Computer Security: Protecting accelerator from remote evil

A typical question when it comes to computer security is “What is your worst nightmare scenario?” Despite the fact that we usually sleep quite well, tranquilly and deeply, one answer would be CERN succumbing to a so-called “ransomware” attack. The second answer would definitely be the loss of the password of one of our data centre system administrators or of one of the engineers or experts running and managing our technical infrastructure and the accelerators. As we have covered ransomware attacks already in detail in past Bulletin issues (“Blackmailing Academia: Back to pen and paper(?)“, “Blackmailing Enterprises: You are Patient Zero“), let’s see why we worry so much about your expert password…

Actually, and more importantly than ever during these days of teleworking, your CERN password is the Holy Grail for access to all your digital possessions at CERN: your CERN mailbox, your CERN storage space, your CERN PC and laptop, your documents and databases, any CERN websites you manage, the CERN computing services you run, or the accelerator or experiment control systems you operate or develop. One password and you’re in. For an adversary, this is an easy target. One successful discovery of a CERN password, and he or she is in… And depending who owned that password, the adversary has all sorts of access at hand: access to your mailbox to spam the world, access to your storage space to expose your data to your friends, access to your PC or laptop to spy on you, access to your data to encrypt it and blackmail you, access to your websites ready to deface them, and access to the computing service you run or the accelerator or experiment control systems you operate or develop. In these last two cases, if the adversary has a targeted plan or is bold enough, he or she might just monitor your activities for a while: when you log in to your computing services, which settings you apply, how you manipulate the control system settings and how everything is interlinked. On day zero, the attacker will strike and abuse your expert power for his or her evil deeds. Kill computing services, delete databases, dump beams, and run control system parameters out of bounds. Nightmare fulfilled. Goodnight, CERN!

In order to protect CERN’s calm sleep, the IT department has started putting more and more privileged access routes to vital configuration services behind multi-factor authentication. You might be familiar with multi-factor authentication from your bank: the smartphone app, the SMS they send you, the pocket calculator device you have to use… The same goes for CERN IT: the use of Puppet, Foreman, Tellme/Pwn/Tbag has recently started to require system administrators to authenticate themselves in a two-pronged way: with their usual CERN password (“something they know”) plus, and this is new, a so-called second factor (“something they have”), e.g. a hardware token or a dedicated token-generating app running on their smartphone. In the next couple of months, more and more essential computing services will be put behind multi-factor authentication.

And we are not done yet, as the nightmare has a second prong: access to our accelerator control systems and technical infrastructure. Discussions have therefore begun with the Beams department on how remote access to that technical infrastructure, namely the so-called Technical Network (TN) that serves it, can be put behind multi-factor authentication, too. A first step has already been taken for IT managers who need to access services hosted on the TN. Next will be an analysis of how the remote development clusters can benefit from multi-factor authentication, and how remote expert access can be better protected… Stay tuned and follow our discussions at the CNIC meetings. And help us rid CERN of nightmare scenarios!

______

/Public Release. The material in this public release comes from the originating organization and may be of a point-in-time nature, edited for clarity, style and length. View in full here.