Presentation is loading. Please wait.

Presentation is loading. Please wait.

CEBAF Control System Access

Published by Modified over 5 years ago

Similar presentations

Presentation on theme: "CEBAF Control System Access"— Presentation transcript:

1 CEBAF Control System Access
Title Page Design 1 CEBAF Control System Access Anthony Cuffe

2 What is ACE? The Accelerator Computing Environment (ACE) is a collection of network segments (enclaves and fiefdoms) maintained by the Accelerator Computing Group (ACG) dedicated to the control and support of Accelerator Operations. This includes isolated, self-sufficient fiefdoms and specialized computing enclaves dedicated to the: Control of Accelerator operations (CEBAF) Control of LERF, SRF and ITF operations Support of End Station operations Development of controls software and hardware related to these facilities. This also includes several non-isolated enclaves for: User desktops for Accelerator and Engineering support staff Windows Terminal Servers Site-Wide Services (logbooks, database, web services, …) Interior Page Design 1 Overview

3 Network Segmentation/Isolation
Segmentation of our Fiefdoms/Enclaves from the rest of site is implemented through Network based ACLs and Firewalls. Access to external internet is only allowed on non-operational networks. acenet (ACE Desktop Enclave) wintsnet ( Windows Terminal Server Network) Systems are grouped together in special networks by function to simplify Firewall/ACLs rules. Fiefdoms: opsnet, devnet, srfnet,… Special Networks: bkupnet, accupsnet, consrvnet, cagwnet, … Protection of vulnerable systems: plcnet, opsiocnet Interior Page Design 1

4 Network Segmentation (CNI to ACE)
Interior Page Design 1

5 Remote Access – Two Factor
Access from the outside is only allowed via ssh through a gateway system (acclogin). Remote logins (ssh) to Accelerator systems require two-factor authentication using crypto-tokens generated from a Smartphone App or CRYPTOCard keyfob. Management and assignment of the CRYPTOCards are done by both ACE and CNI. Faster response to user issues Tighter control over users with ACC access A separate Accelerator login account is also required to access the control system. Interior Page Design 1

6 Physical Security All critical and sensitive Accelerator systems reside within the confines of the Accelerator Site which is a fenced area with controlled access. All personnel must be badged. Access to specific areas is controlled by badge readers (CANS) that authorize entry only to those staff and users that have appropriate training and access privileges. Access is controlled by physical locks where CANS is not available. Access is logged and video taped in sensitive areas (MCC Datacenter). Backup systems and media are always kept under lock and key and backups are stored in an off-site safe. Visitors must have an escort. Interior Page Design 1

7 User and Group Accounts
Individuals access and manipulate the control system using their own accounts. General purpose logins (group accounts) are avoided whenever possible and normally utilized for long-running services. General purpose logins are controlled and logged using sudo. Local accounts are avoided at all costs. Passwords are changed at least every 6 months (enforced through Kerberos). User auditing is done continuously Interior Page Design 1

8 EPICS – Channel Access Security
Almost all ACC Control/SCDA Systems are based on EPICS. Channel Access is the command-and-control communication protocol used by EPICS. Provides the security layer for EPICS. Allows users to read, write and monitor real-time data from low-level controls. Allows for Host and User based access control (read and write). Interior Page Design 1

9 CA Security Measures Controlled by Network based ACLs/Firewalls in, out and between ACE networks. Read-access is granted to all users on local networks and made available to external network through CA gateways. Write-access during operational periods is authenticated by user (operations staff only) and host computer (strictly managed). Short-term access to non-operator support staff can be granted by the Crew Chief. Specially trained experts (MAC) can also be granted pre-defined, limited access by the Crew Chief with a short expiration. Approved Operators and MAC users are designated by OPS group leader. Write-access during non-operational periods is authenticated by host computer only (open channel access). Physical access controls are employed for Controls hardware. All control system writes are logged (caputlog and splunk). Interior Page Design 1

10 ? Interior Page Design 2

Download ppt "CEBAF Control System Access"

Similar presentations

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
Accelerator Controls Brad Cumbia Anthony Cuffe December 1, 2010 Remote Access Review.

Accelerator Controls Brad Cumbia Anthony Cuffe December 1, 2010 Remote Access Review.
Network security policy: best practices

Network security policy: best practices
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.

Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.

SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.
CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor:

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor:
 What is intranet What is intranet  FeaturesFeatures  ArchitectureArchitecture  MeritsMerits  applicationsapplications  What is ExtranetWhat is.

 What is intranet What is intranet  FeaturesFeatures  ArchitectureArchitecture  MeritsMerits  applicationsapplications  What is ExtranetWhat is.
Auditing Information Systems (AIS)

Auditing Information Systems (AIS)
1 Introduction to Microsoft Windows 2000 Windows 2000 Overview Windows 2000 Architecture Overview Windows 2000 Directory Services Overview Logging On to.

1 Introduction to Microsoft Windows 2000 Windows 2000 Overview Windows 2000 Architecture Overview Windows 2000 Directory Services Overview Logging On to.

Similar presentations

Ads by Google