Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computing and Network Infrastructure for Controls CNIC Context? Why CNIC? What is CNIC? CNIC Phases and Definitions CNIC Status and Manpower Conclusion.

Published bySheryl Carroll Modified over 8 years ago

Similar presentations

Presentation on theme: "Computing and Network Infrastructure for Controls CNIC Context? Why CNIC? What is CNIC? CNIC Phases and Definitions CNIC Status and Manpower Conclusion."— Presentation transcript:

1 Computing and Network Infrastructure for Controls CNIC Context? Why CNIC? What is CNIC? CNIC Phases and Definitions CNIC Status and Manpower Conclusion Uwe Epting on behalf of the CNIC-WG

2 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV2 Context Control Systems –Increasing use of standard IT equipment Before –Specific hard- and software solutions Today: –Workstations and PCs –Windows or Linux operating systems –Increasing use of standard networks (Ethernet, TCP/IP) Before –Private networks and fieldbuses Today –Large use of Ethernet and remote monitoring also for control systems

3 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV3 Why CNIC? Security problems –Increasing risk of virus infections –Instabilities due to port scans or denial of service attacks (DOS) –Access and equipment manipulation by error (e.g. wrong IP address) –Old “unsecure” equipment No security implemented Security updates not available –Time constraints Equipment stop not always possible for applying patches Important number of equipment needs to be updated at the same time Beam and physics operation relies on a stable and secure environment

4 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV4 What is CNIC? –Working Group delegated by the CERN Controls Board Mandate covers only control systems, not office computing –Working group for the definition of CERN wide security policy CERN wide networking aspects Operating systems configuration (Windows and Linux) Services and support –Members should cover all CERN controls domains and activities Service providers (mainly IT department) Service users (mainly Accelerator and Technical Departments)

5 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV5 CNIC mandate Tools for system maintenance (NICEFC and LINUXFC). Tools for setting up and maintaining many different Controls Network domains. A domain is defined to be a collection of systems under a single management responsibility. Rules and policies for what can be connected to a domain and an authorization procedure. For example, this should cover wireless communications and portable computers. Ground rules, policies and mechanisms for inter-domain communications. Ground rules, policies and mechanisms for communications between controls domains and the Campus Network (and hence the Internet). Document all domains of use and in each case obtain from the group(s) concerned the name of the person designated to have technical responsibility, the person with hierarchical responsibility for giving the necessary authorization and their backups. Investigate with help from IT/CS what technical means could be provided to ensure the defined policies are complied with, and propose an implementation plan.

6 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV6 Requirements and Definitions Operating System Network I CNIC Phases ImplementationOperation IIIII Phase I - CNIC policy: –“DESIGN, SETUP AND OPERATION OF THE CERN CONTROL SYSTEM ENVIRONMENT” Description of concepts Definition of terms Definition of policies Main Chapters - Security Policy - Networking - Operating System and Tools - Services 09/200401/200507/2005 01/2006

7 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV7 Security Policy Network Domains –Physical network segregation + Functional Sub-Domains (FSD) Hardware Devices –No USB, modems, CDs, wireless … Operation System –Central installation + Strategy for security patches Software –Development guidelines, installation and test procedures Logins and passwords –Traceability, no generic accounts, strong passwords Training Security Incidents and Reporting

8 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV8 Networking General Purpose Network (GPN) –Desktop Computing, testing, access from outside, … Technical and Experiment Network (TN and EN) –Only operational devices –Authorization procedure Inter domain communications –Application Gateways + Trusted services Network monitoring and intrusion detection –Performance and statistics –Disconnection on “breakpoints” Testing –TOCSSiC (hostile network environment)

9 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV9 Operating System and Tools NICEFC and LINUXFC –Centrally managed and distributed Today: Windows XP SP2 (NICE XP), Scientific Linux CERN 3 (SLC3) Named Set of Computers (NSC) –Groups of computers with identical basic configuration –Responsible persons will be contacted in case of emergency and if security patches etc. need to be applied. Configuration –Version management database Operating System (LINUXFC or NICEFC) User defined software packages (e.g. PVSS, …) –Rollback to previous version possible

10 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV10 Services Operation and Maintenance –IT support for: Standard equipment Network connections (24h/d, 365d/year) Operating System installation Security patches Test Environment –Vulnerability Tests (TOCSSiC) –Integration Tests (test bench per domain necessary) Hardware Support –Standard PCs (e.g. office) –“Industrial” PCs (a few models should cover most requirements)

11 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV11 Phase II: Implementation Deployment of CNIC policy IIIIII CNIC PolicyApproval Training on policy and tools Deployment PilotDev. PilotDev. PilotDev. Spec’s NICEFC: Spec’s LinuxFC: Networking: 09/200401/2005 07/200501/200607/2006 WTS: Awareness campaign Implementation of tools for configuration, management & maintenance Installation of Windows Terminal Servers User Training Install.PilotOperation

