One nice thing about the internet and the World Wide Web is their international nature, like CERN's international stance - communication without borders, information sharing without limits, connecting the world and its people. On the other hand, that's also their drawback: international interconnectivity makes it possible today to spread misinformation and manipulate elections, as well as wage remote attacks against any target around the globe, including against CERN. That's why international collaboration and incident response is key. Because an incident in the Antipodes might directly affect the IT services at CERN. And has done so.
A compromised server at the University of Antipodes might have been used to connect to CERN. With the stolen passwords, an attacker might then try to move towards other targets. Spread laterally. Like, for example, trying to break into CERN's systems and create havoc there. Such spreading attacks have been seen over and over in the past (like "Phalanx" or "Busywinman"), but also more recently with some misbehaving user accounts on CERN's interactive Linux cluster ("LXPLUS"). While this was spotted quickly and no damage was done, incident forensics led back to computer centres abroad, resulting in a full reinstallation of their computer centre. Just like in another incident in 2022. Or at the ALMA telescope complex. Or close to the BESSY II accelerator...
The reach of the CERN Computer Security Office must therefore be vast, wide-reaching and manifold. Within our physics community, the Office is in close contact with the US Fermi and Lawrence Berkeley national labs, holding monthly meetings to discuss cybersecurity: network layouts, remote connections, 2-factor authentication, you name it. Discussions about what works, what is efficient, and what are the pitfalls. Similarly, CERN contributes to a cybersecurity review for the European Southern Observatory (ESO). On a larger scale, many European and pan-European institutes running photon and neutron sources (e.g. SESAME and SOLEIL) deliberate regularly about the cybersecurity of their accelerator control systems and beamlines. Including CERN, which has run a dedicated Control System Cyber-Security (CS2HEP) workshop at every ICALEPCS (International Conference on Accelerator and Large Experimental Physics Control Systems) since 2007. The next one is in September, in case you want to join?
And CERN is much more than just "control systems". Think data - with vast streams of the experiments' measurements pouring from CERN's Tier 0 into the Worldwide LHC Computing Grid (WLCG) for storage, processing, compute and analysis. Interconnecting about 150 Tier 1, 2 and 3 computer centres via the European Grid Initiative (EGI) and the US Open Science Grid (OSG), this vast array is not only the "Instagram for physicists", allowing them to delve into each other's physics analyses, but also a primary target for attackers trying to piggyback and mine cryptocurrencies. The luckiest attacker made 2000 US dollars in Bitcoin and got sentenced to jail. CERN usually coordinates WLCG incident response via its WLCG Computer Security Officer, while the EGI Incident Response Lead is part of the CERN Computer Security Office. And both of them have resumed meetings with all "virtual organisations" of the LHC experiments as well as their contributing data centres to reconnect, build trust and links, rediscuss best practices, provide guidelines and help improve their monitoring, protections and procedures.
Similarly, the Office teams up with other international entities from our worldwide academic research and education community. Like ESnet, with one former expert from the CERN Office having just taken over responsibilities there. Or SAFER, created by CERN, providing incident response. Whether it's fostering our links with the Chinese Academy of Sciences, building up peer networks in South America ("RedCLARA"), or contributing to the "Research and Education Networks Information Sharing & Analysis Center" (REN-ISAC), with members from all the Five Eyes countries (AUS, CAN, NZ, UK, US) plus CERN.
And beyond academia, the Computer Security Office is in close touch with the official cybersecurity authorities of both of our Host States (namely the French ANSSI and the Swiss MELANI/NCSC) as well as with other Geneva-based international (UN) organisations, whose Computer Security Officers meet on an irregular basis to discuss incidents and plans to improve their security posture.