Management Framework (CMF) the usage of routing tables, with only mandatory traffic passing such boundaries. A large fraction of this traffic is CMF [4], on the other hand, has implemented a top- either dedicated data exchange with CERN’s Computing down structure, focussing on sets of PCs with a defined Centre, or currently inevitable due to the ongoing configuration. The installation of PCs is handled through commissioning of the LHC accelerator. a top-down tree of so-called “Named Sets of Computers” Windows Terminal Servers (WTS), and to a lesser (NSCs). Each NSC assigns a list of applications to its extent Linux-based application gateways, have become members, where these members can be individual PCs or the only means for remote user access. other, nested NSCs. A PC that is member of different NSCs will receive the applications from any of them. CENTRAL INSTALLATION SCHEMES CMF is taking care of clashes. Depending on the type of NSC, the administrator of the NSC, i.e. the system expert From experience at CERN, only centrally managed and who maintains that NSC, has full autonomy of his patched PCs have shown to be secure in the long run. configuration (“locally managed”), or CERN’s IT However, since control PCs are very different in handling department is still providing a basic configuration (i.e. than office PCs, a more flexible installation and that of an office PC), and takes care of patches. management scheme was needed. While the operating A long list of basic applications has been provided as systems, antivirus software, and basic software CMF “packages”. Packages can be applications but also applications should continue to be managed and group policy settings, regular scheduled tasks, or Visual maintained by the IT service providers, it is up to the Basic scripts. NSC administrators can easily create system expert to take over full flexibility of the
  • 3. additional packages using the CMF web-interface and dependent upon and/or whose responsibility it is to simple scripting. The installation of a package can be improve the security of SCADA and Control Systems. either forced (“applied”), such that it is installed automatically after a small notification period, “denied”, INCIDENT RESPONSE & such that it cannot be installed at all, or offered SYSTEM RECOVERY (“published”) to the interactive user. In the latter case, the Even with a stringent Security Policy incidents can interactive user can use the CMF web-interface to never be prevented completely. Therefore, handling select/deselect packages he wants to install/de-install. incidents on a Domain have been and will be jointly The installation of these packages is controlled via a performed by CERN’s Computer Security Team and the small local program (the “CMF Agent”), being installed corresponding Domain Administrator. The acting on every CMF Windows PC. It handles all pending Computer Security Officer has the right to take (de)installation tasks, interacts with the user, and appropriate actions in justified emergency cases. performs regular inventory checks which are passed back After incident analysis, the central installation schemes to a central CMF configuration management database. CMF and L4C allow for a rapid system recovery by the The initial installation from scratch is based on the corresponding system expert. Windows pre-installation environment and PXE Boot. The preferred operating system (Windows XP SP2 or SUMMARY Windows 2003 terminal server) can either be chosen from a list, or predefined for automatic installation on the CMF Due to the continuing integration of common IT web-interface. After the operating system has been technology into control systems, the corresponding IT installed, the CMF Agent controls the subsequent security vulnerabilities and cyber-attackers end up installation of all packages being applied to that particular threatening control systems, and, thus, CERN’s operation PC. and assets. However, control systems demand a different With PXE Boot and the proper configuration of his approach to security than office systems do. NSCs, the system expert has full liberty to install sets of This paper has presented a thorough rule-set to secure PCs in parallel or to run pilot installations prior to mass CERN’s control systems. Its implementation uses a deployment. CMF ensures that all members of a NSC are “Defense-in-Depth” approach based on network identically configured, and that corrections or segregation, central installation schemes, authentication & modifications are propagated accordingly. The authorization, user training, incident response & system configuration database provides always an up-to-date recovery, and security auditing. status (e.g. PC hardware, operating system version, patch levels, installed applications and their versions) via the ACKNOWLEGDMENTS CMF web-page. Queries can be run to assess a particular The author would like to thank all his colleagues at situation (e.g. listing all PCs missing patch XYZ). CERN involved in the realization of CNIC making it such a success; in particular A. Bland, P. Charrue, I. Deloose, AUTHENTICATION & AUTHORIZATION M. Dobson, U. Epting, N. Høimyr, S. Poulsen, and M. Several dedicated authentication & authorization Schröder. schemes have been developed at CERN serving the accelerator complex [5] and LHC experiments [6]. These REFERENCES are based mainly on general standards like Role-Based [1] S. Lüders, “Control Systems Under Attack ?”, Access Control [5] or on commercial solutions [6]. ICALEPCS, Geneva, October 2005. Details can be found in these proceedings [5][6]. [2] U. Epting et al., “Computing and Network Major challenges still to be overcome are the Infrastructure for Controls”, ICALEPCS, Geneva, generalization to one common central scheme at CERN. October 2005. [3] Centre for the Protection of the National USER TRAINING Infrastructure (CPNI), “Good Practice Guidelines A series of awareness campaigns and training sessions Parts 1-7”, London, 2006. have been held for users, operators, and system experts at [4] I. Deloose, “The Evolution of Managing Windows CERN. Monthly CNIC meetings provide a forum for Computers at CERN”, HEPix, Rome, April 2006. questions and discussions. [5] S. Gysin et al., “Role-Based Access Control for the Furthermore, CERN has raised aspects of Control Accelerator Control System at CERN”; K. Kostro et System Cyber Security at several conferences and al., “Role-Based Authorization in Equipment Access workshops (e.g. at the CS2/HEP workshop [7]), interacted at CERN”; and A. Petrov et al., “User Authentication with major vendors of control systems, and is now for Role-Based Access Control”, these proceedings. leading the “EuroSCSIE”, the European Information [6] P. Chocula, “Cyber Security in ALICE”, these Exchange on SCADA (Supervisory Control And Data proceedings. Acquisition) Security, with members from European [7] S. Lüders, “Summary of the Control System Cyber- governments, industry, and research institutions that are Security CS2/HEP Workshop”, these proceedings.