4th Control System Cyber-Security Workshop
More “discipline” is what we need.
Dr. Stefan Lüders (CERN Computer Security Officer) with contributions from
S. Banerin (UW School of Medicine), E. Bonaccorsi (LHCb), E. Carrone (SLAC), P. Chochula (ALICE), S. Gysin (ESS),
R. Krempaska (PSI), T. Sugimoto (SPring8), F. Tilaro (CERN)
ICALEPCS, San Francisco (California), October 7th 2013
Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “4th CS2/HEP Workshop Summary” — Dr. Stefan Lüders — ICALEPCS2013 ― October 6th 2013
Why Control System Cyber-Security…
Switching off the light (CERN conference room)
Switching off the light (US cities)
http://democrats.energycommerce.house.gov/sites/default/files/documents/Report-Electric-Grid-Vulnerability-2013-5-21.pdf
Switching off accelerators!
…needs a disciplined approach!
With some discipline, people managed to have…
…full network segregation & firewalling (ALICE, LHCb, PSI)
…tightly controlled remote access (ALICE, PSI, SPring8): 2FA authentication; SSH gateways; shift-leader-enabled VPN tunnels
…fine-grained local access control (ALICE, ESS, SPring8): users vs. experts vs. admins; down to Channel Access; role-based
…agreed procedures for data transfer (ALICE): data replication (outgoing), manual file inspection (incoming)
…inventories & configuration management (CERN, PSI): dependency analysis; Kickstart & Puppet; but patching still too infrequent
…standards & regulations compliance (CERN, SLAC, UW): IEC 61850 robustness; 800-53 (IT) vs. 800-82 (ICS); HIPAA/FERPA/FDA
Control System Cyber-Security is feasible!!
You just need to be disciplined…
…able to prioritize… 1. Safety 2. Availability 3. Security
…and bring together what belongs together:
Functionality, usability, availability, maintainability, and security
Let’s tackle it JOINTLY!!!
https://indico.cern.ch/conferenceDisplay.py?confId=217457
Thank you very much!!!
In particular to ~35 participants &
esp. to all presenters…
…as well as to the Organizing Committee!!!