
Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003




Incident Summary, 2000-2002

2000  2001  2002  Incident Type
  16    59    31  System compromised (intruder has control): security holes in software (e.g. ssh, ftp, telnet, ICQ,…)
  86    42    25  Compromised CERN accounts: sniffed or guessed passwords
   9    11    21  Serious Viruses: several new viruses are released each day
  18    13    21  Unauthorised use of file servers: insufficient access controls
   9    15    16  Serious SPAM incidents: CERN email addresses are regularly forged
  17    11     9  Miscellaneous security alerts
 155   151   123  Total Incidents


Conclusions

- Intruders or serious viruses were detected on a total of 77 CERN systems during 2002
  - Firewall blocks many attempts per day
  - Intrusions succeed almost weekly

- Security patches for all software need to be applied in a timely fashion
  - A balance is needed between risk and stability, but for systems directly exposed outside the firewall the risk is extremely high (the patch may come too late)

- Exposing sensitive systems (e.g. controls) directly outside the firewall is a recipe for disaster
  - They will be targeted continually by hostile code, which even if unsuccessful, has a performance and stability impact


Recommendations for remote access to control systems

- Strictly limit access to a minimal set of clearly identified and authorised users
  - Individual usernames are essential even if software or data is shared
  - Logs of connections and actions are needed for incident identification and correction

- Provide remote access via independent systems
  - Separate remote access from the control systems and clearly define the interaction to reduce risks
  - Ensure sufficient security on the remote access systems
  - Minimal configuration which can be exposed in the firewall at low risk
  - Active management and monitoring with timely patches applied
  - LXPLUS and VPN servers offer remote access to CERN
  - A remote access service dedicated to control systems may be required for strengthened security in the LHC era


Solutions for Remote Access

- Control screens and applications can be managed remotely via encrypted tunnels
  - Locally installed applications encrypted inside SSH (http://cern.ch/security/ssh/encrypt_connections.htm)
  - VNC (Virtual Network Computing) encrypted inside SSH (http://cern.ch/security/ssh/encrypt_vnc.htm)
  - CERN VPN encrypted connections (http://cern.ch/vpn) allow remote computers to connect as if running on the CERN Campus Network


Encrypting applications with SSH

- An application(s) on the remote workstation is configured to connect locally to ssh
- Ssh is configured to route the local client application to a CERN server application
- An ssh connection is opened to CERN (e.g. lxplus) and the client application is launched as if running at CERN.
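
An added example, not from the original slides: a constructed ssh_config showing the forwarding described above (the application connects to a local port and ssh carries it to the server), with a small Python check that flags forwarded listeners other machines could reach. The Host aliases, user name and *.example servers are placeholders, and Match and Include directives are not handled.

```python
import shlex

# Constructed sample ssh_config for a workstation outside CERN. The Host
# aliases, user name and *.example servers are placeholders (assumptions).
SAMPLE_CONFIG = """\
Host cern-vnc
    HostName lxplus.cern.ch
    User jdoe
    ExitOnForwardFailure yes
    # VNC viewer connects to 127.0.0.1:5901; ssh carries it to the server
    LocalForward 127.0.0.1:5901 vncserver.example:5901

Host cern-app
    HostName lxplus.cern.ch
    User jdoe
    GatewayPorts yes
    LocalForward 8080 appserver.example:80
    LocalForward *:9000 appserver.example:9000
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

def audit_forwards(config_text):
    """Return (host, listener, problem) for each risky LocalForward."""
    findings, host, opts, forwards = [], None, {}, []

    def flush():  # evaluate the Host block that just ended
        for listener in forwards:
            bind, sep, _port = listener.rpartition(":")
            if not sep:  # bare port: GatewayPorts decides the bind address
                if opts.get("gatewayports", "no") == "yes":
                    findings.append((host, listener, "GatewayPorts exposes listener"))
            elif bind not in LOOPBACK:  # '*', empty or a LAN address
                findings.append((host, listener, "listener not bound to loopback"))
        if forwards and opts.get("exitonforwardfailure", "no") != "yes":
            findings.append((host, "-", "ExitOnForwardFailure not set"))

    for raw in config_text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "host":
            flush()
            host, opts, forwards = " ".join(args), {}, []
        elif key == "localforward" and args:
            forwards.append(args[0])
        elif args:
            opts.setdefault(key, args[0].lower())  # first value wins, as in ssh
    flush()
    return findings
```

A listener bound to anything other than loopback lets other hosts on the remote workstation's network use the tunnel into the site, which defeats the point of a per-user encrypted connection.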


VPN (Virtual Private Network)

- A remote computer can connect to the Internet using an arbitrary Internet Service Provider (ISP) and have an IP Address in the Internet.
- The VPN client software on the remote computer exchanges data through an encrypted tunnel with a dedicated VPN server at CERN
- The remote computer acts as if it was on the CERN Intranet and can run applications transparently through the tunnel


Securing VPN Client access

- Protect the computer
  - Anti-virus updated at least daily (for Windows PCs)
  - Operating system and installed applications kept secure for all known security holes
  - Firewall for home computers with permanent connections (e.g. ADSL)
  - System restricted to only run essential applications
  - games, music and freely copied software are targets for viruses

- Protect the account & password
  - Require registration (no default access)
  - Verify that VPN passwords cannot be cracked
  - Require at least 128 bit encryption
  - Limit unsuccessful login attempts

- CERN’s VPN Security Requirements are at: http://cern.ch/vpn/security


Summary

- Avoid direct off-site Internet access for control systems
  - Use technical network or TCP/IP Connectivity = NONE
  - Discuss requirements with Campus Network team

- Configure control systems securely and apply patches in a timely fashion
  - The balance between stability and risk needs to take account of almost weekly on-site intrusions

- Provide remote access via independent systems with strict security and clearly defined interaction with control systems
  - Implement user level access controls and logging
  - LXPLUS and VPN servers provide remote access to CERN.
  - Enhanced solutions may be needed for the LHC era.