01-03-2010, 12:04 AM
Abstract
Over the last few years modern accelerator and experiment control systems have increasingly been based on commercial-off-the-shelf products (VME crates, PLCs, SCADA systems, etc.), on Windows or Linux PCs, and on communication infrastructures using Ethernet and TCP/IP. Despite the benefits coming with this ®evolution, new vulnerabilities are inherited, too: Worms and viruses spread within seconds via the Ethernet cable, and attackers are becoming interested in control systems. Unfortunately, control PCs cannot be patched as fast as office PCs. Even worse, vulnerability scans at CERN using standard IT tools have shown that commercial automation systems lack fundamental security precautions: Some systems crashed during the scan, others could easily be stopped or their process data be altered . The (CS)2/HEP workshop [2] held the weekend before ICALEPCS2007 was intended to present, share, and discuss countermeasures deployed in HEP laboratories in order to secure control systems. This presentation will give a summary of the solutions planned, deployed and the experience gained.
Presented By
S. Lüders*, CERN, Geneva, Switzerland
INTRODUCTION
The enormous growth of the worldwide interconnectivity of computing devices (the Internet) during the last decade offers computer users new means to share and distribute information and data. In industry, this results in an adoption of modern Information Technologies (IT) to their plants and, subsequently, in an increasing integration of the production facilities, i.e. their process control and automation systems, and the data warehouses. Thus, information from the factory floor is now directly available at the management level (From Shop-Floor to Top-Floor) and can be manipulated from there. However, with a thorough inter-connection of business and controls network, the risk of suffering from a security breach in distributed process control and automation systems# increases. This risk can be expressed as in the following formula: Risk = Threat × Vulnerability × Consequence The different factors are explained in the following. Threats This interconnected world is by far more hostile than a local private controls network. The number of potential threats increases as worms and viruses can now easily propagate to control systems and attackers start to become interested in control systems too. Additional threats can be operators or engineers who download configuration data to the wrong device, or broken controls devices that flood the controls network and, thus, bring it to a halt. The major part of the factor threat originates from outside and cannot be significantly reduced. Thus, protective measures have to be implemented to prevent external threats penetrating control systems. These protective measures should also prevent insiders from (deliberate or accidental) unauthorized access.
Vulnerabilities
The adoption of standard modern IT in control systems also exposes their inherent vulnerabilities to the world. Programmable Logic Controllers (PLCs) and other controls devices (even valves or temperature sensors) are nowadays directly connected to Ethernet, but often completely lack security protections [1]. Control PCs are based on Linux and Microsoft Windows operating systems, where the latter is not designed for control systems but for office usage. Even worse, control PCs can not be patched that easily, as this has to be scheduled beforehand. In addition, controls applications may either not be compliant with a particular patch or software licenses to run controls applications may become invalid. Finally, using emailing or web servers has become normal on control systems today; even web cameras and laptops can now be part of them. The vulnerability factor can either be minimized by guaranteeing a prompt fix of published or known vulnerabilities, and/or by adding pro-active measures to secure the unknown, potential or not-fixable vulnerabilities.
Consequences
Within the High-Energy Physics (HEP) community, control systems are used for the operation of the large and complex accelerators and beam lines, the attached experiments, as well as for the technical infrastructure (e.g. power & electricity, cooling & ventilation). All are running a wide variety of control systems, some of them complex, some of them dealing with personnel safety, some of them controlling or protecting very expensive or irreplaceable equipment. Thus, the consequences from suffering a security incident are inherent to the design of e.g. accelerators at stake. A security incident can lead to loss of beam time and physics data, or †even worse †damage to, or destruction of, unique equipment and hardware.
Control System Cyber-Security in HEP
In order to cope with the growing usage of standard IT technologies in control systems, several HEP laboratories worldwide have reviewed their operation principles by taking the aspect of security into account. This paper will give a summary on the Control System Cyber-Security
Over the last few years modern accelerator and experiment control systems have increasingly been based on commercial-off-the-shelf products (VME crates, PLCs, SCADA systems, etc.), on Windows or Linux PCs, and on communication infrastructures using Ethernet and TCP/IP. Despite the benefits coming with this ®evolution, new vulnerabilities are inherited, too: Worms and viruses spread within seconds via the Ethernet cable, and attackers are becoming interested in control systems. Unfortunately, control PCs cannot be patched as fast as office PCs. Even worse, vulnerability scans at CERN using standard IT tools have shown that commercial automation systems lack fundamental security precautions: Some systems crashed during the scan, others could easily be stopped or their process data be altered . The (CS)2/HEP workshop [2] held the weekend before ICALEPCS2007 was intended to present, share, and discuss countermeasures deployed in HEP laboratories in order to secure control systems. This presentation will give a summary of the solutions planned, deployed and the experience gained.
Presented By
S. Lüders*, CERN, Geneva, Switzerland
INTRODUCTION
The enormous growth of the worldwide interconnectivity of computing devices (the Internet) during the last decade offers computer users new means to share and distribute information and data. In industry, this results in an adoption of modern Information Technologies (IT) to their plants and, subsequently, in an increasing integration of the production facilities, i.e. their process control and automation systems, and the data warehouses. Thus, information from the factory floor is now directly available at the management level (From Shop-Floor to Top-Floor) and can be manipulated from there. However, with a thorough inter-connection of business and controls network, the risk of suffering from a security breach in distributed process control and automation systems# increases. This risk can be expressed as in the following formula: Risk = Threat × Vulnerability × Consequence The different factors are explained in the following. Threats This interconnected world is by far more hostile than a local private controls network. The number of potential threats increases as worms and viruses can now easily propagate to control systems and attackers start to become interested in control systems too. Additional threats can be operators or engineers who download configuration data to the wrong device, or broken controls devices that flood the controls network and, thus, bring it to a halt. The major part of the factor threat originates from outside and cannot be significantly reduced. Thus, protective measures have to be implemented to prevent external threats penetrating control systems. These protective measures should also prevent insiders from (deliberate or accidental) unauthorized access.
Vulnerabilities
The adoption of standard modern IT in control systems also exposes their inherent vulnerabilities to the world. Programmable Logic Controllers (PLCs) and other controls devices (even valves or temperature sensors) are nowadays directly connected to Ethernet, but often completely lack security protections [1]. Control PCs are based on Linux and Microsoft Windows operating systems, where the latter is not designed for control systems but for office usage. Even worse, control PCs can not be patched that easily, as this has to be scheduled beforehand. In addition, controls applications may either not be compliant with a particular patch or software licenses to run controls applications may become invalid. Finally, using emailing or web servers has become normal on control systems today; even web cameras and laptops can now be part of them. The vulnerability factor can either be minimized by guaranteeing a prompt fix of published or known vulnerabilities, and/or by adding pro-active measures to secure the unknown, potential or not-fixable vulnerabilities.
Consequences
Within the High-Energy Physics (HEP) community, control systems are used for the operation of the large and complex accelerators and beam lines, the attached experiments, as well as for the technical infrastructure (e.g. power & electricity, cooling & ventilation). All are running a wide variety of control systems, some of them complex, some of them dealing with personnel safety, some of them controlling or protecting very expensive or irreplaceable equipment. Thus, the consequences from suffering a security incident are inherent to the design of e.g. accelerators at stake. A security incident can lead to loss of beam time and physics data, or †even worse †damage to, or destruction of, unique equipment and hardware.
Control System Cyber-Security in HEP
In order to cope with the growing usage of standard IT technologies in control systems, several HEP laboratories worldwide have reviewed their operation principles by taking the aspect of security into account. This paper will give a summary on the Control System Cyber-Security