LIGO Cybersecurity Status

Similar documents
LIGO Authentication and Authorization 2.0

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report.

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Enabling LIGO Applications on Scientific Grids

Cisco Advanced Services for Network Security

Scalability in Log Management

Guideline on Auditing and Log Management

How To Audit The Mint'S Information Technology

IceCube Cybersecurity Improvement Plan Recommendations to Enhance IceCube s Cybersecurity Program

Case Study: Security Implementation for a Non-Profit Hospital

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

The Protection Mission a constant endeavor

Authentication Project Report

CMPT 471 Networking II

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

FREQUENTLY ASKED QUESTIONS

Reference Architecture: Enterprise Security For The Cloud

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Security Event Management. February 7, 2007 (Revision 5)

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

Protecting Critical Infrastructure

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Five keys to a more secure data environment

North American Electric Reliability Corporation (NERC) Cyber Security Standard

LSC Data Analysis Software Planning Document DRAFT

SANS Top 20 Critical Controls for Effective Cyber Defense

Cyber Security Risk Management: A New and Holistic Approach

New Era in Cyber Security. Technology Development

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense

Working with the FBI

CyberNEXS Global Services

Defending Against Data Beaches: Internal Controls for Cybersecurity

Keyfort Cloud Services (KCS)

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute

System Specification. Author: CMU Team

The Importance of Cybersecurity Monitoring for Utilities

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

John Essner, CISO Office of Information Technology State of New Jersey

Network monitoring systems & tools

SAN Conceptual and Design Basics

A Systems Approach to HVAC Contractor Security

Basics of Internet Security

VULNERABILITY MANAGEMENT

Netsweeper Whitepaper

C24 - Inside the Data Center Andrew J. Luca

How To Secure Your System From Cyber Attacks

Cyber Security for SCADA/ICS Networks

FIREWALLS & CBAC. philip.heimer@hh.se

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Large-scale Real-time Data-driven Scientific Applications

National Cyber Security Framework and Protocol. for securing digital information in networked critical infrastructures and communications

BPA Policy Cyber Security Program

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

JOB OPENING. Please see attached Job Description: Last day to apply: February 27, 2013

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Industrial Control Systems Security Guide

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

ISERink Overview. Version 1.1. February 1, 2015

Critical Controls for Cyber Security.

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

NASA OFFICE OF INSPECTOR GENERAL

Payment Card Industry Data Security Standard

Course Title: Penetration Testing: Network & Perimeter Testing

Building a Security Operations Center. Randy Marchany VA Tech IT Security Office and Lab marchany@vt.edu

Leveraging SANS and NIST to Evaluate New Security Tools

: HP HP Version : R6.1

QRadar SIEM 6.3 Datasheet

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Identity and Access Management for LIGO: International Challenges

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

August, 2000 LIGO-G D.

BlackRidge Technology Transport Access Control: Overview

Navigate Your Way to NERC Compliance

U.S. SECURITIES & EXCHANGE COMMISSION

Information Technology Risk Management

Open Source Security: Opportunity or Oxymoron?

Mule Enterprise Service Bus (ESB) Hosting

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services

Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC)

Empowering the Enterprise Through Unified Communications & Managed Services Solutions

LIGO Mailing List Group Configuration

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

Federal Aviation Administration

Click to edit Master title style

Cybersecurity: What CFO s Need to Know

Audit of the Board s Information Security Program

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Transcription:

LIGO Cybersecurity Status Albert Lazzarini NSF Annual Review of LIGO LIGO Hanford Observatory October 23-25, 2006 1

Outline Recommendations from last review Overview of cybersecurity within LIGO Laboratory Summary of activities during the past year Engagement outside LIGO Laboratory 2

Responses to recommendations from 2005 LIGO Computing Develop, document, qualify a computing model Released the first version of the collaboration computing plan covering the era of LIGO I -- prior to Advanced LIGO operations( ~ 2013+) Update plan to reflect accrued experience since plan s first release Extend plan to address Advanced LIGO needs Continue working with the Open Science Grid (OSG) LIGO is an integral member of the Open Science Grid project -- recently funded by NSF/DOE Resource Manager on OSG Executive Team (K. Blackburn) OSG Council representative (W. Anderson, UWM) OSG Virtual Organization(VO) Support Center (M. Ramsunder, PSU) LSC production analysis is being integrated with OSG Physics at the Information Frontier (PIF) awarded to LSC data grid institutions concurrently with OSG P. Brady (PI, UW M), ex officio member of OSG executive board 3

