SAS: Security for Accelerator

Tuesday, February 17, 2015 @ 05:02 PM gHale


By Gregory Hale
When it comes down to it, security technology is solid, but people continue to remain the weakest link.

“Security is a training problem for people, technology is not the problem,” said Stefan Lueders, Computer Security Officer at CERN during his Tuesday session at Kaspersky’s Security Analyst Summit 2015 (SAS) in Cancun, Mexico.

RELATED STORIES
SAS: Security a ‘Workable Problem’
SAS: Intricate Attacks on Banks
DDoS Attack Costs on Rise
Security a Differentiator for Users

The European Organization for Nuclear Research known as CERN is a European research organization whose purpose is to operate the world’s largest particle physics laboratory. Established in 1954, CERN headquarters are in Geneva and the organization has 21 European member states.

“We have control systems in quite a few different areas,” Lueders said.

CERN has scientists using the facility from all over the world, Russia, China, U.S., Japan, just to name a few, so that means remote access is an important tool he must secure.

“People need permanent access from all over,” Lueders said.

Lueders said control system security professionals should not always have to reinvent the wheel. He said there are enough IT security devices and products that should take care of most OT issues.

One of those OT issues that always creep up, though, is patching.

“Patching must be prompt and agile,” he said. “We do not have technical stops, only stops in a year, that is when we do patches.”

Lueders listed some of the main patching issues:
• Heavy compliance testing
• Rare maintenance windows, once a quarter
• Lots of legacy or old embedded devices

At CERN, Lueders said they create 1 TB/d of security data. That means people need to know what the data is and what to do with it once they get it.

When it comes to security, the younger generation is hitting the workforce, but Lueders wonders if they are ready for the evolving and dynamic environment.

“Our kids are the users and programmers of the future. Is security taught too late in students’ academic careers? In Bachelor’s programs they don’t teach security only when they go into a Master’s program,” he said.

CERN thinks safety first, then availability, and then security, Lueders said. “We are highly complex, but that adds to the security.”



Leave a Reply

You must be logged in to post a comment.