Jefferson Lab Remote Access Review: Free-Electron Laser Wesley Moore FEL Computer Scientist 01 December 2010.


FEL Presentation Objectives
What is the Free-Electron Laser (FEL)?
FEL's relationship to sensitive information (SI)
Outline adopted policies and procedures
Remote Access to SI and control systems
Quality Assurance
Future plans

Description of JLab's FEL
The FEL is the world's most powerful free-electron laser. It is primarily an infrared laser, although it can also produce ultraviolet and other colors of laser light. The FEL also holds the world record as the brightest source of Terahertz (THz) light and is now in the process of characterizing its kilowatt-scale ultraviolet capability.
[Images: UV Wiggler; UV Lasing]

Cause for Sensitive Information
Science and Technology (S&T) is typically considered to be sensitive if the S&T involves activities or items on the Military Critical Technologies List (MCTL) or if the S&T is included in the Department of State's International Traffic in Arms Regulations (ITAR). Sensitive S&T has consequent export control requirements by law, regulation and the JLab DOE contract. Please note there is no Classified Information involved with FEL activities at this point.

Policies & Procedures
The FEL wanted to maintain a proactive posture with respect to information security, not a reactive one.
Early involvement of the Chief Information Officer (CIO)
It was obvious the FEL would become a moderate enclave
Initiated compliance with JLab site-wide policies and procedures for sensitive information
Procedures used for the following:
o Personnel security
o Physical security
o Handling of hard copies
o Handling of electronic information

Sensitive Information Security
Remote Access
o 2-Factor Authentication
o Restrictive inbound and outbound firewall configuration
FOUO-ITAR documents are stored on a secure file server
o File server provided by IT Core
o Located in Computer Center with card reader access security

Control System Security 1/2
EPICS access security protects IOC databases from unauthorized Channel Access Clients. Access is based on the following*:
Who: Userid of the channel access client.
Where: Hostid where the user is logged on. This is the host on which the channel access client exists. Thus no attempt is made to see if a user is local or is remotely logged on to the host.
What: Individual fields of records are protected. Each record has a field containing the Access Security Group (ASG) to which the record belongs...
How: User Access Groups (UAG) and Host Access Groups (HAG) combine to create read/write permissions.
Local IOC console is protected via physical security and telnet access is protected via networking security.
* extracted from EPICS Application Developer's Guide, Base Release

Control System Security 2/2
Key Points to Remote Access:
Once through the firewall, an accepted user and host has transparent remote access. Recall:
o Who: Userid of the channel access client.
o Where: Hostid where the user is logged on. This is the host on which the channel access client exists. Thus no attempt is made to see if a user is local or is remotely logged on to the host.
Channel Access Security is granted by the System Owner (W. Moore)
o Read/Write Access is role based (operator, user, student, etc.)
Remote actions are administratively coordinated through the on-site Duty Officer and operators.

Quality Assurance
Active QA:
o Network and system level QA (reliant on IT Core)
o Security of FOUO-ITAR is periodically reviewed
Gaps:
o Some embedded IOCs are not using EPICS Channel Access security files.
o Periodic audit of Channel Access security configuration
    Remove old userids
    Changes in personnel
o PLCs and other network capable devices??
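The two Control System Security slides describe how EPICS combines UAG, HAG and ASG definitions into read/write permissions, and the Quality Assurance slide lists a periodic audit of that configuration (stale userids after personnel changes) as a gap. The script below is an added example, not code from the presentation or from the JLab FEL, that parses a small access security file written in the standard EPICS ACF syntax (UAG, HAG, ASG, RULE) and produces the audit output a system owner would want: which (user, host) pairs can WRITE to each ASG, which listed userids no longer appear on a personnel roster, and which ASGs grant WRITE without any UAG or HAG qualifier. The sample file, the roster and every user, host and group name in it are constructed for illustration and do not describe the FEL's real configuration.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample EPICS access security file (ACF syntax). All user, host
# and group names are invented for this example.
SAMPLE_ACF = """
UAG(operators) {opA, opB, oldstaff}
UAG(students)  {stu1}
HAG(ctrlroom)  {felcr1, felcr2}
HAG(offsite)   {vpn-gw}
ASG(DEFAULT) {
    RULE(1, READ)
    RULE(1, WRITE) {
        UAG(operators)
        HAG(ctrlroom)
    }
}
ASG(STUDENTS) {
    RULE(1, READ)
    RULE(1, WRITE) {
        UAG(students)
        HAG(ctrlroom, offsite)
    }
}
ASG(LEGACY) {
    RULE(1, WRITE)
}
"""


class Rule(NamedTuple):
    level: int
    access: str         # NONE, READ or WRITE
    uags: List[str]     # empty means the rule applies to any user
    hags: List[str]     # empty means the rule applies to any host


GROUP_RE = re.compile(r"\b(UAG|HAG)\((\w+)\)\s*\{([^}]*)\}")
ASG_RE = re.compile(r"\bASG\((\w+)\)\s*\{")
RULE_RE = re.compile(r"RULE\((\d+),\s*(NONE|READ|WRITE)\)\s*(?:\{([^}]*)\})?")


def _balanced(text: str, start: int) -> Tuple[str, int]:
    """Return the body of the brace block opened just before `start`, and the index after its close."""
    depth, i = 1, start
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1], i


def _names(csv: str) -> List[str]:
    return [n.strip() for n in csv.split(",") if n.strip()]


def parse_acf(text: str):
    """Parse UAG/HAG member lists and the RULE list of each ASG."""
    asgs: Dict[str, List[Rule]] = {}
    rest, pos = "", 0
    for m in ASG_RE.finditer(text):
        if m.start() < pos:          # inside a body already consumed
            continue
        body, end = _balanced(text, m.end())
        rules = []
        for r in RULE_RE.finditer(body):
            level, access, quals = r.groups()
            quals = quals or ""
            uags = [u for q in re.findall(r"UAG\(([^)]*)\)", quals) for u in _names(q)]
            hags = [h for q in re.findall(r"HAG\(([^)]*)\)", quals) for h in _names(q)]
            rules.append(Rule(int(level), access, uags, hags))
        asgs[m.group(1)] = rules
        rest += text[pos:m.start()]
        pos = end
    rest += text[pos:]               # group definitions live outside ASG bodies
    groups: Dict[str, Dict[str, List[str]]] = {"UAG": {}, "HAG": {}}
    for kind, name, members in GROUP_RE.findall(rest):
        groups[kind][name] = _names(members)
    return groups, asgs


def write_grants(groups, asgs) -> Set[Tuple[str, str, str]]:
    """(ASG, userid, host) triples allowed to WRITE; '*' marks an unqualified rule."""
    grants = set()
    for asg, rules in asgs.items():
        for r in rules:
            if r.access != "WRITE":
                continue
            users = [u for g in r.uags for u in groups["UAG"].get(g, [])] if r.uags else ["*"]
            hosts = [h for g in r.hags for h in groups["HAG"].get(g, [])] if r.hags else ["*"]
            grants.update((asg, u, h) for u in users for h in hosts)
    return grants


def stale_users(groups, roster) -> List[str]:
    """Userids still listed in some UAG but absent from the current personnel roster."""
    listed = {u for members in groups["UAG"].values() for u in members}
    return sorted(listed - set(roster))


def unrestricted_writes(asgs) -> List[str]:
    """ASGs that grant WRITE with neither a UAG nor a HAG qualifier."""
    return sorted({asg for asg, rules in asgs.items()
                   for r in rules if r.access == "WRITE" and not r.uags and not r.hags})


def audit(text: str, roster: List[str]) -> dict:
    groups, asgs = parse_acf(text)
    return {"stale_users": stale_users(groups, roster),
            "unrestricted_write_asgs": unrestricted_writes(asgs),
            "write_grants": write_grants(groups, asgs)}


if __name__ == "__main__":
    report = audit(SAMPLE_ACF, ["opA", "opB", "stu1"])   # constructed roster
    print("stale userids:", report["stale_users"])
    print("ASGs with unrestricted WRITE:", report["unrestricted_write_asgs"])
    for asg, user, host in sorted(report["write_grants"]):
        print(f"  {asg}: {user}@{host} may WRITE")
```

Run against a real ACF file the roster would come from the personnel system rather than a literal list; the expanded (user, host) table is also the artifact to attach to the review, since it shows the transparent access an accepted user and host gets once through the firewall. An IOC that loads no ACF at all is not visible to this check and has to be found from the IOC inventory.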

Future...
We are currently evaluating our readiness for future ITAR related experiments on the FEL. Things we must consider:
o Machine hardware is not ITAR, configuration could be.
o Effort required to "black-box" the FEL's control system. Is all Remote Access denied??
o Proper storage of machine parameters.
o Staffing issues and requirements due to heightened information security.
o Cost associated with protecting information.

Questions?