CEBAF Control System Access


CEBAF Control System Access
Anthony Cuffe

What is ACE?
The Accelerator Computing Environment (ACE) is a collection of network segments (enclaves and fiefdoms) maintained by the Accelerator Computing Group (ACG) and dedicated to the control and support of Accelerator Operations.
This includes isolated, self-sufficient fiefdoms and specialized computing enclaves dedicated to the:
- Control of Accelerator operations (CEBAF)
- Control of LERF, SRF and ITF operations
- Support of End Station operations
- Development of controls software and hardware related to these facilities
This also includes several non-isolated enclaves for:
- User desktops for Accelerator and Engineering support staff
- Windows Terminal Servers
- Site-wide services (logbooks, database, web services, ...)

Network Segmentation/Isolation
- Segmentation of our fiefdoms/enclaves from the rest of the site is implemented through network-based ACLs and firewalls.
- Access to the external internet is only allowed on non-operational networks:
  - acenet (ACE Desktop Enclave)
  - wintsnet (Windows Terminal Server Network)
- Systems are grouped together in special networks by function to simplify firewall/ACL rules:
  - Fiefdoms: opsnet, devnet, srfnet, ...
  - Special networks: bkupnet, accupsnet, consrvnet, cagwnet, ...
  - Protection of vulnerable systems: plcnet, opsiocnet

Network Segmentation (CNI to ACE)

Remote Access: Two Factor
- Access from the outside is only allowed via ssh through a gateway system (acclogin).
- Remote logins (ssh) to Accelerator systems require two-factor authentication using crypto-tokens generated by a smartphone app or a CRYPTOCard keyfob.
- Management and assignment of the CRYPTOCards are done by both ACE and CNI:
  - Faster response to user issues
  - Tighter control over users with ACC access
- A separate Accelerator login account is also required to access the control system.

Physical Security
- All critical and sensitive Accelerator systems reside within the confines of the Accelerator Site, which is a fenced area with controlled access.
- All personnel must be badged.
- Access to specific areas is controlled by badge readers (CANS) that authorize entry only to those staff and users who have the appropriate training and access privileges.
- Access is controlled by physical locks where CANS is not available.
- Access is logged and videotaped in sensitive areas (MCC Datacenter).
- Backup systems and media are always kept under lock and key, and backups are stored in an off-site safe.
- Visitors must have an escort.

User and Group Accounts
- Individuals access and manipulate the control system using their own accounts.
- General-purpose logins (group accounts) are avoided whenever possible and are normally used only for long-running services.
- General-purpose logins are controlled and logged using sudo.
- Local accounts are avoided at all costs.
- Passwords are changed at least every 6 months (enforced through Kerberos).
- User auditing is done continuously.

EPICS: Channel Access Security
- Almost all ACC Control/SCADA systems are based on EPICS.
- Channel Access is the command-and-control communication protocol used by EPICS.
  - Provides the security layer for EPICS.
  - Allows users to read, write and monitor real-time data from low-level controls.
  - Allows for host- and user-based access control (read and write).

CA Security Measures
- Controlled by network-based ACLs/firewalls in, out and between ACE networks.
- Read access is granted to all users on local networks and made available to external networks through CA gateways.
- Write access during operational periods is authenticated by user (operations staff only) and by host computer (strictly managed).
  - Short-term access for non-operator support staff can be granted by the Crew Chief.
  - Specially trained experts (MAC) can also be granted pre-defined, limited access by the Crew Chief with a short expiration.
  - Approved Operators and MAC users are designated by the OPS group leader.
- Write access during non-operational periods is authenticated by host computer only (open channel access).
- Physical access controls are employed for controls hardware.
- All control system writes are logged (caputlog and splunk).
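The write policy just described (user-and-host during operations, host-only otherwise, every write logged) expressed as an EPICS Channel Access Security file. This is an added example, not the ACE group's own configuration; the user names, host names and the "operational period" flag PV (EXAMPLE:OPS:MODE, assumed to read 1 during beam operations) are placeholders.

```text
# EPICS access security file (ACF). Added example; all names are placeholders.

# User groups allowed to write while the machine is operational.
UAG(operators)   { opr1, opr2 }
UAG(mac_experts) { mac1 }     # short-expiry MAC grants are managed outside the ACF

# Host groups: the strictly managed console hosts that may issue writes.
HAG(ops_consoles) { opscon1, opscon2 }
HAG(mac_hosts)    { macws1 }

# DEFAULT applies to every record that does not name its own ASG field.
ASG(DEFAULT) {
    # INPA reads the operational-period flag PV (assumed name; 1 = operations).
    INPA("EXAMPLE:OPS:MODE")

    # Read access for everyone on the local networks; the CA gateway
    # re-exports this read-only view to external networks.
    RULE(1, READ)

    # Operational period (A=1): a write needs BOTH an approved user AND a
    # managed host. TRAPWRITE makes caPutLog record each write.
    RULE(1, WRITE, TRAPWRITE) {
        UAG(operators, mac_experts)
        HAG(ops_consoles, mac_hosts)
        CALC("A=1")
    }

    # Non-operational period (A=0): host-based only, any user on a managed
    # host may write; writes are still trapped for logging.
    RULE(1, WRITE, TRAPWRITE) {
        HAG(ops_consoles, mac_hosts)
        CALC("A=0")
    }
}
```

Rules that carry a CALC cannot match while their input PV is invalid, so the reachability of the mode PV from each IOC should be verified; an unreachable flag leaves only the READ rule in effect.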

Questions?