20 Years of Cybersecurity: Evaluated Mitigations


Cybersecurity Imperatives for Control Systems: A Critical Update

In prior editions of the Bulletins, we have examined the cybersecurity vulnerabilities associated with control systems, often relegated to the margins of IT discourse.

Yet, the financial repercussions of cyberattacks—exemplified by the staggering $250,000 daily losses incurred by ALMA—underscore an urgent shift in perspective. Laboratories and collaborative experiments can no longer dismiss these threats.

The cybersecurity landscape has evolved measurably over the last decade; however, the pace of adaptation remains distressingly slow in comparison with the rapid progression of information technologies and the evolving tactics of cyber adversaries.

Although crafting a comprehensive cybersecurity framework extends beyond the purview of this article, we propose a series of initial measures:

  • Secure executive endorsement, necessitating that management acknowledges the inherent risks of cyberintrusion, evaluates and prioritizes vulnerabilities, champions mitigation strategies, and accepts any residual risks.
  • Engage a qualified third party for a cybersecurity audit, adhering to established benchmarks such as ISO 27001, the NIST SP 800 series, Germany’s BSI Grundschutz, the Trusted CI framework from the US National Science Foundation (NSF), or the more practical CISv8 framework.
  • Implement multi-factor authentication across all computing accounts, particularly for those facilitating internet connectivity and interfacing with control and security systems.
  • Separate networks according to their specific functions, such as data center operations, control systems, and campus devices. Monitor inter-network communication effectively, focusing on the specific IP addresses, ports, and services involved.
  • Conduct penetration testing on all systems, whether procured or developed internally, to identify misconfigurations, weaknesses, and vulnerabilities. Ideally, integrate penetration testers during design and architectural phases.
  • Regulate CI/CD pipelines to ensure that unvalidated code is subjected to rigorous verification (modern tools like GitLab or OpenStack come equipped with scanning capabilities such as “Harbor,” “Secret scanning,” and “SAST”). Implement screening protocols for externally sourced virtual machines, containers, software packages, and libraries; avoid unregulated dependency on PyPI and NPM by instituting a software curation process.
  • Maintain immutable backups of all data, installation and configuration files, along with the operating and built systems, to enable full restoration in the event of catastrophic failure (i.e., if the entire IT infrastructure were compromised). Regularly test these backups for reliability.
  • Provide training for all experts, developers, and operators to comprehend risks and mitigation strategies, develop a vested interest in enhanced security measures, and contribute to the fortification of their control systems.
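
The network-separation measure above asks for monitoring of inter-network traffic by IP address, port, and service. The following is an added example, not part of the original article, of checking flow records against an explicit allowlist of zone-to-zone flows; the zone names, address ranges, allowlist entries, and flow-record format are all constructed assumptions.

```python
import ipaddress

# Constructed zone map for the three functions named in the list (addresses are assumptions).
ZONES = {
    "datacenter": ipaddress.ip_network("10.10.0.0/16"),
    "control": ipaddress.ip_network("10.20.0.0/16"),
    "campus": ipaddress.ip_network("10.30.0.0/16"),
}

# Approved inter-zone flows: (source zone, destination zone, destination IP, protocol, port).
ALLOWED = {
    ("datacenter", "control", "10.20.1.5", "tcp", 4840),
    ("control", "datacenter", "10.10.2.9", "tcp", 514),
    ("campus", "datacenter", "10.10.3.3", "tcp", 443),
}

# Constructed flow records, one per line: "src_ip dst_ip proto dst_port".
SAMPLE_FLOWS = """\
10.10.4.7 10.20.1.5 tcp 4840
10.30.8.21 10.20.1.5 tcp 4840
10.20.1.5 10.20.1.9 tcp 502
10.20.3.2 10.10.2.9 tcp 514
10.30.8.21 10.10.3.3 tcp 443
10.20.3.2 203.0.113.50 tcp 443
10.10.4.7 10.20.1.5 tcp 22
"""

def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def find_violations(flow_text):
    """Return every cross-zone flow that has no matching allowlist entry."""
    violations = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        src, dst, proto, port = parts[0], parts[1], parts[2].lower(), int(parts[3])
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is outside this check
        if (src_zone, dst_zone, dst, proto, port) not in ALLOWED:
            violations.append((src_zone, dst_zone, src, dst, proto, port))
    return violations

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("unapproved flow:", v)
```

On the sample records it reports the campus-to-control connection, the control-zone host reaching an external address, and the SSH connection to a control host that is approved only for port 4840.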

Significantly, CERN’s IT and Operational Technology (OT)—encompassing the control and safety systems for accelerators, experiments, and infrastructure—are proactively adhering to these guidelines with utmost diligence. This effort is necessitated by unpredictable, high-impact events.

In our interconnected reality, where control and IT systems are symbiotic, the benefits are evident, yet the vulnerabilities loom large.

By integrating contemporary IT frameworks, accelerator and experimental physics control systems can achieve improved precision, expedited development, and optimized resource allocation.

However, this modernization renders them vulnerable to the pervasive cybersecurity threats that afflict conventional IT infrastructures, as historical breaches have starkly illustrated.

Thus, the onus is on control system professionals, developers, and operators to proactively invest in cybersecurity measures for their facilities. By adopting standardized practices and assessing residual risks, they can either support strategic mitigations or consciously accept potential threats.

The pressing question remains: will action be undertaken before a cybersecurity breach occurs, or will we be compelled to respond only in its aftermath?

Source link: Miragenews.com.

Reported By

RS Web Solutions
