Computing and Network Infrastructure for Controls (CNIC)
Uwe Epting on behalf of the CNIC-WG

Outline:
– Context
– Why CNIC?
– What is CNIC?
– CNIC Phases and Definitions
– CNIC Status and Manpower
– Conclusion

11 October 2005, CNIC at ICALEPCS, Uwe Epting, CERN, TS/CV

Context
Control systems:
– Increasing use of standard IT equipment
  Before: specific hardware and software solutions
  Today: workstations and PCs; Windows or Linux operating systems
– Increasing use of standard networks (Ethernet, TCP/IP)
  Before: private networks and fieldbuses
  Today: large use of Ethernet and remote monitoring, also for control systems

Why CNIC?
Security problems:
– Increasing risk of virus infections
– Instabilities due to port scans or denial-of-service (DoS) attacks
– Access and equipment manipulation by error (e.g. wrong IP address)
– Old, insecure equipment: no security implemented; security updates not available
– Time constraints: stopping equipment to apply patches is not always possible; a large number of devices need to be updated at the same time
Beam and physics operation relies on a stable and secure environment.

What is CNIC?
– Working group delegated by the CERN Controls Board; the mandate covers only control systems, not office computing
– Working group for the definition of a CERN-wide security policy:
  CERN-wide networking aspects
  Operating system configuration (Windows and Linux)
  Services and support
– Members should cover all CERN controls domains and activities:
  Service providers (mainly IT department)
  Service users (mainly Accelerator and Technical departments)

CNIC mandate
– Tools for system maintenance (NICEFC and LINUXFC).
– Tools for setting up and maintaining many different Controls Network domains. A domain is defined to be a collection of systems under a single management responsibility.
– Rules and policies for what can be connected to a domain and an authorization procedure. For example, this should cover wireless communications and portable computers.
– Ground rules, policies and mechanisms for inter-domain communications.
– Ground rules, policies and mechanisms for communications between controls domains and the Campus Network (and hence the Internet).
– Document all domains of use and in each case obtain from the group(s) concerned the name of the person designated to have technical responsibility, the person with hierarchical responsibility for giving the necessary authorization, and their backups.
– Investigate with help from IT/CS what technical means could be provided to ensure the defined policies are complied with, and propose an implementation plan.

CNIC Phases
Phase I – Requirements and Definitions (operating system, network); Phase II – Implementation; Phase III – Operation. Timeline markers on the slide: 09/2004, 01/2005, 07/…, …/2006.

Phase I – CNIC policy: "Design, Setup and Operation of the CERN Control System Environment"
– Description of concepts
– Definition of terms
– Definition of policies
Main chapters:
– Security Policy
– Networking
– Operating System and Tools
– Services

Security Policy
– Network domains: physical network segregation + Functional Sub-Domains (FSD)
– Hardware devices: no USB, modems, CDs, wireless, …
– Operating system: central installation + strategy for security patches
– Software: development guidelines, installation and test procedures
– Logins and passwords: traceability, no generic accounts, strong passwords
– Training
– Security incidents and reporting

Networking
– General Purpose Network (GPN): desktop computing, testing, access from outside, …
– Technical and Experiment Network (TN and EN): only operational devices; authorization procedure
– Inter-domain communications: application gateways + trusted services
– Network monitoring and intrusion detection: performance and statistics; disconnection on "breakpoints"
– Testing: TOCSSiC (hostile network environment)

Operating System and Tools
– NICEFC and LINUXFC: centrally managed and distributed. Today: Windows XP SP2 (NICE XP), Scientific Linux CERN 3 (SLC3)
– Named Set of Computers (NSC): groups of computers with identical basic configuration. Responsible persons will be contacted in case of emergency and if security patches etc. need to be applied.
– Configuration: version management database covering the operating system (LINUXFC or NICEFC) and user-defined software packages (e.g. PVSS, …); rollback to a previous version is possible

Services
– Operation and maintenance: IT support for standard equipment, network connections (24h/day, 365 days/year), operating system installation, security patches
– Test environment: vulnerability tests (TOCSSiC); integration tests (a test bench per domain is necessary)
– Hardware support: standard PCs (e.g. office); "industrial" PCs (a few models should cover most requirements)

Phase II: Implementation
Deployment of the CNIC policy. The slide shows a timeline (markers 09/2004, 01/…, …/2005, 01/2006, 07/2006) with these tracks:
– CNIC Policy: approval, awareness campaign, training on policy and tools, deployment
– NICEFC, LinuxFC, Networking: specifications, development, pilot (implementation of tools for configuration, management and maintenance)
– WTS: installation of Windows Terminal Servers, pilot, operation
– User training

CNIC Manpower
The slide shows a month-by-month chart from 09/2004 to 07/2006 with these tracks: CNIC policy (awareness campaign, approval, deployment, CNIC policy in operation); specification, development, pilot and operational tools for NETWORK, LINUXFC and NICEFC; WTS (install, pilot, operation); training on CNIC policy and tools.
Manpower proposals:
– Packaging support (NICEFC, LINUXFC): IT, 1 person (missing)
– WTS installation and support: IT, 1 person (planned)
– CNIC operation (administration, user support): domains, foresee 1 person per domain
– Tools development and support (listed on the slide for each of NETWORK, LINUXFC and NICEFC): IT, 3 persons assigned to IT

Conclusion
– Awareness and acceptance for changes is very important: investment vs. advantages
– Decisions and proposals must be backed up by management: availability of manpower and resources
– Very constructive attitude in the CNIC-WG, once people understood the reasons
– Many technical questions and reservations from the "users": treated as use cases; must be answered with real, practical solutions!
– Difficult to get acceptance before tools and examples can be shown.

Questions?
Check the CNIC website for more information.

CNIC members
TS:
– Uwe EPTING - TS/CSE
– Søren POULSEN - TS/EL
AB:
– Pierre CHARRUE - AB/CO
– Mike LAMONT - AB/OP
– Patrick LIENARD - AT/MAS
IT/CO:
– Bruce FLOCKHART - IT/CO
– Stefan LÜDERS - IT/CO
Experiments:
– Beat JOST - PH-LBC
– Guiseppe MORNACCHI - PH/ATD
– Martti PIMIÄ - PH/CMC
– Peter CHOCHULA - PH/AIT
Network:
– David FOSTER - IT/CS
– Jean-Michel JOUANIGOT - IT/CS
– Nils HØIMYR - IT/CS
– Nuno CERVAENS COSTA - IT/CS
NICEFC:
– Alberto PACE - IT/IS
– Ivan DELOOSE - IT/IS
LINUXFC:
– Jan IVEN - IT/ADC
– Matthias SCHRÖDER - IT/ADC
Security:
– Denise HEAGERTY - IT/DI
– Lionel CONS - IT/DI

Computing and Network Infrastructure for Controls CNIC Uwe Epting on behalf of the CNIC-WG

Use Case 1 - Office connection
Connection to a controls monitoring system (e.g. PVSS) from an office PC:
– Connect to an application gateway (e.g. Windows Terminal Server).
– Open a session to the application (e.g. PVSS), which connects to the controls machine and the PLCs.

Use Case 2 - Sensitive equipment
Vulnerable devices (e.g. PLCs) must be protected against security risks from the network:
– Group them in Functional Sub-Domains (FSD)
– Access is only possible from the host system that controls them
– External access to the host system goes via the application gateway
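The two use cases above describe one flow policy: office PCs on the GPN reach the controls domain only through an application gateway, the gateway opens a trusted service on the controls host, and PLCs in a Functional Sub-Domain accept traffic only from the host that controls them. The following Python is an added example written for this page, not CNIC's own tooling or a CERN ruleset; the zones, addresses and ports (a 10.0.0.0/16 GPN, a 10.1.0.0/16 TN, RDP on 3389, an assumed PVSS port and an assumed PLC port) are constructed assumptions. It encodes the policy as a first-match, default-deny evaluator that a practitioner can run against proposed flows before committing equivalent rules to a gateway or firewall.

```python
"""Flow-policy check for the CNIC use cases (added example, constructed addressing)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed zones (assumptions for the example, not CERN's addressing).
GPN = ipaddress.ip_network("10.0.0.0/16")        # General Purpose Network (office PCs)
TN = ipaddress.ip_network("10.1.0.0/16")         # Technical Network (controls domain)
FSD_PLCS = ipaddress.ip_network("10.1.50.0/24")  # Functional Sub-Domain holding the PLCs
GATEWAY = ipaddress.ip_address("10.1.0.10")      # application gateway (e.g. Windows Terminal Server)
FSD_HOST = ipaddress.ip_address("10.1.1.20")     # host system that controls the FSD's PLCs

RDP_PORT = 3389    # terminal-server session from the office PC to the gateway
PVSS_PORT = 4999   # assumed port of the supervisory application on the controls host
PLC_PORT = 102     # assumed port used by the controls host to talk to its PLCs

# "Trusted services": the only inter-domain connections allowed besides the gateway hop.
TRUSTED_SERVICES = {
    (GATEWAY, FSD_HOST, PVSS_PORT),  # gateway session opens the application on the host
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def decide(flow: Flow) -> Tuple[bool, str]:
    """First-match evaluation; anything not explicitly allowed is denied."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    # Use case 2: devices in an FSD are reachable only from their controlling host.
    if dst in FSD_PLCS:
        if src == FSD_HOST and flow.dport == PLC_PORT:
            return True, "fsd: controlling host -> PLC"
        return False, "fsd: only the controlling host may reach the PLCs"

    # Use case 1: the GPN reaches the controls domain only via the application gateway.
    if src in GPN and dst in TN:
        if dst == GATEWAY and flow.dport == RDP_PORT:
            return True, "gpn -> application gateway"
        return False, "gpn: no direct access to controls machines"

    # Inter-domain traffic inside the TN is limited to the declared trusted services.
    if (src, dst, flow.dport) in TRUSTED_SERVICES:
        return True, "trusted service"

    return False, "default deny"


def denied(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return the flows the gateway/firewall must block, with the reason."""
    return [(f, reason) for f in flows if not (result := decide(f))[0] for reason in [result[1]]]


def office_path_ok(office_pc: str) -> bool:
    """Check the full use-case-1 path: office -> gateway -> controls host -> PLC,
    and that the office PC cannot short-cut to the host or the PLCs."""
    hops = [
        Flow(office_pc, str(GATEWAY), RDP_PORT),
        Flow(str(GATEWAY), str(FSD_HOST), PVSS_PORT),
        Flow(str(FSD_HOST), "10.1.50.5", PLC_PORT),
    ]
    shortcuts = [
        Flow(office_pc, str(FSD_HOST), PVSS_PORT),
        Flow(office_pc, "10.1.50.5", PLC_PORT),
    ]
    return all(decide(h)[0] for h in hops) and not any(decide(s)[0] for s in shortcuts)


if __name__ == "__main__":
    sample = [
        Flow("10.0.5.7", "10.1.0.10", RDP_PORT),   # office PC -> gateway
        Flow("10.0.5.7", "10.1.50.5", PLC_PORT),   # office PC -> PLC (must be blocked)
        Flow("10.1.0.10", "10.1.50.5", PLC_PORT),  # gateway -> PLC (must be blocked)
        Flow("10.1.1.20", "10.1.50.5", PLC_PORT),  # controlling host -> PLC
    ]
    for flow, reason in denied(sample):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
    print("office path ok:", office_path_ok("10.0.5.7"))
```

Rule order matters: the FSD rule is evaluated first so that a later, broader allow (such as a trusted service) can never be used to reach a PLC from anywhere but its controlling host, and the final default deny means a flow that nobody thought to declare is blocked rather than silently permitted.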