12 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV12 CNIC Manpower 09/ 2004 10/ 2004 11/ 2004 12/ 2004 01/ 2005 02/ 2005 03/ 2005 04/ 2005 05/ 2005 06/ 2005 07/ 2005 08/ 2005 09/ 2005 10/ 2005 11/ 2005 12/ 2005 01/ 2006 02/ 2006 03/ 2006 04/ 2006 05/ 2006 06/ 2006 07/ 2006 CNIC policy Awareness campaign approval Spec NETWORK tools Spec LINUXFC tools Spec NICEFC tools develop NETWORK develop LINUXFC develop NICEFC pilot NETWORK pilot LINUXFC pilot NICEFC NETWORK tools operational LINUXFC tools operational NICEFC tools operational Installpilotoperation WTS: TRAINING: CNIC policy and tools deploy CNIC policy CNIC policy in operation: Packaging support - NICEFC - LINUXFC Proposal: IT 1 person (missing) WTS Installation, support Proposal: IT 1 person (planned) CNIC operation - administration - user support Proposal: domains Foresee 1 person/domain Tools - development, support Proposal: IT 3 persons assigned to IT. Tools - development, support Proposal: IT 3 persons assigned to IT. Tools - development, support Proposal: IT 3 persons assigned to IT.

13 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV13 Conclusion Awareness and acceptance for changes is very important –Investment vs. advantages Decisions and proposals must be backed up by management –Availability of manpower and resources Very constructive attitude in the CNIC-WG –Once people understood the reasons Many technical questions and reservations from the “users” –Treated as Use Cases –Must be answered with real/practical solutions ! Difficult to get acceptance … –… before tools and examples can be shown.

14 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV14 Questions ? Check the CNIC website for more information: http://cern.ch/wg-cnic ?

15 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV15 CNIC members TS –Uwe EPTING - TS/CSE –Søren POULSEN - TS/EL AB –Pierre CHARRUE - AB/CO –Mike LAMONT - AB/OP –Patrick LIENARD - AT/MAS IT/CO –Bruce FLOCKHART - IT/CO –Stefan LÜDERS - IT/CO Experiments –Beat JOST - PH-LBC –Guiseppe MORNACCHI - PH/ATD –Martti PIMIÄ - PH/CMC –Peter CHOCHULA - PH/AIT Network –David FOSTER - IT/CS –Jean-Michel JOUANIGOT - IT/CS –Nils HØIMYR - IT/CS –Nuno CERVAENS COSTA - IT/CS NICEFC –Alberto PACE - IT/IS –Ivan DELOOSE - IT/IS LINUXFC –Jan IVEN - IT/ADC –Matthias SCHRÖDER - IT/ADC Security –Denise HEAGERTY - IT/DI –Lionel CONS - IT/DI

16 Computing and Network Infrastructure for Controls CNIC Uwe Epting on behalf of the CNIC-WG

17 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV17 Use Case 1 - Office connection Connection to controls monitoring system (e.g. PVSS) from office PC –Connection to application gateway (e.g. Windows Terminal Server). –Open session to application (e.g. PVSS) with connection to controls machine and PLCs.

18 11 October 2005CNIC at ICALEPCS 2005 - Uwe Epting, CERN, TS/CV18 Use Case 2 - Sensitive equipment Vulnerable devices (e.g. PLCs) must be protected against security risks from the network –Group them in Functional Sub-Domains (FSD) –Access only possible from the host system that controls them External access to the host system via application gateway

Download ppt "Computing and Network Infrastructure for Controls CNIC Context? Why CNIC? What is CNIC? CNIC Phases and Definitions CNIC Status and Manpower Conclusion."

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Remote access to PVSS projects and security issues DCS computing related issues Peter Chochula.

Remote access to PVSS projects and security issues DCS computing related issues Peter Chochula.
An Introduction to System Administration Chapter 1.

An Introduction to System Administration Chapter 1.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Supervision of Production Computers in ALICE Peter Chochula for the ALICE DCS team.

Supervision of Production Computers in ALICE Peter Chochula for the ALICE DCS team.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Getting Connected to NGS while on the Road… Donna V. Shaw, NGS Convocation.

Getting Connected to NGS while on the Road… Donna V. Shaw, NGS Convocation.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Current Job Components Information Technology Department Network Systems Administration Telecommunications Database Design and Administration.

Current Job Components Information Technology Department Network Systems Administration Telecommunications Database Design and Administration.
CERN’s Computer Security Challenge

CERN’s Computer Security Challenge

Similar presentations

Ads by Google