3rd Control System Cyber-Security Workshop (CS)2/HEP

Europe/Zurich
Kilimandjaro Nord (WTC Convention Center, Grenoble (France))

Stefan Lueders (CERN)
Description
2010 has been the tipping point for Control System Cyber-Security (CS2). For the first time, a targeted attack --- dubbed "Stuxnet" --- was conducted against an industrial control system. While this one was aimed at a particular control system, the attack itself confirms that the threat is real and similar attacks, most probably less sophisticated, will be seen throughout 2011...
Today's accelerator and detector control systems do not differ significantly from the control systems used in industry. Modern Information Technologies (IT) are commonly used: control systems are based more and more on commercial-off-the-shelf hardware/software (VME crates, PLCs, VxWorks, LynxOS, network switches, networked controls hardware, SCADA, commercial middleware, etc.) or Windows/Linux PCs. Furthermore, due to the academic freedom in the High Energy Physics community, control systems are produced in a wide, decentralized community, which leads to heterogeneous systems and often necessitates remote access. However, with this adoption of modern IT standards, control systems are also exposed to the inherent vulnerabilities of the corresponding hardware and software. The consequences of a security breach in an accelerator or detector control system might be severe, and attackers won't ignore HEP systems just because it's HEP. Overviews by several HEP institutes worldwide on the application of Cyber-Security in Control Systems were given at the 2nd ICALEPCS conference.
In the era of "Stuxnet", the (CS)2/HEP 2011 workshop is intended to share and discuss counter-measures, to review configuration and development procedures for secure control systems, and to review the progress since the last (CS)2/HEP workshop.
Potential Keywords and topics are:
  • Security, vulnerabilities and protective measures of front end devices (e.g. VME crates, LynxOS, VxWorks, PLCs, power supplies, networked controls hardware);
  • Control network security, network architectures, network segregation, firewalling and intrusion detection;
  • SCADA security, PC installation and management schemes;
  • Secure ("Kiosk") operation in multi-user environments (e.g. at light-sources, where users change quite frequently);
  • Authentication & Authorization on control systems;
  • Remote operations and expert interventions;
  • Software development cycle and system configuration management;
  • Security policies, best practices, security events and lessons learned.
    • 09:30 09:45
      Introduction to the 3rd Control System Cyber-Security Workshop 15m
      Speaker: Dr Stefan Lueders (CERN)
    • 09:45 10:00
      How things go wrong. 15m
      An online demo of a few real security events, how they were possible, and how they were exploited.
      Speaker: Dr Stefan Lueders (CERN)
    • 10:00 10:30
      Review of a cyber-security event at Jefferson Lab accelerator network 30m
      Speaker: Theo McGuckin (Jefferson Lab)
    • 10:30 10:45
      Coffee Break 15m
    • 10:45 11:15
      Cybersecurity for the Control System Engineer 30m
      How does cybersecurity fit into (or not fit into) the requirements for designing and operating distributed control systems for large experimental physics projects?
      Speaker: Steven Hartman (Oak Ridge National Laboratory)
    • 11:15 11:45
      Experiences with ISO/IEC 27001 Implementation at NSCL 30m
      Recent incidents have emphasized the importance of security and operational continuity for achieving the quality objectives of an organization, and the safety of its personnel and machines. However, security and disaster recovery are either completely ignored or given a low priority during the design and development of an accelerator control system, the underlying technologies, and the overlaid applications. This leads to an operational facility that is easy to breach and difficult to recover. Retrofitting security into the control system becomes much more difficult during operations. The Electronics Department at NSCL wanted to address security in a holistic manner, and decided to implement the ISO/IEC 27001 Information Security standard. The ISO/IEC 27001 standard and the related code of practice (ISO 27002) cover a broad set of topics such as risk assessment, asset management, human resources, physical security, communication and operations, application development and maintenance, access control, disaster recovery, security incident management, and legal and regulatory compliance. In this paper we describe our experiences in implementing the ISO 27001 standard (we are not certified yet). We describe our risk assessment methodology, the identified risks, the selected controls, and their implementation. We also describe our documentation structure for the various policies, procedures, guidelines, and standards. We illustrate problems faced with securing low-level controls, infrastructure, and applications. We also illustrate how we are using this experience in the design of FRIB's (Facility for Rare Isotope Beam) global database.
      Speaker: Dr Vasu Vuppala (NSCL, MSU)
    • 11:45 12:15
      Inventory and Risk assessment of the CERN Technical Network 30m
      Speaker: Mr Pierre Charrue (CERN)
    • 12:15 12:45
      Can off-the-shelf control systems be compliant with CERN computer security policy? 30m
      A computer security policy enforced at CERN requires all network-connected equipment to be submitted to regular port scans. Security patches are also required to be applied to all Windows and Linux machines on a regular basis. From time to time these security measures cause problems with equipment and software which, for one reason or another, were not equipped to handle them. We discuss cases where existing CERN access and safety systems have suffered service disruptions, the reasons behind these incidents, as well as some strategies on how to mitigate them and how to prepare for them in future designs.
