Presentation is loading. Please wait.

Presentation is loading. Please wait.

Problems to Overcome Implementation Issues at CERN Dr. Stefan Lüders (CERN Computer Security Officer) (CS) 2 /HEP Workshop, Kobe (Japan) October 11th 2009.

Published byAshlynn Jefferson Modified over 8 years ago

Similar presentations

Presentation on theme: "Problems to Overcome Implementation Issues at CERN Dr. Stefan Lüders (CERN Computer Security Officer) (CS) 2 /HEP Workshop, Kobe (Japan) October 11th 2009."— Presentation transcript:

1 Problems to Overcome Implementation Issues at CERN Dr. Stefan Lüders (CERN Computer Security Officer) (CS) 2 /HEP Workshop, Kobe (Japan) October 11th 2009

2 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 Overview

3 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 Why worry ?

4 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 LHC First Beam Day Hmm… A defaced web-page at an LHC experiment… A “flame” message to some Greek “competitors”… …on 10/09/2008: Just coincidence ?

5 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 Violation of Basic Principles ! Configuration well documented in Google… Neglected “Rule of Least Privileges”: Everyone could upload whatever he/she wants… Lack of input validation & sanitization

6 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 Defense-in-Depth

7 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 Separate Networks Deploy different networks for different purposes: ► …for accelerator, experiments, offices ► …no Internet connectivity ► …controlled remote access ► …no wireless nor (GPRS) modems However: ► LHC status data needs to be transmitted to experiments (e.g. run info) ► Informational web-sites need to be visible to the inside and outside (logbooks, status pages, expert instructions) ► Developers need sufficient access for further development & debugging (“This is an all-time, permanent prototype.”) ► Laptops needed in vast underground areas for commissioning ► Some remote sites are not connected by the “right” network (or at all)

8 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 Hacked oscilloscope at CERN (running Win XP SP2 unpatched) Patch, Patch, Patch !!! Ensure prompt security updates: ► Pass flexibility and responsibility to the experts ► They decide when to install what on which control PC ► Integrate resilience to rebooting PCs ► NOT patching is NOT an option ► Harden systems (e.g. with firewall, AV) However: ► Under pressure priorities are different ► Many sensitive systems which need proper maintenance schedule – rare now ! ► Oscilloscopes might be patched, but lack proper procedures issued by the corresponding vendor… ► “Cry Wolf”: more downtime due to patching than due to attacks… ► Lack of test & connection procedures of 3 rd party PCs

9 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 “At CERN, several Windows control PCs were compromised... Analysis indicated that a [THIRD PARTY CONTROLS SOFTWARE] installed silently an MS-SQL database account and left the password empty by default...” (Not at CERN ) Follow “Rule of Least Privilege”: ► Restrict all access to minimum ► Ensure traceability (who, when, and from where) ► Deploy role-based access system However: ► Typing passwords vs. convenience ► Is “I know you” an authentication factor ? ► Developers need elevated privileges ► “Rule of Least Privilege” not always known/followed, e.g. when publishing data ► Difficult to integrate commercial hardware ► Remote access for too many developers and experts is a nightmare Control (Remote) Access

10 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 “Your software license has expired.” (Not at CERN ) Protecting PLCs and other controls devices: ► Run vulnerability tools on everything ► Harden configuration settings ► Deploy additional protective measures if needed (VPN, ACL, …) However: ► Protection difficult in “mesh-type” inter-communications… ► …and under complex dependencies ► Vulnerability scans can do harm ! ► Hardening not always supported by system ► Lack of integrated access control inside the device is challenging ! Increase Robustness CERN 2007

11 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 A Boeing 777 uses similar technologies to Process Control Systems Review Development Life Cycle Review procedures for ►...development of hardware & applications ►...testing & deployment ►...operation ►...maintenance & bug fixing ► Use software versioning systems, configuration management, and integration frameworks (CVS, SVN, Git) However, ► Lack of proper test-benches, which are 100% realistic & cover all aspects (“This is an all-time, permanent prototype”) ► (Secure) Software Development Life-Cycles require a change-of-culture ► Static source code analysers & code reviews necessary......but either for low-hanging-fruits or expensive !

12 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 Make security an objective ► Get management buy-in (security has a cost – successful attacks, too) Bring together control & IT experts: ► Win mutual trust ► Gain synergy effects Train users and raise awareness However: ► Difficult to get buy-in when developers & management are under pressure ► Old (negative) feelings and perceptions difficult to eradicate ► Duplication of services part of the “academic freedom” Foster Collaboration & Policies

13 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 Force the Vendors on Board Manufacturers and vendors are part of the solution ! ► Security demands must be included into orders and call for tenders “Procurement Language” document ► “… collective buying power to help ensure that security is integrated into SCADA systems.” However: ► This will increase the visible costs ► Who takes the responsibility ? ► Manufacturers not always prepared to handle such demands ► What if no vendor will/can deliver ? http://www.msisac.org/scada

14 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 Summary

15 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Problems to Overcome” — Dr. Stefan Lüders — CS2/HEP Workshop — October 11 th 2009 Thank you very much !!! Quiz: Which link leads to www.ebay.com ? ►http://www.ebay.com\cgi-bin\login?ds=1%204324@%31%33%37 %2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d ►http://www.ebaỵ.com/ws/eBayISAPI.dll?SignIn ►http://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo&siteid=0& co_partnerid=2&usage=0&ru=http%3A%2F%2Fwww.ebay.com&rafId=0 &encRafId=default ►http://secure-ebay.com

Download ppt "Problems to Overcome Implementation Issues at CERN Dr. Stefan Lüders (CERN Computer Security Officer) (CS) 2 /HEP Workshop, Kobe (Japan) October 11th 2009."

Similar presentations

4 th Control System Cyber-Security Workshop Exchanging ideas on HEP security Dr. Stefan Lüders (CERN Computer Security Officer) 4 th (CS) 2 /HEP Workshop,

4 th Control System Cyber-Security Workshop Exchanging ideas on HEP security Dr. Stefan Lüders (CERN Computer Security Officer) 4 th (CS) 2 /HEP Workshop,
How things go wrong. The lucky one and the unlucky one Dr. Stefan Lüders (CERN Computer Security Officer) 3 rd (CS) 2 /HEP Workshop, Grenoble (France)

How things go wrong. The lucky one and the unlucky one Dr. Stefan Lüders (CERN Computer Security Officer) 3 rd (CS) 2 /HEP Workshop, Grenoble (France)
Configuration Management

Configuration Management
Selecting the Right Network Access Protection (NAP) Architecture Infrastructure Planning and Design Published: June 2008 Updated: November 2011.

Selecting the Right Network Access Protection (NAP) Architecture Infrastructure Planning and Design Published: June 2008 Updated: November 2011.
3 rd Control System Cyber-Security Workshop A Summary of this year’s meeting Dr. Stefan Lüders (CERN Computer Security Officer) with contributions from.

3 rd Control System Cyber-Security Workshop A Summary of this year’s meeting Dr. Stefan Lüders (CERN Computer Security Officer) with contributions from.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
Supervision of Production Computers in ALICE Peter Chochula for the ALICE DCS team.

Supervision of Production Computers in ALICE Peter Chochula for the ALICE DCS team.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Chapter 2 Information Security Overview The Executive Guide to Information Security manual.

Chapter 2 Information Security Overview The Executive Guide to Information Security manual.
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

Similar presentations

Ads by Google