Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003.

Incident Summary

Incident Type                               Typical cause
System compromised (intruder has control)   Security holes in software (e.g. ssh, ftp, telnet, ICQ, …)
Compromised CERN accounts                   Sniffed or guessed passwords
Serious viruses                             Several new viruses are released each day
Unauthorised use of file servers            Insufficient access controls
Serious SPAM incidents                      CERN addresses are regularly forged
Miscellaneous security alerts
Total incidents

Conclusions
 Intruders or serious viruses were detected on a total of 77 CERN systems during 2002
  - The firewall blocks many attempts per day
  - Intrusions succeed almost weekly
 Security patches for all software need to be applied in a timely fashion
  - A balance is needed between risk and stability, but for systems directly exposed outside the firewall the risk is extremely high (the patch may come too late)
 Exposing sensitive systems (e.g. controls) directly outside the firewall is a recipe for disaster
  - They will be targeted continually by hostile code, which even if unsuccessful has a performance and stability impact

Recommendations for remote access to control systems
 Strictly limit access to a minimal set of clearly identified and authorised users
  - Individual usernames are essential even if software or data is shared
  - Logs of connections and actions are needed for incident identification and correction
 Provide remote access via independent systems
  - Separate remote access from the control systems and clearly define the interaction to reduce risks
  - Ensure sufficient security on the remote access systems: a minimal configuration which can be exposed in the firewall at low risk, with active management and monitoring and timely patches applied
  - LXPLUS and VPN servers offer remote access to CERN
  - A remote access service dedicated to control systems may be required for strengthened security in the LHC era

Solutions for Remote Access
 Control screens and applications can be managed remotely via encrypted tunnels
  - Locally installed applications encrypted inside SSH
  - VNC (Virtual Network Computing) encrypted inside SSH
  - CERN VPN encrypted connections (http://cern.ch/vpn) allow remote computers to connect as if running on the CERN Campus Network

Encrypting applications with SSH
 An application on the remote workstation is configured to connect locally to ssh
 ssh is configured to route the local client application to a CERN server application
 An ssh connection is opened to CERN (e.g. lxplus) and the client application is launched as if running at CERN
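The local-forwarding setup described above, written out as an added example that is not part of the original slides: one helper builds the ssh command that carries a VNC client session through lxplus to a control PC, and a second one checks that a forwarding specification only listens on the loopback interface of the remote workstation, so the tunnel endpoint is not reachable from the rest of the home network. The host names pcctrl01.cern.ch and the VNC port are constructed for illustration.

```shell
#!/bin/sh
# Added example (not CERN's own tooling). Demonstrates ssh -L local port
# forwarding as used to encrypt a VNC or other client inside SSH.

# build_tunnel_cmd GATEWAY TARGET_HOST TARGET_PORT LOCAL_PORT
# Prints the ssh command that listens on 127.0.0.1:LOCAL_PORT on the remote
# workstation and forwards it, inside the encrypted session to GATEWAY, to
# TARGET_HOST:TARGET_PORT as seen from that gateway (e.g. lxplus at CERN).
# -N opens no remote shell: the session exists only to carry the tunnel.
build_tunnel_cmd() {
  gw=$1; host=$2; port=$3; lport=$4
  printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s\n' "$lport" "$host" "$port" "$gw"
}

# check_forward_spec SPEC
# SPEC is an ssh -L argument: [bind_address:]port:host:hostport (IPv4 only).
# Returns 0 when the listening port is bound to loopback only,
#         1 when it is exposed to other machines (empty bind address, "*",
#           0.0.0.0, or a specific interface address),
#         2 when the specification is malformed.
check_forward_spec() {
  spec=$1
  nocolon=$(printf '%s' "$spec" | tr -d ':')
  ncolons=$(( ${#spec} - ${#nocolon} ))
  case $ncolons in
    2) return 0 ;;                 # no bind address: ssh defaults to loopback
    3) bind=${spec%%:*}
       case $bind in
         localhost|127.0.0.1) return 0 ;;
         *) return 1 ;;            # '', '*', 0.0.0.0 or an interface address
       esac ;;
    *) return 2 ;;
  esac
}

# Typical use: start the tunnel, then point the VNC viewer at localhost:5901.
# Constructed example values; replace with the real gateway and control host.
main() {
  spec="127.0.0.1:5901:pcctrl01.cern.ch:5901"
  check_forward_spec "$spec" || { echo "refusing to expose forwarded port" >&2; return 1; }
  build_tunnel_cmd lxplus.cern.ch pcctrl01.cern.ch 5901 5901
}
```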

VPN (Virtual Private Network)
 A remote computer can connect to the Internet using an arbitrary Internet Service Provider (ISP) and have an IP address in the Internet
 The VPN client software on the remote computer exchanges data through an encrypted tunnel with a dedicated VPN server at CERN
 The remote computer acts as if it were on the CERN Intranet and can run applications transparently through the tunnel

Securing VPN Client access
 Protect the computer
  - Anti-virus updated at least daily (for Windows PCs)
  - Operating system and installed applications kept secure for all known security holes
  - Firewall for home computers with permanent connections (e.g. ADSL)
  - System restricted to only run essential applications: games, music and freely copied software are targets for viruses
 Protect the account & password
  - Require registration (no default access)
  - Verify that VPN passwords cannot be cracked
  - Require at least 128-bit encryption
  - Limit unsuccessful login attempts
CERN's VPN Security Requirements are at:

Summary
 Avoid direct off-site Internet access for control systems
  - Use the technical network or TCP/IP Connectivity = NONE
  - Discuss requirements with the Campus Network team
 Configure control systems securely and apply patches in a timely fashion
  - The balance between stability and risk needs to take account of almost weekly on-site intrusions
 Provide remote access via independent systems with strict security and clearly defined interaction with control systems
  - Implement user-level access controls and logging
  - LXPLUS and VPN servers provide remote access to CERN; enhanced solutions may be needed for the LHC era