      Speaker: Timo Hakulinen (CERN)
    • 12:45 13:30
      Lunch Break 45m
    • 13:30 14:00
      Cyber security from the ALICE user’s perspective 30m
      The Detector Control System (DCS) of ALICE, one of the LHC experiments at CERN in Geneva, is distributed across 150 mainly Windows computers and 1200 network attached devices, most of them running some version of Linux. Cyber security has always been one of the key elements driving its design from the very beginning. The security principles and rules have been discussed and approved by the collaboration well ahead of putting the first systems into production. In the presentation we focus on the main architectural principles of the ALICE DCS and show how the security requirements comply with day-to-day operational needs. We discuss how the strict security rules affect the system development, operation and maintenance. We demonstrate with examples the typical problems which have to be addressed on a large system providing control of a delicate high energy physics experiment in an environment where several hundred people need worldwide access. We assess the impact of typical cyber security measures on system performance, stability and manageability. And finally, we demonstrate limitations posed by operating commercial software in a high energy physics environment.
      Speaker: Dr Peter Chochula (CERN)
    • 14:00 14:30
      IT security for the LHCb Experiment 30m
      The LHCb Experiment is one of the four large particle physics detectors at CERN. The LHCb Online System comprises more than 2000 servers and embedded systems and more than 200 network devices. It has more than 200 active users. Operational independence and strong isolation from the internet as well as from central CERN resources have been important design criteria. Like any large experimental IT infrastructure, we are confronted with the sometimes conflicting requirements between ease and convenience of operation and security needs. This paper describes the IT security model adopted, its implementation and operational consequences. It presents the network structure, the authorization and authentication model, the hardening of the gateway servers, a three-tier redundant firewall implementation, as well as the technical problems encountered and corresponding solutions.
      Speaker: Enrico Bonaccorsi (CERN)
    • 14:30 15:00
      Application and Virus Detecting Firewall on the SPring-8 Experimental User Network 30m
      The SPring-8 experimental user network is aimed at controlling experimental instruments and data acquisition. For users' convenience, such as web browsing, users can connect to the Internet via the user network. Web browsers use HTTP(S) to access WWW servers. But nowadays, HTTP is also used for tunneling many other protocols. On the user network, protocol tunneling via HTTP is often found, and the SPring-8 control system is threatened by tunneling applications: bandwidth exhaustion by media streaming such as YouTube, P2P file sharing, unauthorized instrument control from outside of the experimental area via VPN, and so on. Moreover, during web browsing, many virus infections have occurred on the user network. To prevent threats to the control system, we installed a PaloAlto firewall system, which has recently been called a "next generation firewall". The PaloAlto firewall can detect many applications and viruses, including tunneling protocols. We report results of application/virus detection and prevention using the firewall.
      Speaker: Dr Takashi SUGIMOTO (Japan Synchrotron Radiation Research Institute)
    • 15:00 15:30
      Industrial Devices Robustness Assessment and Testing against Cyber Security Attacks 30m
      CERN (European Organization for Nuclear Research), like any organization, needs to achieve the conflicting objectives of connecting its operational network to the Internet while at the same time keeping its industrial control systems secure from external and internal cyber attacks. With this in mind, the ISA-99* international cyber security standard has been adopted at CERN as a reference model to define a set of guidelines and security robustness criteria applicable to any network device. Device robustness represents a key link in the defense-in-depth concept, as some attacks will inevitably penetrate security boundaries and thus require further protection measures. When assessing the cyber security robustness of devices we have singled out control system-relevant attack patterns derived from the well-known CAPEC** classification. Once a vulnerability is identified, it needs to be documented, prioritized and reproduced at will in a dedicated test environment for debugging purposes. CERN, in collaboration with SIEMENS, has designed and implemented a dedicated working environment, the Test-bench for Robustness of Industrial Equipments*** ("TRoIE"). Such tests attempt to detect possible anomalies by exploiting corrupt communication channels and manipulating the normal behavior of the communication protocols, in the same way as a cyber attacker would proceed. This document provides an inventory of security guidelines**** relevant to the CERN industrial environment and describes how we have automated the collection and classification of identified vulnerabilities into a test-bench.
      References:
      * http://www.isa.org
      ** http://capec.mitre.org
      *** F. Tilaro, "Test-bench for Robustness...", CERN, 2009
      **** B. Copy, F. Tilaro, "Standards based measurable security for embedded devices", ICALEPCS 2009
      Speaker: Filippo Tilaro
    • 15:30 15:45
      Coffee Break 15m
    • 15:45 16:30
      Discussion 45m
      Speaker: Dr Stefan Lueders (CERN)