SLAC National Accelerator Laboratory
LCLS FAC: Update on Security Issues, 12 Nov 2008
Terri Lahey, lahey@slac.stanford.edu

LCLS Ebeam Security Update
- Covering work of the Network, Systems, and EPICS teams, and contributions from SCCS teams
- Gunther will cover Photon Cyber Security

Outline
- Integrated with SLAC Security Plan
- Delivered Systems
- Network Architecture
- Computer Security
- What's Next

Cyber Security Protection Program (CSPP)
Integrated with SLAC Cyber Security Plan
- MCC enclave was extended for the LCLS Ebeam Control System
- SCCS security team interfaces with DOE
- MCC is represented on the security committee
- Interact with SCCS teams to build and maintain the production control system
- DOE site visits; responded to the ST&E review
- SCCS daily and quarterly security scans
- CSPP annual review of the MCC enclave (early 2009)
- Implemented the original design of the LCLS networks
- Plan to upgrade the enclave while supporting the legacy control system for the Minimum Maintenance State of the Linac (CID-S19) and PEP

Delivered Systems
- Production systems to support the ebeam injector through the edump
- MPS/PPS/HVAC in the photon section
- Network upgrade at MCC for gigabit traffic to support digitized video
- Linux RHEL4 servers and OPI
- Main Control Center (MCC)
  - Control Room: new layout with 5 dual-head Linux OPI, multiple dual-head Sun Ray OPI, multiple overhead displays, and locations for laptops on public subnets or wireless
  - Foyer: space for Sun Ray and laptop work areas
- Debugging in the field with Sun Ray and wireless

Network Architecture (1)
- Production nodes reside on production networks isolated from SLAC networks
  - Accelerator subnets: Channel Access, Instruments, Utilities, Video, Sun Ray Terminal
  - Private network for some subsystems: BPM, LLRF, Toroid, ADS
    - Unrouted traffic
    - Monitor traffic and manage switches via the accelerator network
- LCLSDMZ is the edge of the LCLS networks: the only access to LCLS from the rest of SLAC
- All nodes are SLAC-only
- Wireless is on a separate network; tunnel into SLAC

Network Architecture (2)
- Traffic routing: LCLS integration with previous MCC and SLAC networks
  - Filtering firewall to control traffic
  - Read-only access from DMZ nodes
  - SCCS services provided from nodes on the DMZ
  - saIOC router is tightly controlled with ACLs for a 64-node IP range
- Use the SCCS team for security and network management
  - Security and Networking advised on the DMZ architecture
  - Networking manages switches and brings them online
  - Use the central network monitoring package and alerts

LCLS Ebeam Computer Security (1)
- LCLS Linux servers and workstations
  - 32-bit RHEL4 (64-bit Dell 1950/2950)
  - Standalone configuration, system disk mirroring, console service, UPS management, failover procedure, automated system resource monitoring, watchdog for production applications, etc., to ensure the systems are reliable and robust
- Yum patching
  - Synchronize the MCC patch repository with the SCCS repository
  - Monitor when patches are needed
  - Schedule downtime to patch on ROD days
  - Can fall back to the old system
- Production applications use production NFS
- Authenticate with local accounts and use SSH v2 keys

LCLS Ebeam Computer Security (2)
- Operator Interfaces (OPI)
  - Standalone Linux workstations in the control room: dual 24" monitors
  - Linux-based Sun Ray
    - Sun Ray 2FS clients in the control room for overhead displays and dual-monitor workstations
    - Sun Ray 2FS clients (cow) and laptops for debugging in the field
  - Provide read-only access from offices via PVGateway with CA Security
  - Log in to production servers for read/write access
  - Wireless is outside SLAC; tunnel with ICA/Citrix/SSH/VPN/RDP
- EPICS IOCs
  - IOCs and RTEMS use MCC NFS
  - CA Security is applied in multiple systems
- VMS control system
  - Minimizing usage while we migrate the last functions

Other Status
- Omnilocks on the computer room
- Moved the network core into the locked computer room
- slcIOC bridge
  - Injector through BSY devices use this bridge
  - Injector and BC2/L3 commissioning
  - Upcoming run through BSY
- Undulator beamline and edump are EPICS only
- MCC Oracle is patched by SCCS Oracle experts
- Electronic logbooks: operations and physics

What's Next
- Data transfer between ebeam and photon sections
- Security
  - Review the filtering firewall to give read-only access to the control system
  - Review the MCC Enclave's CSPP and implement improvements
- Computing infrastructure
  - Short-term access to SCCS Oracle until we move to MCC Oracle
  - Review all SCCS dependencies and migrate where needed
  - Support the S20-BSY Linac Upgrade with the existing network/computing architecture
- Migrating away from the physics elog to a DOE-compliant elog
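As an added illustration (not from the slides or the LCLS configuration), the split described under OPI and EPICS IOCs, read-only from offices through the PVGateway and read/write only from the MCC control room, can be expressed in an EPICS Channel Access security configuration (.acf) file of the kind an IOC or the gateway loads; the user names, host names and group names below are assumed.

```text
# EPICS access security configuration (added example; all names are assumed)

# Accounts allowed to write: control-room operator and physics logins.
UAG(mcc_ops) { "lclsops", "ebeamphys" }

# Hosts from which writes are accepted: MCC control-room OPI hosts only.
# Office workstations and the PVGateway host are deliberately not listed,
# so a write arriving by way of the gateway is refused at the IOC.
HAG(mcc_opi) { "mcc-opi01", "mcc-opi02", "mcc-sunray-srv" }

# Default group for every record without an explicit ASG field:
# anyone may read; only mcc_ops accounts on mcc_opi hosts may write.
ASG(DEFAULT) {
    RULE(1, READ)
    RULE(1, WRITE) {
        UAG(mcc_ops)
        HAG(mcc_opi)
    }
}

# Group for protection-system records (select with field(ASG, "MPS_RO")
# in the database): readable by all, writable by nobody over CA.
ASG(MPS_RO) {
    RULE(1, READ)
}
```

CA Security matches on the user and host names the client reports, which are not authenticated, so these rules only hold up because the accelerator subnets are reachable solely through the LCLSDMZ and the filtering firewall described earlier.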