8th Control System Cyber-Security Workshop (CS)2/HEP

Africa/Johannesburg
8/9

CENTURY CITY CONVENTION CENTRE 4 Energy Lane, Century City, Cape Town
Stefan Lueders (CERN)
Description

Attacks against industrial control systems, including ransomware and politically motivated attacks, are now regularly reported in the media; new vulnerabilities are regularly published and exploited; and politicians are becoming more and more concerned about the resilience of the control systems that run a nation's critical infrastructure.

Modern accelerator and detector control systems do not differ significantly from the control systems used in industry or from devices that are part of the "Internet of Things" (IoT). Modern Information Technologies (IT) are commonly used, control systems are based more and more on commercial off-the-shelf hardware/software (VME, PLCs, VxWorks, network switches, networked controls hardware, SCADA, commercial middleware, etc.) or Windows/Linux PCs, and commonly employ standard IT techniques (Git & build frameworks, virtualisation & containerisation, Machine Learning, etc.). Furthermore, due to the academic freedom in the High Energy Physics community, control systems are produced by a wide, decentralised community, which leads to heterogeneous systems and often necessitates remote access. However, with this adoption of modern IT standards, control systems are also exposed to the inherent vulnerabilities of the corresponding hardware and software. The consequences of a security breach in an accelerator or detector control system might be severe, and attackers won't ignore HEP systems just because they are HEP.

Presentations by several HEP institutes worldwide on the application of cyber-security in control systems were given at the 7th ICALEPCS conference prior to the COVID pandemic. Resurrected, this new (CS)2/HEP workshop is intended to continue sharing and discussing counter-measures, to review configuration and development procedures for secure control systems, and to review the progress since the last (CS)2/HEP workshop.

Potential Keywords and topics are:

  • Security, vulnerabilities and protective measures of front end devices (e.g. VME, VxWorks, PLCs, power supplies, networked controls hardware);
  • Control network security, network architectures, network segregation, firewalling and intrusion detection, but also data centre connectivities;
  • SCADA security, PC installation and management schemes, including secure ("Kiosk") operation in multi-user environments (e.g. at light-sources, where users change quite frequently);
  • Authentication & Authorization on control systems;
  • Remote operations and expert interventions;
  • Software development, software curation, and system build & configuration management;
  • Security policies, best practices, security events and lessons learned.
    • 2
      Mitigating Cyber-Threats in remote work: Implementing enhanced measures post-ransomware attack

      The global shift to remote work during the COVID-19 pandemic significantly widened our cyber threat landscape, leaving many organisations exposed. A notable case was the successful breach of the ESS corporate network by a recognised ransomware group that executed a credential stuffing attack. During the 8th Control System Cyber-Security workshop we plan to examine this incident, focusing on the lessons that followed.
      We'll delve into the implementation of protective strategies, such as multi-factor authentication (MFA) and Identity and Access Management (IAM), as well as network segmentation through security zones, and we will also present the use of Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA) solutions for secure application access.

      Speaker: Remy Mudingay (European Spallation Source ERIC)
    • 3
      Sanzu: A secure graphical remote access solution

      Today more and more control systems are accessed and administered remotely. However, many of the existing solutions are not satisfying because they are either insecure, bad in terms of performance, or proprietary software. For example, in 2019 Kaspersky found 37 vulnerabilities in four different implementations of VNC.
      That's why we created our own graphical remote access solution written in Rust.
      During the 8th Control System Cyber-Security Workshop, we plan to focus on presenting our open-source graphical remote access solution called Sanzu. We will focus on the two main usages of our tool:
      Firstly, we will talk about Sanzu as a secure replacement for existing remote access solutions like VNC. Then we will dive into the use of Sanzu to provide a remote web browser, with the goal of mitigating attacks targeting web browsers on computers with access to critical infrastructures.

      Speaker: Antonin Fringant
    • 09:55
      Morning Coffee
    • 4
      Upcoming CERN Accelerator-IT Governance

      A new CERN IT governance model was put in place in 2021 between the CERN IT department and the Accelerator and Technology Sector (ATS) in view of preparing the Accelerator control system infrastructure for the LHC high-luminosity era. Flagship projects such as the adoption of containerisation technology and orchestrators, or the review of the network isolation for Accelerator control, offer unique opportunities to streamline our DevOps processes and to improve the overall security of our control system. This talk will present the motivation behind these initiatives and discuss the potential benefits we expect in terms of security.