Overview The LIGO Scientific Collaboration and the LIGO Data Grid LIGO Laboratory: 4 sites Collaboration Tier 2: 2 US sites + 3 EU sites Hanford Observatory (LHO) UWM PSU MIT Birmingham Cardiff Caltech *LHO, LLO: observatory sites Livingston Observatory (LLO) AEI/Golm LSC - LIGO Scientific Collaboration Not under organizational control of LIGO Laboratory Funding provided through separate grants - NSF /EU Cybersecurity policy allows them to join trust relationship with laboratory via MOUs 4

Overview Cybersecurity within LIGO Laboratory LIGO s sole mission: gravitational wave fundamental scientific research -- principal goal: maximize scientific output Computer security for LIGO must be consistent with mission & goals Primary: avoid disruption of operation or corruption of data Secondary: avoid serious embarrassment caused by defacement of LIGO publicly accessible websites or the use of LIGO computers in criminal activities Designed to address no more than the specific LIGO computer security aims: Caltech provides support for LIGO s payroll, accounting, purchasing and other major business systems and these are covered by Caltech policies All measures based on risk evaluation Computer security implementations must be balanced Disruptions to science caused by intrusions vs. impediments to science caused by security measures 5

Overview Cybersecurity within LIGO Laboratory Cybersecurity is based on a layered approach Ensure significant assets are fully protected and secure Allow flexible access to information required to allow the LIGO Scientific Collaboration to accomplish its scientific mission Most stringent requirement applies to resources located at the observatory sites 6

Overview Observatory Critical Systems (OCS) Cybersecurity plan identifies the key area of LIGO Laboratory IT infrastructure that requires specific measures to ensure robustness against disruption of LIGO operations from cyber attacks. Observatory Security Critical Systems Located at the observatory sites Comprises of the interferometers and data caches prior to commitment of data to the permanent archive. Ensures that interferometer operation and control takes place in a secure environment Protects integrity of archived data Interferometer controls & data acquisition (CDS - Control & Data System) Data archival at observatories (LDAS - LIGO Data Analysis Systems) General computing components (GC) that touch CDS & LDAS ) OCS oversight assigned to an OCS Committee that is chaired by LHO CDS lead (D. Barker) Charged with evaluating, assessing cybersecurity measures & needs with regard to the OCS infrastructure Key personnel responsible for major OCS infrastructure are members of the committee Cybersecurity personnel, CSO and CSC, attend all meetings. 7

Overview Cybersecurity Organization within LIGO Laboratory 8

Activities during past year New Computer Security Officer Kent Blackburn appointed new LIGO Computer Security Officer (CSO) in September 2006 Shannon Roddy remains the Computer Security Coordinator (CSC) Internally: immediate tasks at hand: Reviewing/updating cybersecurity documents & policies; Cybersecurity Plan Update Risk Assessment Acceptable Use Policy Incident Response Procedures Patch Procedures Externally: focus on integration of cybersecurity within the larger collaboration computing infrastructure New working group established under the LSC Computer Committee to address collaboration wide partnership in cybersecurity. Comprises of LIGO CSO/CSC and LSC Tier II computer security officers Also addresses LIGO certificate management under the DOE CA 9

Activities during past year Improved security - Observatory Critical Systems OCS committee convened bi-monthly to assign actions, monitor progress in security implementation at both observatories Intrusion Detection System installed IDS installed on server performing as an X2100 gentoo router, with a mysql database and web data access tool running on the base X2100 FC4 server Administration traffic and system logs further secured New ADMINLAN installed, IDS database and syslog server on this network Outside access to Critical Systems reduced to single point of access Dual home gateways removed. NAT router the single point of access CDS controls and non-controls network traffic separated New PCLAN created for non control systems. RAIDS, switches and tapes moved to ADMINLAN. New TESTLAN created for offline teststands and lab oratory systems Offsite network scans of OCS resulted in system reconfiguration/upgrades Ports which should not be open were closed. Older versions of server software, e.g. apache, upgraded Reviewed and further restricted offsite access to the OCS Access to framebuilder NDS restricted on a need-to-know basis. Access to testpoints removed. Sensitive wiki data is p assword p rotected, etc. 10

