2nd Control System Cyber-Security Workshop (CS)2/HEP

Sunday 11 Oct 2009, 09:00 → 17:00 Europe/Zurich

Kobe International Conference Center (KICC) Room 403

Stefan Lueders (CERN)

Since the last ICALEPCS conference in 2007, Control System Cyber-Security (CS2) still attracts increasing attention worldwide from global players in industry and in government, in particular in the U.S. and in Europe. We also see growing numbers of malicious attacks attempting to infiltrate control systems. Today's accelerator and detector control systems do not differ significantly from the control systems used in industry. Modern Information Technologies (IT) are commonly used, control systems are based more and more on common-of-the-shelf hardware/software (VME crates, PLCs, VxWorks, LynxOS, network switches, networked controls hardware, SCADA, commercial middleware, etc.) or Windows/Linux PCs. Furthermore, due to the academic freedom in the High Energy Physics (HEP) community, control systems are produced in a wide, decentralized community, which leads to heterogeneous systems and often necessitates remote access. However, with this adoption of modern IT standards, control systems are also exposed to the inherent vulnerabilities of the corresponding hardware and software. The consequences of a security breach in an accelerator or detector control system might be severe, and attackers won't ignore HEP systems just because it's HEP. First overviews by several HEP institutes worldwide on the application of Cyber-Security in Control Systems were given at the last ICALEPCS conference. This time, the (CS)2/HEP 2009 workshop is intended to review the progress since the last conference, to share and discuss further counter-measures, and to review configuration and development procedures for secure control systems. Potential Keywords and topics are: * Security, vulnerabilities and protective measures of front end devices (e.g. VME crates, LynxOS, VxWorks, PLCs, power supplies, networked controls hardware) * Control network security, network architectures, network segregation, firewalling and intrusion detection * SCADA security, PC installation and management schemes * Secure ("Kiosk") operation in multi-user environments (e.g. at light-sources, where users change quite frequently) * Authentication & Authorization on control systems * Remote operations and expert interventions * Software development cycle and system configuration management * Security policies & best practices

Summary Talk CS2HEP_@_ICALEPCS_(2009).pdf CS2HEP_@_ICALEPCS_(2009).ppt

1 Introduction to the 2nd Control System Cyber-Security Workshop

Slides Control_System_Cyber-Security_@_CS2HEP_(2009).pdf Control_System_Cyber-Security_@_CS2HEP_(2009).ppt

2 Standards Based Measurable Security for Embedded Devices

Control systems are now routinely connected with enterprise networks and even wide area networks, opening their components to a large array of cyber security threats. Facing threats on such a large scale can now longer solely be done through ad-hoc incident response and post-mortem activities. Defense in depth strategies are being widely adopted and advocated through emerging control systems specific cyber security standards [1]. With these strategies comes the need to accurately prioritise risks and manage system assets, in order to implement measured, tailored security restrictions and automatically assess damages to provide efficient and precise incident response. Eventually, an organization must be able to measure incidents trends and evaluate business impact to feed constant security policy reviews. CERN has implemented a control device cyber security test bench, entitled TOCSSiC [2], updated to provide standards-compliant measurements. Such measurements can be employed to automatically evaluate device vulnerabilities and security policy compliance. [1] F. Tilaro, "Control system cybersecurity standards, convergence and tools", CERN technical report, April 2009 [2] S. Lueders, "Control systems under attack !?", ICALEPCS, October 2005

Speaker: Mr Brice Copy (CERN)

Slides TROIE.odp TROIE.pdf

09:45 Coffee Break

3 A study of network vulnerability in embedded devices

Recently many TCP/IP devices are used in accelerator-control system. Not only computers but also embedded devices are used in the accelerator-control system. Since the embedded devices are designed with limited hardware resources, many devices are consists of subset of the TCP/IP components. The limited resources and components therefore cause many problems such as vulnerabilities of network traffic. SPring-8 is one of the largest synchrotron-radiation facilities in the world, and many embedded devices are used to control accelerator complex. Originally, the control network of SPring-8 is designed as single segment without any routers, it is the best solution for a small-scale control network from a point of high reliability by the simplification. However, by increasing the number of embedded devices in the single network, more trouble have arisen such as packet flooding, hang up of devices, and so on. We study network vulnerabilities on these embedded devices used in SPring-8. And then, we found vulnerability on iTRON-based embedded devices.[1] We also performed improvement of implementation on vulnerable devices and refinement of network into multi-segmented L3 network design. In this presentation, we report result of the refinement to improve reliability of the control system. [1] T.Sugimoto, M.Ishii, T.Masuda, T.Ohata, T.Sakamoto, and R.Tanaka, Proceedings of PCaPAC2008, THX03 (2008)

