Problems to Overcome: Implementation Issues at CERN. Dr. Stefan Lüders (CERN Computer Security Officer), (CS)²/HEP Workshop, Kobe (Japan), October 11th 2009.


Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20 February 2007 ― “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11th 2009

Overview

Why worry?

LHC First Beam Day
Hmm… A defaced web page at an LHC experiment… A “flame” message to some Greek “competitors”… …on 10/09/2008: Just coincidence?

Violation of Basic Principles!
► Configuration well documented in Google…
► Neglected “Rule of Least Privilege”: everyone could upload whatever he/she wants…
► Lack of input validation & sanitization

Defense-in-Depth

Separate Networks
Deploy different networks for different purposes:
► …for accelerator, experiments, offices
► …no Internet connectivity
► …controlled remote access
► …no wireless nor (GPRS) modems
However:
► LHC status data needs to be transmitted to experiments (e.g. run info)
► Informational web-sites need to be visible to the inside and outside (logbooks, status pages, expert instructions)
► Developers need sufficient access for further development & debugging (“This is an all-time, permanent prototype.”)
► Laptops needed in vast underground areas for commissioning
► Some remote sites are not connected by the “right” network (or at all)

Patch, Patch, Patch!!!
(Picture: hacked oscilloscope at CERN, running Win XP SP2 unpatched)
Ensure prompt security updates:
► Pass flexibility and responsibility to the experts
► They decide when to install what on which control PC
► Integrate resilience to rebooting PCs
► NOT patching is NOT an option
► Harden systems (e.g. with firewall, AV)
However:
► Under pressure, priorities are different
► Many sensitive systems need a proper maintenance schedule – rare now!
► Oscilloscopes might be patched, but lack proper procedures issued by the corresponding vendor…
► “Cry Wolf”: more downtime due to patching than due to attacks…
► Lack of test & connection procedures for 3rd-party PCs

Control (Remote) Access
“At CERN, several Windows control PCs were compromised... Analysis indicated that a [THIRD PARTY CONTROLS SOFTWARE] installed silently an MS-SQL database account and left the password empty by default...” (Not at CERN)
Follow the “Rule of Least Privilege”:
► Restrict all access to a minimum
► Ensure traceability (who, when, and from where)
► Deploy a role-based access system
However:
► Typing passwords vs. convenience
► Is “I know you” an authentication factor?
► Developers need elevated privileges
► “Rule of Least Privilege” not always known/followed, e.g. when publishing data
► Difficult to integrate commercial hardware
► Remote access for too many developers and experts is a nightmare

Increase Robustness
“Your software license has expired.” (Not at CERN) (Picture: CERN 2007)
Protecting PLCs and other controls devices:
► Run vulnerability tools on everything
► Harden configuration settings
► Deploy additional protective measures if needed (VPN, ACL, …)
However:
► Protection difficult in “mesh-type” inter-communications…
► …and under complex dependencies
► Vulnerability scans can do harm!
► Hardening not always supported by the system
► Lack of integrated access control inside the device is challenging!

Review Development Life Cycle
(Picture: a Boeing 777 uses similar technologies to process control systems)
Review procedures for
► …development of hardware & applications
► …testing & deployment
► …operation
► …maintenance & bug fixing
► Use software versioning systems, configuration management, and integration frameworks (CVS, SVN, Git)
However,
► Lack of proper test-benches which are 100% realistic & cover all aspects (“This is an all-time, permanent prototype”)
► (Secure) Software Development Life-Cycles require a change of culture
► Static source code analysers & code reviews are necessary… but either only for low-hanging fruit, or expensive!

Foster Collaboration & Policies
Make security an objective
► Get management buy-in (security has a cost – successful attacks, too)
Bring together control & IT experts:
► Win mutual trust
► Gain synergy effects
Train users and raise awareness
However:
► Difficult to get buy-in when developers & management are under pressure
► Old (negative) feelings and perceptions are difficult to eradicate
► Duplication of services is part of the “academic freedom”

Force the Vendors on Board
Manufacturers and vendors are part of the solution!
► Security demands must be included in orders and calls for tender (“Procurement Language” document)
► “… collective buying power to help ensure that security is integrated into SCADA systems.”
However:
► This will increase the visible costs
► Who takes the responsibility?
► Manufacturers not always prepared to handle such demands
► What if no vendor will/can deliver?

Summary

Thank you very much!!!
Quiz: Which link leads to ?
► %2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d
► co_partnerid=2&usage=0&ru=http%3A%2F%2Fwww.ebay.com&rafId=0&encRafId=default
►
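The quiz turns on how a browser reads a link whose host is percent-encoded or preceded by user-info. The following checker, added here as an example and not part of the slides, decodes the host the way the browser will and flags the tricks; the sample links are constructed from the quiz fragments, with the leading "10" octet, the "www.ebay.com@" user-info prefix and the "/signin" path being assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample links modelled on the quiz slide. The encoded ".138.137.177"
# fragment and the ru=...ebay.com query come from the slide; the "10" octet, the
# "www.ebay.com@" prefix and the "/signin" path are assumptions for this example.
SAMPLE_LINKS = [
    "http://www.ebay.com@10%2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d",
    "http://www.ebay.com/signin?co_partnerid=2&usage=0"
    "&ru=http%3A%2F%2Fwww.ebay.com&rafId=0&encRafId=default",
]

# Query keys commonly used to carry a post-login redirect target.
REDIRECT_KEYS = ("ru", "url", "redirect", "next", "return")


def analyse_link(url: str) -> dict:
    """Return the host a browser would really contact, plus warning flags."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    host = unquote(raw_host)            # browsers decode %xx before resolving
    flags = []
    if host != raw_host:
        flags.append("host is percent-encoded")
    if parts.username is not None:      # text before '@' is user-info, not the host
        flags.append(f"user-info '{parts.username}' disguises the real host")
    try:
        ipaddress.ip_address(host)
        flags.append("destination is a bare IP address")
    except ValueError:
        pass
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_KEYS:
            flags.append(f"redirect parameter {key} -> {values[0]}")
    return {"url": url, "host": host, "flags": flags}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = analyse_link(link)
        print(report["host"], "|", "; ".join(report["flags"]) or "no flags")
```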