Improving Industrial Process Control Systems Security
TS workshop 2004 - U. Epting, M.C. Morodo Testa - TS department
Uwe Epting (TS/CSE) Maria Carmen Morodo.

1 Improving Industrial Process Control Systems Security
Uwe Epting (TS/CSE)
Maria Carmen Morodo Testa (TS/CV)

2 Security Problems
General: EVERY computer connected to a network is exposed to security risks!
2 types of threats
- Accidental “attacks”
  - Human errors
  - Security scans
- Malicious attacks
  - Aggression
    - Login/passwords stolen
    - Sabotage
    - Switching equipment on or off
  - Viruses and worms
    - Automatic propagation
    - Data damage or manipulation
    - Denial of service attacks

3 Hardware
Servers
- Mostly UNIX based (HP-UX, Solaris, Linux)
- Very important for service, critical component
- Less risk for attacks (today!)
PCs
- Windows or Linux
- Widely used
- Very high risk
- Frequent updates and patches necessary
PLCs and I/O cards
- Very robust
- Little protection possible (today)

4 Network
Ethernet at CERN
- General purpose network
  - Very hostile and exposed to outside world
  - Frequent attacks from outside
- Technical network
  - Only accessible inside CERN
  - BUT: connected to General Purpose network (today)
- “Private” networks
  - Profibus
  - Modbus

5 Guidelines
CERN wide
- Operational Circular No 5 accepted by every computer user at CERN
- Security guidelines http://cern.ch/security
  - CERN's Computer Security Recommendations
  - Password Recommendations at CERN
  - Risks and how you can help to reduce them

6 Control System Issues
Awareness campaign
- Risk
- Impacts
- Solutions
Review critical systems
- Network segregation
- Firewalls
- Remote access through terminal servers
- Monitoring
Project engagement
- Commitment from the beginning

7 Strategy
1. Understand the risk and engage projects early
2. Implement Quick Win security improvements
3. Manage third party risks
   - Vendors
   - Integrators
4. Establish security governance and response capability
5. Raise awareness and skills
6. Implement Long Term improvements
   - Network segregation, etc.

8 Example: LHC ventilation
1. Migration of LEP control system into LHC configuration
   - ~100 PLCs (+ ~50 micro-PLCs)
   - Motivations for upgrade:
     - Migration of the process control to the LHC functionality
     - Integration of systems
     - Replacement of obsolescent hardware and software
     - Recover and document the system know-how
2. Integration of control equipment for new LHC structures
   - ~25 new PLCs (+ ~125 new micro-PLCs)
3. Inter-point communication and CCC remote monitoring
   - 8 new master PLCs + 8 new SCADA platforms

9 Technical Option #1
Every PLC is connected to the CERN TCP/IP network
[Diagram: CERN TCP/IP Technical Network connecting Master P1 to Master P8 and the PLCs (PLC #i, PLC #j) at each point]

10 Technical Option #2
Every PLC is connected to a dedicated industrial fieldbus
At each LHC point, only the master PLC is connected to the TCP/IP network
[Diagram: CERN TCP/IP Technical Network connecting Master P1 to Master P8; the PLCs (PLC #i, PLC #j, PLC #k) at each point sit on a Profibus DP fieldbus]

11 Technical Options
[Diagrams: the two options, each showing Slave i, Master (SU), SCADA (SU) and the CERN TCP/IP Technical Network; one with Profibus DP]
Requirement / constraint; DP; TCP; Need
- Availability: Very Good; ESS
- Security: Good; Needs plan; ESS
- Remote accessibility (to slave PLCs): Good; Very Good; DES
- Project scheduling (time constraint): Good; ESS
- Cost efficiency: Good; ESS
Need: ESS, Essential; DES, Desirable
Understand the risk: vulnerability increases with number of network connections
Quick win improvement: Profibus DP allows a compromise between openness and engagement to secure process control

12 Operational Aspects
Access to process control PLCs is now restricted
Provisions are made to avoid limitations on the operational features
Local operation
1. An operation panel at each process control cubicle
2. A supervision application at each LHC point (SUi)
3. Local operation is possible from a laptop computer connected to the Profibus DP network (only intended for maintenance)
Remote operation
1. TIM interfaces with the master PLC at each LHC point
2. Transmission of some relevant alarms and data from each LHC point by the means of a 2nd path (MMD)
3. Supervision application (SCADA) mimic diagrams web-published for remote information of operation teams

13 Conclusion
- Security issues are becoming a serious problem also at CERN
- “Quick Win” solutions do not require major investments if considered already in the design phase
- “Long-Term” solutions require clear CERN wide guidelines and regulations for the implementation of control systems
- Strategy to keep the systems up-to-date must be settled from the beginning.
- Continuous follow-up is needed to ensure secure O&M within the available and often limited resources

14 Questions?