      Speaker: Marc Vanden Eynden (CERN)
    • 5
      SLAC Initiatives in Accelerator Cyber Security

      We describe a program at SLAC to truly understand accelerator cyber vulnerabilities as they exist at SLAC and similar facilities, improve accelerator cyber security generally, engage the U.S. Dept. of Energy in collaboration and funding, and provide the concomitant upgrades to EPICS Base for the accelerator community.

      Speaker: Mr Gregory R White (SLAC)
    • 12:00
      Lunch
    • 6
      EPICS Security Technical Plan

      A presentation of the 2-year implementation plan primarily undertaken by Osprey DCS, SLAC and ORNL and funded by the US Department of Energy.

      The plan will update PVXS (C++) and core-pva (Java, in CS-Studio/Phoebus) to support secure network connections based on the industry-standard Transport Layer Security (TLS) technology. PVA clients that search for PV names will be able to indicate support for TLS authenticated and encrypted communications. PVA servers that support TLS will be able to accept such search requests and initiate the creation of a secure communication session. PVA servers that support secure connections will prefer TLS over regular unsecured connections. Server authentication will be accomplished by providing an X.509 certificate, and optional client authentication will be achieved in the same way.

      The updated pvAccess protocol will provide robust authorization in an end-to-end encrypted, fully authenticated, efficient and manageable framework for control systems access. The implementation is planned to be completely backward compatible, with secure and non-secure clients and servers interoperating seamlessly.

      Speaker: Mr Georg McIntyre (Level-N)
    • 7
      The DC Nightmare

      With the growing complexity of the IT hardware and software stack, and with the prevalent usage of central computing resources for Internet-facing services, user services, but also for serving industrial control systems (OT), the design of data centre architectures, and in particular networks, is becoming more and more challenging. This presentation will introduce the dilemma of creating a highly agile and flexible computer centre set-up while still trying to maintain security perimeters within. It is bound to fail.

      Speaker: Stefan Lueders (CERN)
    • 8
      Cybersecurity risks of SBOM (or git) with automation

      Many distributed version control platforms utilising open-source worldwide collaboration, such as GitLab and GitHub, have built-in mechanisms allowing for robust version control and smooth automation via e.g. pipelines. At some large-scale research facilities, some also trigger automatic deployments of the latest version of the software to clients otherwise isolated on private networks, creating an undesired interface between the public realm and the systems on the private networks. The risk is hence non-zero that a malicious attack could occur on a git repository which introduces malware or functionality changes, with a successful one automatically deploying the malicious changes to the clients defined in its pipeline.

      Therefore, there is a need in the field to start discussing and doing risk assessments for scenarios built on this as a baseline, starting with a simple set of questions:

      • How safe are these types of git workflows?
      • What protection measures could be taken?
      • Has this or something similar happened before, and if so, at what scale, and what lessons have been learned from it?

      Speaker: Benjamin Bolling (European Spallation Source ERIC)
    • 9
      Software Bill of Material Deep Dive

      Supply chain attacks have surged since 2013, offering attackers an easy and lucrative method to breach vital organizational functions. In the past four years alone, notable supply chain attacks have grown fourfold. This trend is predicted to persist unless effective countermeasures are embraced. In the realm of open science, the heavy dependence on open-source code for scientific software development, coupled with diverse technology use in extensive deployments, presents challenges for asset owners to evaluate and eliminate potential vulnerabilities.

      New regulations from the US government (White House executive order EO14028) and the EU commission (E.U. Cyber Resilience Act) now require Service and Equipment suppliers involved in government contracts to publish SBOMs for their commercial products. These SBOMs must adhere to a standardized and openly accessible data format, and support automated identification of existing or potential vulnerabilities, along with strategies for effective mitigation.

      This presentation will focus on open-source tools and workflows that leverage SBOM standards and help the CERN Accelerator and Technology Sector inventory and manage vulnerabilities across the multiple platforms and programming languages it employs for its operational software.

      Speaker: Brice Copy (CERN)
    • 15:10
      Afternoon Tea
    • 10
      CERN Computer Security Controls

      Like any other organization, university or enterprise, CERN is permanently under attack. The risks --- legally or financially, to CERN's operation or reputation --- cannot be neglected.

      The CERN Computer Security Team has been mandated to protect the operations and reputation of CERN against cyber-threats. In this presentation we will go through the different defence mechanisms --- controls --- the Team is providing in order to prevent, protect, detect and respond to any kind of abuse, attack or intrusion against CERN's computing facilities, devices, accounts, services & control systems in an agile, complex and heterogeneous environment, while keeping a good balance between "academia", "operations" and "computer security".

      Speaker: Stefan Lueders (CERN)
    • Discussion on "Security"