TS workshop 2004, U. Epting, M.C. Morodo Testa - TS department: Improving Industrial Process Control Systems Security. Uwe Epting (TS/CSE), Maria Carmen Morodo.

Presentation transcript:

Slide 1: Improving Industrial Process Control Systems Security
Uwe Epting (TS/CSE)
Maria Carmen Morodo Testa (TS/CV)

Slide 2: Security Problems
General: EVERY computer connected to a network is exposed to security risks!
2 types of threats
- Accidental "attacks"
    - Human errors
    - Security scans
- Malicious attacks
    - Aggression
        - Login/passwords stolen
        - Sabotage
        - Switching equipment on or off
    - Viruses and worms
        - Automatic propagation
        - Data damage or manipulation
        - Denial of service attacks

Slide 3: Hardware
Servers
- Mostly UNIX based (HP-UX, Solaris, Linux)
- Very important for service, critical component
- Less risk for attacks (today!)
PCs
- Windows or Linux
- Widely used
- Very high risk
- Frequent updates and patches necessary
PLCs and I/O cards
- Very robust
- Little protection possible (today)

Slide 4: Network
Ethernet at CERN
- General purpose network
    - Very hostile and exposed to outside world
    - Frequent attacks from outside
- Technical network
    - Only accessible inside CERN
    - BUT: connected to General Purpose network (today)
- "Private" networks
    - Profibus
    - Modbus

Slide 5: Guidelines
CERN wide
- Operational Circular No 5
    - Accepted by every computer user at CERN
- Security guidelines
    - CERN's Computer Security Recommendations
    - Password Recommendations at CERN
    - Risks and how you can help to reduce them

Slide 6: Control System Issues
Awareness campaign
- Risk
- Impacts
- Solutions
Review critical systems
- Network segregation
- Firewalls
- Remote access through terminal servers
- Monitoring
Project engagement
- Commitment from the beginning

Slide 7: Strategy
1. Understand the risk and engage projects early
2. Implement Quick Win security improvements
3. Manage third party risks
    - Vendors
    - Integrators
4. Establish security governance and response capability
5. Raise awareness and skills
6. Implement Long Term improvements
    - Network segregation, etc.

Slide 8: Example: LHC ventilation
1. Migration of LEP control system into LHC configuration
    - ~100 PLCs (+ ~50 micro-PLCs)
    - Motivations for upgrade:
        - Migration of the process control to the LHC functionality
        - Integration of systems
        - Replacement of obsolescent hardware and software
        - Recover and document the system know-how
2. Integration of control equipment for new LHC structures
    - ~25 new PLCs (+ ~125 new micro-PLCs)
3. Inter-point communication and CCC remote monitoring
    - 8 new master PLCs + 8 new SCADA platforms

Slide 9: Technical Option #1
Every PLC is connected to the CERN TCP/IP network
[Diagram: master PLCs P1 to P8 and the PLCs #i, #j of each LHC point, all attached to the CERN TCP/IP Technical Network]

Slide 10: Technical Option #2
Every PLC is connected to a dedicated industrial fieldbus
At each LHC point, only the master PLC is connected to the TCP/IP network
[Diagram: master PLCs P1 to P8 attached to the CERN TCP/IP Technical Network; the PLCs #i, #j, #k of each LHC point attached to their master over a Profibus DP fieldbus]

Slide 11: Technical Options
[Diagrams: Slave i, Master (SU) and SCADA (SU) on the CERN TCP/IP Technical Network; the same layout with Slave i attached over Profibus DP]
Requirement / constraint, rated for DP and for TCP, with the need (ESS, Essential; DES, Desirable):
- Availability: Very Good; need ESS
- Security: DP Good, TCP Needs plan; need ESS
- Remote accessibility (to slave PLCs): DP Good, TCP Very Good; need DES
- Project scheduling (time constraint): Good; need ESS
- Cost efficiency: Good; need ESS
Understand the risk: vulnerability increases with number of network connections
Quick win improvement: Profibus DP allows a compromise between openness and engagement to secure process control
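An added example, not part of the presentation: a short Python audit that checks a PLC inventory against technical option #2 (slave PLCs only on Profibus DP, one master PLC per LHC point bridging to the TCP/IP network) and counts the PLCs exposed on TCP/IP per point. The device names, the inventory layout and the "exactly one bridging master per point" rule are assumptions made for illustration.

```python
from collections import Counter

TCPIP, FIELDBUS = "tcpip", "profibus-dp"

# Constructed inventory (hypothetical names): (PLC, LHC point, role, attached networks)
INVENTORY = [
    ("master-p1", "P1", "master", {TCPIP, FIELDBUS}),
    ("plc-i-p1",  "P1", "slave",  {FIELDBUS}),
    ("plc-j-p1",  "P1", "slave",  {FIELDBUS, TCPIP}),  # drifted back to option #1
    ("master-p2", "P2", "master", {TCPIP, FIELDBUS}),
    ("plc-i-p2",  "P2", "slave",  {FIELDBUS}),
    ("plc-i-p3",  "P3", "slave",  {FIELDBUS}),         # point with no master recorded
]

def audit(inventory):
    """Return (findings, PLCs on TCP/IP per point) for an option #2 layout."""
    findings = []
    exposure = Counter()          # vulnerability grows with this number
    bridging_masters = Counter()
    points = set()
    for name, point, role, nets in inventory:
        points.add(point)
        if TCPIP in nets:
            exposure[point] += 1
        if role == "slave":
            if TCPIP in nets:
                findings.append((name, "slave PLC attached to TCP/IP network"))
            if FIELDBUS not in nets:
                findings.append((name, "slave PLC missing from Profibus DP fieldbus"))
        elif role == "master":
            if {TCPIP, FIELDBUS} <= nets:
                bridging_masters[point] += 1
            else:
                findings.append((name, "master PLC does not bridge TCP/IP and fieldbus"))
        else:
            findings.append((name, f"unknown role {role!r}"))
    for point in sorted(points):
        if bridging_masters[point] != 1:
            findings.append(
                (point, f"{bridging_masters[point]} bridging master PLCs, expected 1"))
    return findings, dict(exposure)

if __name__ == "__main__":
    findings, exposure = audit(INVENTORY)
    for subject, problem in findings:
        print(f"{subject}: {problem}")
    print("PLCs on TCP/IP per point:", exposure)
```
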

Slide 12: Operational Aspects
Access to process control PLCs is now restricted -> Provisions are made to avoid limitations on the operational features
Local operation
1. An operation panel at each process control cubicle
2. A supervision application at each LHC point (SUi)
3. Local operation is possible from a laptop computer connected to the Profibus DP network (only intended for maintenance)
Remote operation
1. TIM interfaces with the master PLC at each LHC point
2. Transmission of some relevant alarms and data from each LHC point by the means of a 2nd path (MMD)
3. Supervision application (SCADA) mimic diagrams web-published for remote information of operation teams

Slide 13: Conclusion
- Security issues are becoming a serious problem also at CERN
- "Quick Win" solutions do not require major investments if considered already in the design phase
- "Long-Term" solutions require clear CERN wide guidelines and regulations for the implementation of control systems
- Strategy to keep the systems up-to-date must be settled from the beginning
- Continuous follow-up is needed to ensure secure O&M within the available and often limited resources

Slide 14: Questions?