CEBAF Control System Access

Presentation on theme: "CEBAF Control System Access"— Presentation transcript:

1 CEBAF Control System Access
Anthony Cuffe

2 What is ACE?
The Accelerator Computing Environment (ACE) is a collection of network segments (enclaves and fiefdoms) maintained by the Accelerator Computing Group (ACG) dedicated to the control and support of Accelerator Operations.
This includes isolated, self-sufficient fiefdoms and specialized computing enclaves dedicated to the:
- Control of Accelerator operations (CEBAF)
- Control of LERF, SRF and ITF operations
- Support of End Station operations
- Development of controls software and hardware related to these facilities
This also includes several non-isolated enclaves for:
- User desktops for Accelerator and Engineering support staff
- Windows Terminal Servers
- Site-Wide Services (logbooks, database, web services, …)

3 Network Segmentation/Isolation
Segmentation of our fiefdoms/enclaves from the rest of the site is implemented through network based ACLs and firewalls.
Access to the external internet is only allowed on non-operational networks:
- acenet (ACE Desktop Enclave)
- wintsnet (Windows Terminal Server Network)
Systems are grouped together in special networks by function to simplify firewall/ACL rules:
- Fiefdoms: opsnet, devnet, srfnet, …
- Special Networks: bkupnet, accupsnet, consrvnet, cagwnet, …
- Protection of vulnerable systems: plcnet, opsiocnet

4 Network Segmentation (CNI to ACE)

5 Remote Access – Two Factor
- Access from the outside is only allowed via ssh through a gateway system (acclogin).
- Remote logins (ssh) to Accelerator systems require two-factor authentication using crypto-tokens generated from a smartphone app or CRYPTOCard keyfob.
- Management and assignment of the CRYPTOCards are done by both ACE and CNI:
  - Faster response to user issues
  - Tighter control over users with ACC access
- A separate Accelerator login account is also required to access the control system.

6 Physical Security
- All critical and sensitive Accelerator systems reside within the confines of the Accelerator Site, which is a fenced area with controlled access.
- All personnel must be badged.
- Access to specific areas is controlled by badge readers (CANS) that authorize entry only to those staff and users that have appropriate training and access privileges.
- Access is controlled by physical locks where CANS is not available.
- Access is logged and video taped in sensitive areas (MCC Datacenter).
- Backup systems and media are always kept under lock and key, and backups are stored in an off-site safe.
- Visitors must have an escort.

7 User and Group Accounts
- Individuals access and manipulate the control system using their own accounts.
- General purpose logins (group accounts) are avoided whenever possible and are normally utilized only for long-running services.
- General purpose logins are controlled and logged using sudo.
- Local accounts are avoided at all costs.
- Passwords are changed at least every 6 months (enforced through Kerberos).
- User auditing is done continuously.

8 EPICS – Channel Access Security
- Almost all ACC Control/SCADA systems are based on EPICS.
- Channel Access is the command-and-control communication protocol used by EPICS:
  - Provides the security layer for EPICS.
  - Allows users to read, write and monitor real-time data from low-level controls.
  - Allows for host and user based access control (read and write).

9 CA Security Measures
- Controlled by network based ACLs/firewalls in, out and between ACE networks.
- Read-access is granted to all users on local networks and made available to external networks through CA gateways.
- Write-access during operational periods is authenticated by user (operations staff only) and host computer (strictly managed):
  - Short-term access for non-operator support staff can be granted by the Crew Chief.
  - Specially trained experts (MAC) can also be granted pre-defined, limited access by the Crew Chief with a short expiration.
  - Approved Operators and MAC users are designated by the OPS group leader.
- Write-access during non-operational periods is authenticated by host computer only (open channel access).
- Physical access controls are employed for Controls hardware.
- All control system writes are logged (caputlog and splunk).
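The read/write policy of slides 8 and 9 (read for everyone, writes by approved users from managed hosts during operations, host-only outside operations, every write logged) written out as an EPICS Access Security Configuration (.acf) file. This is an added example, not CEBAF's own configuration; the user names, host names, the OPS:MODE process variable and the MACLIMITED group are assumptions.

```acf
# Added example of an EPICS Access Security Configuration file (.acf).
# Not CEBAF's configuration: all user names, host names and the
# OPS:MODE process variable are assumed for illustration.

# User access groups: approved operators, and MAC experts with limited access.
UAG(ops)  {opsuser1, opsuser2}
UAG(mac)  {macexpert1}

# Host access group: the strictly managed operator consoles.
HAG(opshosts) {opsws1, opsws2}

# DEFAULT applies to every record whose ASG field is not set to another group.
ASG(DEFAULT) {
    # INPA links to an assumed mode PV: 1 = operational period, 0 = otherwise.
    # CALC() in a rule reads it as A; the rule only applies when CALC is non-zero.
    INPA("OPS:MODE")

    # Read access for everyone; CA gateways re-export this read-only view.
    RULE(1,READ)

    # Operational period: a write needs BOTH an approved user (UAG)
    # AND a managed host (HAG). TRAPWRITE passes each write to caPutLog.
    RULE(1,WRITE,TRAPWRITE) {
        UAG(ops)
        HAG(opshosts)
        CALC("A=1")
    }

    # Non-operational period: host-only authentication, still logged.
    RULE(1,WRITE,TRAPWRITE) {
        HAG(opshosts)
        CALC("A=0")
    }
}

# Records placed in this group (ASG field = "MACLIMITED") accept writes from
# MAC experts during operations, again only from managed hosts.
ASG(MACLIMITED) {
    INPA("OPS:MODE")
    RULE(1,READ)
    RULE(1,WRITE,TRAPWRITE) {
        UAG(mac)
        HAG(opshosts)
        CALC("A=1")
    }
}
```

The user and host names that Channel Access matches against UAG/HAG are the strings the client asserts when it connects, which is why the slides pair this layer with network ACLs, strictly managed hosts and separate Accelerator login accounts rather than relying on it alone.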

10 ?