CERN, Geneva
Control systems are now routinely connected with enterprise networks and even wide area networks, opening their components to a large array of cyber security threats. Facing threats on such a large scale can now longer solely be done through ad-hoc incident response and post-mortem activities. Defense in depth strategies are being widely adopted and advocated through emerging control systems specific cyber security standards [1]. With these strategies comes the need to accurately prioritise risks and manage system assets, in order to implement measured, tailored security restrictions and automatically assess damages to provide efficient and precise incident response. Eventually, an organization must be able to measure incidents trends and evaluate business impact to feed constant security policy reviews. CERN has implemented a control device cyber security test bench, entitled TOCSSiC [2], updated to provide standards-compliant measurements. Such measurements can be employed to automatically evaluate device vulnerabilities and security policy compliance.
[1] F. Tilaro, "Control system cybersecurity standards, convergence and tools", CERN technical report, April 2009
[2] S. Lueders, "Control systems under attack !?", ICALEPCS, October 2005
CERN, Geneva
DIP is a middleware infrastructure developed at CERN to allow lightweight communications between the various distributed components of a control system (such as detector control systems or gas control systems). DIP publications are currently subject to a lack of visibility from the CERN general purpose network and a lack of formal service level agreements between information publishers and consumers. The DIP contract management system adresses these limitations by providing a publication monitoring tool that can make available both publication data and publication status on the web through a javascript API for inclusion in web pages and integration with advanced AJAX libraries (such as the Google Web Toolkit Visualization API). It also performs status information logging, and advertises such information in the form of DIP publications (to ease integration with SCADA systems such as PVSS). We will demonstrate how complex structured information can be easily made available to a large array of consumers through the usage of the Spring framework and the multiple configuration based adapters it offers to a vast choice of communication protocols.
