Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003.

Published byAdrian Palmer Modified over 8 years ago

Similar presentations

Presentation on theme: "Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003."— Presentation transcript:

1 Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003

2 Incident Summary, 2000-2002 200020012002 Incident Type 165931 System compromised (intruder has control) security holes in software (e.g. ssh, ftp, telnet, ICQ,…) 864225 Compromised CERN accounts sniffed or guessed passwords 91121 Serious Viruses several new viruses are released each day 181321 Unauthorised use of file servers insufficient access controls 91516 Serious SPAM incidents CERN email addresses are regularly forged 17119 Miscellaneous security alerts 155151123 Total Incidents

3 Conclusions  Intruders or serious viruses were detected on a total of 77 CERN systems during 2002 Firewall blocks many attempts per day Intrusions succeed almost weekly  Security patches for all software need to be applied in a timely fashion A balance is needed between risk and stability, but for systems directly exposed outside the firewall the risk is extremely high (the patch may come too late)  Exposing sensitive systems (e.g. controls) directly outside the firewall is a recipe for disaster They will be targeted continually by hostile code, which even if unsuccessful, has a performance and stability impact

4 Recommendations for remote access to control systems  Strictly limit access to a minimal set of clearly identified and authorised users Individual usernames are essential even if software or data is shared Logs of connections and actions are needed for incident identification and correction  Provide remote access via independent systems Separate remote access from the control systems and clearly define the interaction to reduce risks Ensure sufficient security on the remote access systems Minimal configuration which can be exposed in the firewall at low risk Active management and monitoring with timely patches applied LXPLUS and VPN servers offer remote access to CERN A remote access service dedicated to control systems may be required for strengthened security in the LHC era

5 Solutions for Remote Access  Control screens and applications can be managed remotely via encrypted tunnels Locally installed applications encrypted inside SSH (http://cern.ch/security/ssh/encrypt_connections.htm)http://cern.ch/security/ssh/encrypt_connections.htm VNC (Virtual Network Computing) encrypted inside SSH (http://cern.ch/security/ssh/encrypt_vnc.htm)http://cern.ch/security/ssh/encrypt_vnc.htm CERN VPN encrypted connections (http://cern.ch/vpn) allow remote computers to connect as if running on the CERN Campus Networkhttp://cern.ch/vpn

6 Encrypting applications with SSH  An application(s) on the remote workstation is configured to connect locally to ssh  Ssh is configured to route the local client application to a CERN server application  An ssh connection is opened to CERN (e.g. lxplus) and the client application is launched as if running at CERN.

7 VPN (Virtual Private Network)  A remote computer can connect to the Internet using an arbitrary Internet Service Provider (ISP) and have an IP Address in the Internet.  The VPN client software on the remote computer exchanges data through an encrypted tunnel with a dedicated VPN server at CERN  The remote computer acts as if it was on the CERN Intranet and can run applications transparently through the tunnel

8 Securing VPN Client access  Protect the computer Anti-virus updated at least daily (for Windows PCs) Operating system and installed applications kept secure for all known security holes Firewall for home computers with permanent connections (e.g. ADSL) System restricted to only run essential applications games, music and freely copied software are targets for viruses  Protect the account & password Require registration (no default access) Verify that VPN passwords cannot be cracked Require at least 128 bit encryption Limit unsuccessful login attempts CERN’s VPN Security Requirements are at: http://cern.ch/vpn/security CERN’s VPN Security Requirements are at: http://cern.ch/vpn/security

9 Summary  Avoid direct off-site Internet access for control systems Use technical network or TCP/IP Connectivity = NONE Discuss requirements with Campus Network team  Configure control systems securely and apply patches in a timely fashion The balance between stability and risk needs to take account of almost weekly on-site intrusions  Provide remote access via independent systems with strict security and clearly defined interaction with control systems Implement user level access controls and logging LXPLUS and VPN servers provide remote access to CERN. Enhanced solutions may be needed for the LHC era.

Download ppt "Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003."

Similar presentations

Computer Security set of slides 10 Dr Alexei Vernitski.

Computer Security set of slides 10 Dr Alexei Vernitski.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Support for Windows 7 Chapter 2 Securing and Troubleshooting Windows 7.

Support for Windows 7 Chapter 2 Securing and Troubleshooting Windows 7.
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Firewall Configuration Strategies

Firewall Configuration Strategies
Chapter 12 Network Security.

Chapter 12 Network Security.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 14 Remote Access.

MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 14 Remote Access.
Getting Connected to NGS while on the Road… Donna V. Shaw, NGS Convocation.

Getting Connected to NGS while on the Road… Donna V. Shaw, NGS Convocation.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

Similar presentations

Ads by Google