Speaker: Takashi SUGIMOTO (Japan Synchrotron Radiation Research Institute)

Slides CSCSWS-08_talk.pdf CSCSWS-08_talk.ppt

4 Managing Proficy iFix SCADA Nodes and Client in Technical Division at Fermilab

Network Configuration for iFix SCADAs and Windows Terminal Server Remote Access/Control using MS Terminal Server and iFix iClient Implement iFix security along with Windows File Protection Log on at the console with domain captive accounts and lock out policy Patching and Anti-virus mechanisms Fault tolerance and disaster recovery

Speaker: Mrs Ping Wang (Fermilab/Technical Division)

Slides Managing_Proficy_iFix_SCADA_Nodes_and_Client_in.pdf Managing_Proficy_iFix_SCADA_Nodes_and_Client_in.ppt

5 NSLS-II Control System Cybersecurity

The Control System group at the forthcoming National Synchrotron Light Source II (NSLS-II) is in the process of drafting a Cybersecurity Requirements document. This discussion will provide a general overview of the network topology with a focus on the logical flow of traffic. Security at and accessibility to the control complex and beam-lines will be explored in the context of policy, user expectations, and performance requirements with a survey of potential associated technologies (One-time-passwords, VPNs, Centrify/LDAP, NX/Citrix). Finally, providing wireless access to the control system network is viewed as an attractive and cost effective supplement if done right. A secure wireless implementation will be illustrated.

Speaker: Robert Petkus (BNL)

Slides Petkus.ICALEPCS.NSLSII-Cyber.pdf

11:30 Lunch Break

6 Kiosk Mode For Instruments Using Windows Platform

Many commercial instruments -- oscilloscopes, network analyzers, spectrum analyzers -- are now using a Windows platform. Thus they provide all the features and security issues of a desk-top PC. It is necessary to connect these instruments to the Ethernet to provide remote access. At the same time it is necessary that the instrument can be operated locally without having a keyboard, mouse, or password protected screen saver. Implementing a kiosk mode -- a limited user is allowed to run one program -- provides cyber security. The steps needed to implement kiosk mode will be present along with the limitations of the kiosk mode.

Speaker: Roger Lee (Brookhaven National Lab.)

Slides kiosk9.pdf

7 Integrated Access Control for PVSS-based SCADA Systems at CERN

The protection of the PVSS-based Human-Machine-Interface parts of the Control Systems for the LHC accelerator and the experiments at CERN is implemented using the JCOP Framework Access Control component. It allows to protect from non-malicious activity (such as misuse due to operator's mistake) by enabling/disabling the elements of the User Interface. It extends the native PVSS mechanisms for user-authentication and makes the management of the role-based authorizations easy to configure and maintain. Ultimately, it enables the synchronization of the access-control related data across distributed systems, and allows to synchronize this data with central user-management resources at CERN (such as Active Directory), and automated creation of user accounts.

Speaker: Piotr Golonka (CERN EN/ICE-SCD)

13:30 Coffee Break

8 Security Design of a Computer-Based Personnel Safety System Logbook

In the last year Jefferson Lab’s Personal Safety System (PSS) Logbook has been converted from a paper log to an electronic logbook. The motivation for this upgrade was to take advantage of the inherent benefits of electronic media (indexing, searching, automated information capture and parsing) as well as to make use of features of the lab’s existing electronic logbook infrastructure. This conversion posed many design challenges however, especially in balancing increased security requirements with the design of an easy-to-use interface for the Safety System Operator (SSO). The paper will explore how the security requirements for the PSS electronic logbook were addressed with both new and existing code. It will also explore how key features were implemented with a focus on meeting security requirements in such a way as to still develop an application that was functional and easily operated by the SSO.

Speaker: Theo McGuckin (Jefferson Lab)

Slides Security_Design_of_a_Computer-Based_Personnel_Safety_System_Logbook_2.pdf Security_Design_of_a_Computer-Based_Personnel_Safety_System_Logbook_2.pptx

9 Problems to Overcome: Implementation Experience at CERN

This presentations will detail the problems during the implementation of security measures for CERN control systems. The presentation will first focus on the evolution of CERN security in the past years and discuss some security incidents related with control systems. Based on the current status, the most problematic areas in terms of user friedliness and useablity will be discussed, and potential future directions will be presented.

Speaker: Dr Stefan Lueders (CERN)

Slides Problems_to_Overcome_@_CS2HEP_(2009).pdf Problems_to_Overcome_@_CS2HEP_(2009).ppt

14:45 Coffee Break

10 Discussion

Slides Discussion_@_CS2HEP_(2009).pdf Discussion_@_CS2HEP_(2009).ppt