Activities during past year Addressing Vulnerabilities Vulnerability Assessment In progress: assessment using NIST FISMA supporting documentation as starting criteria Targeting compliance with NIST Special Publication 800-53 Proving difficult in certain areas Variances from NIST 800-53 will require directorate approval Network Vulnerability Scanning (NESSUS) CY2006: performed scans of LIGO assets connected to the outside. Used NESSUS (industry standard tool) with publicly available vulnerability databases Network vulnerability scanning will take place annually at a minimum Issues and variances from policy to be resolved by the individuals responsible for the subsystem 11

Activities during past year Participation within the larger cybersecurity community Attended security conferences, workshops & meetings : NSF Cyber Security Summit for NSF Large Research Facilities Vienna, VA Dec '05 http://www.educause.edu/cyb05 (At the encouragement of T. Carruthers, NSF) Educause Security Professionals Conference Denver, CO April 10-12 '06 http://www.educause.edu/sec06 15th USENIX Security Symposium Vancouver, B.C., Canada August 1-4 '06 http://www.usenix.org/events/sec06/ LIGO CSO engaged in OSG Security Planning through his OSG Executive Team role Effective mechanism in providing visibility for LIGO into challenges faced outside the Laboratory Allows us to bootstrap our security learning curve as we integrate further into the global grid computing environment 12

Activities during past year Incident Summary (since last NSF Review) To date, no compromises discovered within the LIGO Observatory Critical Systems 8 incidents this past year were restricted to General Computing infrastructure at a number of LIGO Lab. Sites Revealed several weaknesses in our policy, and identified the need to prioritize further IDS activities 3 of 8 incidents led to an update of our policies Nature of incidents Incidents by site 13

Outside engagement LIGO and the Open Science Grid The LIGO Scientific Collaboration is one of the original members of the Open Science Grid (OSG) Operating 2 OSG Production sites at PSU and UWM Operating 1 OSG Integration Testbed site at Caltech Operating 1 OSG Validation Testbed site at Caltech Each site must register a site security contact with OSG All LSC OSG sites have registered the local system administrator Each Virtual Organization (VO) in the OSG manages a VO Support Center LIGO s VO Support Center is located at PSU Acts as a point of contact for the OSG Grid Operations Center with the VO Includes cybersecurity and incident response point of contact for VO LIGO computer security infrastructure benefits from having a much larger collaboration from many different disciplines Examples: Adoption of DOE CA protocols Recent Globus Security patch communicated to LIGO via OSG channels 14

Challenges for LIGO Cybersecurity was not central to the original architecture of the CDS network, developed & designed in 1995-1997 Control room operations rely on shared unix accounts for ease of work flow Real-time dedicated 24x7x365 operations (including commissioning and engineering support when not in science runs) makes it very difficult to effect system up grades CDS relies on critical systems with out dated operating system that are no longer supported or lack security features, e.g., telnet session to VxWorks Patch installations require larger than anticipated effort due to the uniqueness of most computer configurations Many patches must be backed out to allow productive work to continue for science operation Access to near-real-time science data by systems outside the OCS infrastructure leads to multi-homed CDS gateways with multiple links to General Computing -- these are critical to current science run Need to establish greater commonality of security infrastructure and strategies across all LIGO sites Example: recent progress towards IDS at each LIGO Laboratory site Prominence of laptop computers underscores importance of physical security and protection of key information that might be stored on them (e.g., private keys). 15

Conclusion LIGO implemented a cybersecurity plan in 2004 General level of security awareness within Laboratory has increased Past two years have focused on improving security of the Observatory Critical Systems infrastructure however, scientific observation limits ability to make rapid changes Greater involvement in Grid Computing introduces additional vulnerabilities that need to be addressed by policies, incident response, risk assessment, and LIGO user community Coordinate with LIGO Tier II computer security officers to assure partnership and ownership of solutions. LIGO is still assessing how compliance with NSF guidelines & expectations meshes with NIST FISMA standards Level of effort for complete implementation is high! 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information