Cern Security UAB-2009



Talk on security at CERN, given in December 2009 at the UAB.

  • CERN is run by 20 European Member States, but many non-European countries are also involved in different ways. Fundamental research in particle physics. Designs, builds & operates large accelerators. Designs, builds & operates large experimental facilities together with outside institutes. Financed by 20 European countries. SFR ~1000M budget - operation + new accelerators. ~2,400 staff (dropping from 3450 to ~2150 by 2006). > 5,000 users (researchers) from Europe and all over the world; ~1000/year rotate. The current Member States are: Austria, Belgium, Bulgaria, the Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Italy, The Netherlands, Norway, Poland, Portugal, the Slovak Republic, Spain, Sweden, Switzerland and the United Kingdom. Member States have special duties and privileges. They make a contribution to the capital and operating costs of the CERN programmes, and are represented in the Council, responsible for all important decisions about the Organization and its activities. Some States (or International Organizations) for which membership is either not possible or not yet feasible are Observers. 'Observer' status allows Non-Member States to attend Council meetings and to receive Council documents, without taking part in the decision-making procedures of the Organization. Scientists from 220 Institutes and Universities of non-Member States also use CERN's facilities. Physicists and their funding agencies from both Member and non-Member States are responsible for the financing, construction and operation of the experiments on which they collaborate. CERN spends much of its budget on building new machines (such as the Large Hadron Collider), and it can only partially contribute to the cost of the experiments. Observer States and Organizations currently involved in CERN programmes are: the European Commission, India, Israel, Japan, the Russian Federation, Turkey, UNESCO and the USA.
Non-Member States currently involved in CERN programmes are: Algeria, Argentina, Armenia, Australia, Azerbaijan, Belarus, Brazil, Canada, China, Croatia, Cyprus, Estonia, Georgia, Iceland, India, Iran, Ireland, Mexico, Morocco, Pakistan, Peru, Romania, Serbia, Slovenia, South Africa, South Korea, Taiwan and the Ukraine.
  • Like our ETs, our ancient ancestors did the same: observing, classification and interpretation. 4 Elements show the beauty of nature. But this did not explain everything. Mendeleev et al. did it again: observing, classification and interpretation. Bohr cleaned up the table, reducing it to p, n, e. In the 1930s it became worse again…
  • Today, the theory sorts again the particle zoo. All particles and forces have been confirmed by HEP experiments. But the theory (the standard model) still has many open questions. Therefore, HEP has to conduct more experiments… And rather than colliding CARs we collide particles. The most stable ones are e or p. LEP, LHC
  • It's like guiding a light beam with lenses. Here we use magnetic fields -> magnets. Cooled to obtain higher efficiencies and not to produce too much useless heat. Small cross section of the beam to enlarge colliding area. The tinier the particles the larger the collider (particle accelerator). We want to smash the CAR into tinier parts -> higher speeds needed. Superfluid Helium. Energy-efficiency: the larger the radius, the smaller the energy loss. Energy of each beam equals that of a Jumbo Jet 747 at takeoff (takeoff weight 400t, speed 180 km/h). Beam can melt 500kg of copper in 100 microseconds. Energy stored in the 1232 dipole magnets (10 GJ) is equivalent to that of an aircraft carrier (100000t) at 30 knots or an Airbus A380 travelling at 700 km/h. Millions of parameters to control through literally 1000 PCs and PLCs using PROFIbus, WorldFIP and Ethernet TCP/IP. Control of beam injection, beam orbit, beam position, beam ramping, magnets RF & power, cooling, beam dump, machine protection, radiation, personnel access. 1.9 K: cooler than the universe at 2.74K (Cosmic Microwave Background Radiation). CERN Control Centre (CCC), Technical Control Room (TCR), Meyrin, Prevessin Control Room (MCR/PCR), Safety Control Room (SCR), CERN Safety Alarm Monitoring (CSAM), Cooling & Ventilation, Electricity & Power, Cryogenics, Gas Detection (Sniffer), Smoke Detection, Radiation Monitoring. Avoid influence to/from the environment -> bury into the ground (radiation, other particles, barriers).
  • Also the detectors grow. Like the zoom-objectives from SLR cameras. Or magnifying glass, microscope, X-ray, … Raw information is measured. The CMS tracker comprises ~250 square metres of silicon detectors - about the area of a 25m-long swimming pool. The silicon Pixel detector comprises (in its basic form) more than 23 million detector elements in an area of just over 0.5 square meters. The lead tungstate crystals forming the ECAL are 98% metal (by mass) but are completely transparent. The 80000 crystals in the ECAL have a total mass equivalent to that of ~24 adult African elephants - and are supported by 0.4mm thick structures made from carbon-fibre (in the endcaps) and glass fibre (in the barrel) to a precision of a fraction of a millimetre. The brass used for the endcap HCAL comes from recuperated artillery shells from Russian warships. The CMS magnet will be the largest solenoid ever built. The maximum magnetic field supplied by the solenoid is 4 Tesla - approximately 100000 times the strength of the magnetic field of the earth. The amount of iron used as the magnet return yoke is roughly equivalent to that used to build the Eiffel Tower in Paris. The energy stored in the CMS magnet when running at 4 Tesla could be used to melt 18 tonnes of solid gold. During one second of CMS running, a data volume equivalent to 10,000 Encyclopaedia Britannica is recorded. The data rate handled by the CMS event builder (~500 Gbit/s) is equivalent to the amount of data currently exchanged by the world's Telecom networks. The total number of processors in the CMS event filter equals the number of workstations at CERN today (~4000 - how many failures per day?!). Control of Experiment (ECS), Magnet (MSS/MCS), Data Acquisition (DAQ), Trigger (HLT), Data Taking (Run Control), Detector Safety (DSS), Gas (GCS), C+V, Power/Electricity, Racks.
  • Consequences: moving collimators, changing interlock thresholds, failing to dump beam, ...
  • 1970: Gargamelle bubble chamber @ PS 1973: Bubble chamber @ FERMILAB 1979: PETRA 1982: UA1 @ SPS 1986: NA35 @ SPS 1992: H1 @ HERA 1995: NA49 @ SPS 2000: ALEPH @ LEP 2001: STAR @ RHIC 2008: ATLAS @ LHC

    1. 1. CERN, Security & the LHC … about the balance between academic freedom, operations & security. Dr. Stefan Lüders (CERN Computer Security Officer), “Protecting Office Computing, Computing Services, GRID & Controls”. UAB Seminar, December 18th 2009
    2. 2. Three Parts: Academic Freedom vs. Security; Control System Cyber-Security; Controlling the LHC
        • Massage your brain:
        • Ask questions anytime
        • Discussions welcome !
    3. 3. Part I: European Organization for Nuclear Research. 20 European Members; 2500 staff + 10.000 users; 600M€ annual budget; Tim Berners-Lee
    4. 4. Academic Freedom at CERN
        • CERN’s Mission:
            • Research: Seeking and finding answers to questions about the Universe
            • Technology: Advancing the frontiers of technology
            • Collaborating: Bringing nations together through science
            • Education: Training the scientists of tomorrow
        • CERN’s Users:
            • Users from hundreds of universities out of dozens of countries
            • Trainees, students, PhDs, post-docs, professors, technicians, secretaries, engineers, physicists, …
            • High turn-over of users coming/leaving
        • Academic Freedom in Research:
            • No limitations and boundaries if possible
            • Free communication & freedom to publish
            • Trial of the new, no/very fast life-cycles, all-time prototypes
        • Find the balance between:
            • Academic Freedom
            • Operation
            • Security
    5. 5. Basics on Security
        • Security is as high as the weakest link:
            • Attacker chooses the time, place, method
            • Defender needs to protect against all possible attacks (currently known, and those yet to be discovered)
            • Security is a system property (not a feature)
            • Security is a permanent process (not a product)
            • Security cannot be proven (phase-space-problem)
            • Security is difficult to achieve, and only to 100%-ε
            • Users define ε as user, admin, developer, system expert, service owner
        • BTW: Security is not a synonym for safety
    6. 6. Under Permanent Attack
        • CERN is under permanent attack… even now.
        • Servers accessible from Internet are permanently probed:
            • … attackers trying to brute-force passwords;
            • … attackers trying to break Web applications;
            • … attackers trying to break-in servers and obtain administrator rights.
        • Users are not always aware/cautious/proactive enough:
            • … attackers trying to harvest credentials outside CERN;
            • … attackers trying to “phish” user passwords.
    7. 7. Users: The Biggest Vulnerability
        • Email addresses can easily be faked !
        • Stop “Phishing” attacks: No legitimate person will EVER ask for your credentials !
        • Do not trust your web browser !
    8. 8. What about you?
        • Quiz: Which URL leads you to ?
            • http://www.ebay.comcgi-binlogin?ds=1%204324@%31%33%37%2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d
            • http://www.ebaỵ.com/ws/eBayISAPI.dll?SignIn
            • co_partnerid=2&usage=0& &encRafId=default
    9. 9. Vulnerabilities are everywhere !!!
        • Unpatched oscilloscope (running Win XP SP2)
        • Lack of input validation & sanitization
        • Confidential data on Wikis, Webs, CVS…
        • Free passwords on Google…
    10. 10. Permanent Mitigation Cycle (1) (cycle diagram: Prevention, Protection, Detection, Response)
        • Prevention:
            • Central PC management & immediate patching
            • “Rule of least privilege” for access rights
            • Security Baselining for systems/services: Contract between owner & Security Officer incl. regular reviews
            • Assessments & reviews
            • Training secure coding & configuration practices
            • Provisioning of static code analyzers
            • Definition and communication of Security Policies
    11. 11. Permanent Mitigation Cycle (2) (cycle diagram: Prevention, Protection, Detection, Response)
        • Protection:
            • “Defense-in-Depth”
            • Tightened outer perimeter firewall with life-cycle, scanning & opening approval
            • Segregated networks with dedicated purposes
            • Inter-network filtering and access control
            • Deployment of local firewalls
            • Awareness raising: Dedicated awareness sessions, Introduction sessions for newcomers, Leaf sheets & posters
    12. 12. Permanent Mitigation Cycle (3) (cycle diagram: Prevention, Protection, Detection, Response)
    13. 13. Permanent Mitigation Cycle (4) (cycle diagram: Prevention, Protection, Detection, Response)
        • Response:
            • Provisioning of CSIRT/CERT: “Computer Security Incident Response Team”, “Computer Emergency Response Team”
            • Impact analysis / classification / prioritization
            • Containment
            • Incident forensics
            • Recovery (i.e. usually reinstallation)
            • Interaction with third parties: e.g. external universities, CERTs
            • Apply lessons learned
            • Costing
            • Business continuity planning / Disaster recovery planning
    14. 15. Part II: Controlling the LHC
    15. 16. Control Systems in a Nutshell Control System Safety System
    16. 17. Hunt for the Beauty in Nature China 3000yrs ago ancient Greeks Dmitri Mendeleev 1869 1930-today Niels Bohr 1913
    17. 18. The Standard Model of HEP
        • Particles:
            • Quarks (each quark: 3 colors R, B, G): Up, Charm, Top with electric charge 2/3; Down, Strange, Bottom with electric charge -1/3
            • Leptons: Electron, Muon, Tau with electric charge -1; Electron Neutrino, Muon Neutrino, Tau Neutrino with electric charge 0
        • Forces:
            • Strong: Gluons (8); Quarks, Mesons, Baryons, Nuclei
            • Electromagnetic: Photon; Atoms, Light, Chemistry, Electronics
            • Weak: Bosons (W,Z); Neutron decay, Beta radioactivity, Neutrino interactions, Burning of the sun
            • Gravitational: Graviton ?; Solar system, Galaxies, Black holes
        • But what makes them weigh ??? Peter Higgs
    18. 19. Observables & Instruments
        • Instruments: Radio Telescope, Spy Glass, Telescope, Microscope, Electron Microscope, Particle Accelerator
        • Observables: The observable Universe, Galaxies, The Solar System, Proton, Atom, Cell, Virus, Higgs?, Nuclei
        • Scale axis from 10^-34 to 10^26 (1m marked)
    19. 20. The Large Hadron Collider (LHC) Proton Bunch Beam
    20. 21. LHC Beam Optics: Steer a beam of 85 kg TNT through a 3mm hole 10.000 times per second ! World’s largest superconducting installation (27km @ 1.9 °K) worth 2B€. Labels: Vacuum, Cryogenics, Quench Protection, Beam Position
    21. 22. CERN Accelerator Complex Pre-Accelerators Timing Machine Protection Beam Dump Beam Orbit Radio Frequency
    22. 23. General Infrastructure Safety Radiation Monitoring Cooling & Ventilation Electricity Alarmhandling Facility Management Access Control
    23. 24. Data Acquisition Control The ATLAS Experiment 7000 tons Ø22m × 43m 500M€ pure hardware Data Acquisition (Sub-)Detectors The cavern: 53m × 30m × 35m 92m below ground About 100 million data channels Run Control Experiment Triggering
    24. 25. Control Systems for Experiments The CMS Experiment 500M€ pure hardware 12500 tons, Ø15m × 22m Safety Gas Distribution Smoke Radiation Cooling & Ventilation Sniffer High Voltage Electricity Magnet Cryogenics About one million control channels
    25. 26. Control Systems at CERN
        • Experiment: ALICE, ATLAS, CMS, LHCb, LHCf and TOTEM; ALPHA (AD-5), Cast, Collaps, Compass, Dirac, Gamma Irradiation Facility, ISOLTRAP, MICE R&D, Miniball, Mistral, NA48/3, NA49, NA60, nTOF, Witch, …; GCS, MCS, MSS, and Cryogenics System
        • Accelerator Infrastructure: ADT, ACS, BQE, BPAWT, BDI, BIC, BLM, BOF, BPM, BOB, BSRT, BTV, BRA, CWAT, Cryo (Frigo, SM18 & Tunnel), BCTDC, BCTF, FGC, LEIR Low Level RF, LHC Beam Control System, LBDS, HC, LHC Logging Service, LTI, MKQA, APWL, BPL, OASIS, PIC, QDS/QPS, BQS, SPS BT, BQK, Vacuum System, WIC, and BWS
        • Accelerators: AB/OP, AD, CNGS, CCC, CLIC, ISOLDE, ISOLDE offline, LEIR, LHC, Linac 2, Linac 3, PS, PS Booster, REX, SM18, and SPS
        • Safety: ACIS, AC PS1, AC PS2, AC SPS1, AC SPS2, Alarm Repeater, ARCON, ADS, CSA, SGGAZ, SFDIN, CSAM, CESAR, DSS, LACS, LASS, LASER, Radmon, RAMSES, MSAT, Radio Protection Service, Sniffer System, SUSI, TIM, and Video Surveillance
        • Infrastructure: CV, ENS, FM, DBR, Gamma Spectroscopy, TS/CSE, and YAMS
    26. 28. Part III Control System Cyber Security
    27. 29. Overview
        • The (r)evolution of control systems... ...omitted security aspects!
        • Why worry ? The risk equation
        • Mitigation: Defense-in-Depth
        • Team Up: Risks & Mitigations are int’l !
    28. 30. Standard Hard and Software: Ethernet & Wireless; Common off-the-shelf HW; WWW & Emails; Modbus/TCP, OPC & Telnet; Desktop PCs & Laptops; C++, Java, XML, Corba...; Shared Accounts & Passwords; Oracle, Labview…; Windows & Linux
    29. 31. (R)Evolution: The Past
    30. 32. (R)Evolution: Today
    31. 33. “Controls” is not IT ! (1)
        • System Life Cycle: “Office IT” 3 – 5 years; “Controls” 5 – 20 years
        • Availability: “Office IT” scheduled interventions OK; “Controls” 24h / 7d / 365d
        • Confidentiality: “Office IT” high; “Controls” low
        • Time Criticality: “Office IT” delays tolerated; “Controls” critical
        • Security Knowledge: “Office IT” exists; “Controls” usually low
        • Intrusion detection: “Office IT” standard; “Controls” … no signatures…
        • Usage of wireless: “Office IT” frequent; “Controls” increasing use
        • DHCP: “Office IT” standard; “Controls” Fixed IPs in hardware configurations
    32. 34. “Controls” is not IT ! (2)
        • Patches & Upgrades: “Office IT” frequent; “Controls” infrequent or impossible (needs extensive tests)
        • Antivirus Software: “Office IT” standard; “Controls” rare or impossible (might block CPU)
        • Reboots: “Office IT” standard; “Controls” rare or impossible (processes will stop)
        • Admin Rights: “Office IT” to be avoided; “Controls” needs to run controls processes
        • Password Changes: “Office IT” standard; “Controls” rare or impossible (password “hardwired”)
        • Changes: “Office IT” frequent, formal & coordinated; “Controls” rare, informal & not always coordinated
        • "Do not touch a running system !!!"
    33. 35. Standard Vulnerabilities: Ethernet & Wireless; Common off-the-shelf HW; WWW & Emails; Modbus/TCP, OPC & Telnet; Desktop PCs & Laptops; C++, Java, XML, Corba...; Shared Accounts & Passwords; Oracle, Labview...; Windows & Linux
    34. 36. The TOCSSiC
        • COTS Automation Systems are without security protections.
            • Programmable Logic Controllers (PLCs), field devices, power supplies, …
            • Security not integrated into their designs
        • Teststand On Controls System Security at CERN (TOCSSiC)
            • “Nessus” vulnerability scan (used in Office IT)
            • “Netwox” DoS attack with random fragments
            • “Wireshark” network sniffer
        • … going for the low-hanging fruits !!!
    35. 37. Control Systems under Attack !
        • CERN TOCSSiC Vulnerability Scans
            • 31 devices from 7 different manufacturers (53 tests in total)
            • All devices fully configured but running idle
        • … PLCs under load seem more likely to fail !!!
        • Chart labels: 1/2007, 1/2007
    36. 38. TOCSSiC Findings (1)
        • The device crashed while receiving special non-conform packets
            • Consumption of all CPU resources (“jolt2” DoS attack)
            • Failure to properly handle overlapping IP fragments (“Nestea” attack)
            • Loss of network connectivity (Linux “zero length fragment” bug)
            • Unable to deal with special malformed packets (“oshare” attack)
        • … violation of TCP/IP standards !!!
        • 2005: DoS (70”) stopped manual control
    37. 39. TOCSSiC Findings (2)
        • FTP server allows anonymous login
        • FTP & Telnet servers crashed
            • Receiving very looooooooooong commands or arguments
        • … legacy protocols introducing security risks !
        • HTTP server crashed
            • Receiving an URL with tooooooooooooo many characters
            • Using up all resources (“WWW infinite request” attack)
        • HTTP server allows for directory traversal
        • … who needs web servers & e-mailing on PLCs, anyhow ?
        • ModBus server crashed while scanning port 502
        • … protocols are well documented (“Google hacking”) !
    38. 40. TOCSSiC Findings (3)
        • PLCs are unprotected
            • Can be stopped w/o problems (needs just a bit of )
            • Passwords are not encrypted
            • PLC might even come without authorization schemes
        • … robustness/resilience (security?) must become part of life-cycle !
        • PLCs are really unprotected
            • Services (HTTP, SMTP, FTP, Telnet,…) can not be disabled
            • Usually no local firewall or ACLs
        • … lock down of configuration by default !
    39. 41. Why worry ? Risk = Vulnerability × Threat × Consequence
    40. 42. Who is the threat ?
        • Trojans, viruses, worms, …
        • Disgruntled (ex-)employees or saboteurs
        • Attackers (giving step-by-step instructions on BlackHat conferences; providing freeware hacking tools for “Script Kiddies”)
        • Lack of procedures
            • Flawed updates or patches provided by third parties
            • Inappropriate test & maintenance rules or procedures
        • Lack of robustness
            • Mal-configured or broken devices flood the network
            • Developer / operator “finger trouble”
            • Ignorance…
        • Confidential data on Wiki, webpages, CVS…
    41. 43. Damage by Viruses / Worms ? 2003/08/11: W32.Blaster.Worm 2003: The “Slammer” worm disables safety monitoring system of the Davis-Besse nuclear power plant for 5h.
    42. 44. Damage by Lack of Robustness ? “Your software license has expired.” (Not at CERN)
    43. 45. Damage by Insiders ? 2000: Ex-Employee hacked “wirelessly” 46x into a sewage plant and flooded the basement of a Hyatt Regency hotel.
    44. 46. Damage by Attackers ? 2003/08/11: W32.Blaster.Worm April 2007 We’re HEP, so who will attack us ?!
    45. 47. LHC First Beam Day Hmm… A defaced web-page at an LHC experiment… A “flame” message to some Greek “competitors”… … on 10/09/2008: Just coincidence ? … user accounts !?!
    46. 48. Who owns the consequences ?
        • How long does it take you to reinstall your system, if requested right now ?
        • Are you prepared to take full responsibility?
        • Are you in the position to really take it ?
        • Can you allow for loss of
            • functionality
            • control or safety
            • efficiency & beam time
            • hardware or data
            • reputation…?
    47. 49. Defence-in-Depth (Network-) Protocols Firmware & Operating Systems Devices & Hardware Software & Applications System Integrator & Manufacturer Operator & User Third party applications
    48. 50. Myths about Cyber-Security
        • "Firewall protection is sufficient..."
        • "Network security, that's all you need !"
        • "Everything can be solved by technique !"
        • "More and better gadgets can solve security problems..."
        • "You can keep attackers out..."
        • "Field devices can't be hacked..."
        • "IDSs can identify possible control system attacks..."
        • "Encryption protects you..."
    49. 51. Ground Rules for Cyber-Security
        • Separate Networks
        • Control (Remote) Access
        • Increase Robustness
        • Patch, Patch, Patch !!!
        • Review Development Life-Cycle
        • Foster Collaboration & Policies
        • Inherit IT Security, too !
    50. 52. Separate Networks
        • Deploy different networks for different purposes:
            • … for operations with sub-nets for different functions
            • … for development and basic testing
            • … for beam-lines & experiments
            • Campus network for office computing
        • Restrict their usage:
            • Assign responsibilities and deploy authorization procedures
            • Drop Internet connectivity, (GPRS) modems, wireless access points
            • Control inter-communication between networks
            • Block laptops, email & control web pages
            • Control remote access
            • Deploy traffic monitoring & Intrusion Detection Systems
    51. 53. Patch, Patch, Patch !!!
        • Ensure prompt security updates:
            • Pass flexibility and responsibility to the experts
            • They decide when to install what on which control PC
            • Integrate resilience to rebooting PCs
            • NOT patching is NOT an option
        • Deploy protective measures:
            • Local firewalls
            • Anti-virus software & updated signature files
            • Control remotely accessible folders
        • Linux or Macs are not more secure:
            • Trend towards application-based attacks (e.g. Adobe Reader, Firefox)
            • Trend towards web-based attacks (e.g. web browser plug-ins)
        • Plan for the costs !
    52. 54. Control (Remote) Access
        • Follow “Rule of Least Privilege”:
            • Restrict all access to minimum
            • Ensure traceability (who, when, and from where)
            • Keep passwords secret
        • … for all assets:
            • Control PCs & operating systems
            • SCADA applications & user interfaces
            • Procedures, documentation, etc.
        • “Role Based Access Control” for op’s:
            • Avoid “shared” accounts
            • Multi-factor authentication for critical assets
            • Full control for the shift leader of operations
    53. 55. Increase Robustness
        • PLCs and other controls devices are completely unprotected:
            • No firewall, no anti-virus, nothing
        • Assess all systems:
            • Run vulnerability tools on everything (e.g. PLCs, control PCs, SCADA, data bases, web servers)
            • Review configuration settings and remove unnecessary services (e.g. emailing, web servers, Telnet, FTP)
            • Deploy additional protective measures if needed (VPN, ACL, …)
            • Define Security Baselines: Make systems resilient & robust
        • CERN 2007
    54. 56. Review Development Life-Cycle
        • Review procedures for
            • ...development of hardware & applications
            • ...system testing
            • ...deployment
            • ...operations
            • ...maintenance & bug fixing
        • Use software versioning systems, configuration management, and integration frameworks (CVS, SVN, Git)
        • Protect operations
            • Keep development separated from operations (eventually debugging might need access to full accelerator hardware)
            • Avoid online changes for the sake of safe operations: Online changes must be authorized by the shift leader for operations
        • A Boeing 777 uses similar technologies to Process Control Systems
    55. 57. Foster Collaboration & Policies
        • Make security an objective
            • Get management buy-in (security has a cost – successful attacks, too)
            • Produce “Security Policy for Controls”
            • Follow the basic standards of Industry
        • Bring together control & IT experts:
            • Control system experts know their systems by heart – but IT concepts ?
            • IT people often don’t know controls – but IT security they do
            • Win mutual trust & get their buy-in
            • Gain synergy effects
        • Train users and raise awareness
        • Change the Culture !!!
    56. 58. Team up: The International Risk. Risk = Vulnerability × Threat × Consequence
    57. 59. Control Systems for Living
        • … in the electricity sector
            • transmission & distribution, fossil, hydro, nuclear
        • … in the oil & gas sector
        • … in the water & waste sector
        • … in the chemical and pharmaceutical industry
        • … in the transport sector
        • … for production:
            • e.g. cars, planes, clothes, media
        • … in supermarkets
            • e.g. scales, fridges
        • … for facility management
            • electricity, water, C&V
        • COBB County Electric, Georgia; Middle European Raw Oil, Czech Republic; Athens Water Supply & Sewage; Merck Sharp & Dohme, Ireland; CCTV Control Room, UK; Reuters TV Master Control Room
    58. 60. Critical Infrastructure
        • Increased focus since 9/11 and due to today’s general security situation:
            • Electricity
            • Oil & Gas
            • Water & Waste
            • Chemical & Pharmaceutical
            • Transport
        • Critical Infrastructure Protection (CIP)
    59. 61. (Too) Many Standards ?
        • “Good Practice Guidelines Parts 1-7” U.K. Centre for the Protection of National Infrastructure (CPNI)
        • “Manufacturing and Control Systems Security” ANSI/ISA SP99 TR99.00.01-04
        • “Cyber Security Procurement Language for Control Systems” Idaho National Labs
        • “Guide to SCADA and Industrial Control Systems Security” NIST SP800-82
        • “Critical Infrastructure Protection CIP-002 to CIP-009” U.S. Federal Energy Regulatory Commission (FERC)
        • “Information Technology ― Security Techniques” and “Systems and Software Engineering ― Software Life Cycle Processes” ISO/IEC 27001:2005 and ISO/IEC 12207:2009
        • + Common Criteria, AGA, CIDX, ISPE, OLF #104, bdew whitepaper, etc. pp.
    60. 62. “Procurement Language”
        • Manufacturers and vendors are part of the solution !
            • Security demands must be included into orders and call for tenders
        • “Procurement Language” document
            • “… collective buying power to help ensure that security is integrated into SCADA systems.”
            • “Copy & Paste” paragraphs for System Hardening, Perimeter Protection, Account Management, Coding Practices, Flaw Remediation, …
    61. 63. Team Up ! EuroSCSIE
        • “European Information Exchange on SCADA and Control System Security”
            • “… is for those European Governments, Industry and research institutions that are dependent upon and, or whose responsibility it is to improve the security of SCADA and Control Systems ...”
            • 19 members from 13 European countries (50% authorities, 50% users)
            • Government Initiatives:
            • Global Players:
            • Conferences: SCADA Security Scientific Symposium (1/2010, Miami)
    62. 64. Summary
        • The (r)evolution of control systems... ...omitted security aspects!
        • Why worry ? The risk equation
        • Mitigation: Defense-in-Depth
        • Team Up: Risks & Mitigations are int’l !
    63. 65. Happy New Year ! 1992 1970 1982 2000 1979 1995 1986 2001 1973 2010!
    64. 66. Questions ?
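
The URL quiz on slide 8 uses two tricks: familiar-looking text placed before an "@" with the real host percent-encoded behind it, and a look-alike non-ASCII letter in the host name. The Python sketch below is an added example, not part of the original slides; it reports the host a client would actually contact and why a URL is suspicious. The function names `effective_host` and `matches_expected`, the sample URLs and the `example.com` domain are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (not taken from the slides).
SAMPLES = [
    # Familiar name is only userinfo; the real host is a percent-encoded IP.
    "http://www.example.com@%31%39%32%2e%30%2e%32%2e%31%30/p?x=1",
    # Look-alike letter (U+1E37, l with dot below) in the host name.
    "http://www.examp\u1e37e.com/signin",
    # Ordinary URL on the expected domain.
    "https://signin.example.com:443/ws/login?x=1",
]


def effective_host(url):
    """Return (host, flags): the host actually contacted and warning flags."""
    netloc = urlsplit(url).netloc
    flags = []

    # Everything before the last '@' is userinfo, not the destination.
    _userinfo, at, hostport = netloc.rpartition("@")
    if at:
        flags.append("userinfo-before-@")

    # Drop a trailing :port (bracketed IPv6 literals are kept intact).
    if hostport.startswith("["):
        host = hostport.partition("]")[0] + "]"
    else:
        host = hostport.partition(":")[0]

    # A percent-encoded host hides the destination from a casual reader.
    if "%" in host:
        flags.append("percent-encoded-host")
        host = unquote(host)
    host = host.lower().rstrip(".")

    # A bare IP address instead of a name is unusual for a login page.
    try:
        ipaddress.ip_address(host.strip("[]"))
        flags.append("ip-literal-host")
    except ValueError:
        pass

    # Non-ASCII letters can imitate ASCII ones; show the punycode form,
    # which makes the difference visible.
    if not host.isascii():
        flags.append("non-ascii-host")
        try:
            host = host.encode("idna").decode("ascii")
        except UnicodeError:
            flags.append("invalid-idn")
    return host, flags


def matches_expected(url, expected_domain):
    """True only if the URL lands on expected_domain with no warning flags."""
    host, flags = effective_host(url)
    on_domain = host == expected_domain or host.endswith("." + expected_domain)
    return on_domain and not flags, host, flags


if __name__ == "__main__":
    for sample in SAMPLES:
        ok, host, flags = matches_expected(sample, "example.com")
        print("OK     " if ok else "SUSPECT", host, flags)
```
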