
Maximizing Security for Free-Electron Laser Remote Access

Learn about JLab's powerful Free-Electron Laser, its sensitive information policies, and control system security measures. Explore FEL capabilities, ITAR compliance, and proactive security steps for remote access.

daltman


Presentation Transcript


  1. Jefferson Lab Remote Access Review: Free-Electron Laser • Wesley Moore, FEL Computer Scientist • 01 December 2010

  2. FEL Presentation Objectives • What is the Free-Electron Laser (FEL)? • FEL's relationship to sensitive information (SI) • Outline adopted policies and procedures • Remote access to SI and control systems • Quality assurance • Future plans

  3. Description of JLab's FEL • The FEL is the world's most powerful free-electron laser. It is primarily an infrared laser, although it can also produce ultraviolet and other colors of laser light. • The FEL also holds the world record as the brightest source of Terahertz (THz) light and is now in the process of characterizing its kilowatt-scale ultraviolet capability. (Images: UV Lasing, UV Wiggler)

  4. Cause for Sensitive Information • Science and Technology (S&T) is typically considered to be sensitive if the S&T involves activities or items on the Military Critical Technologies List (MCTL) or if the S&T is included in the Department of State's International Traffic in Arms Regulations (ITAR). Sensitive S&T has consequent export control requirements by law, regulation and the JLab DOE contract. • Please note there is no Classified Information involved with FEL activities at this point.

  5. Policies & Procedures • The FEL wanted to maintain a proactive posture with respect to information security, not a reactive one. • Early involvement of the Chief Information Officer (CIO) • It was obvious the FEL would become a moderate enclave • Initiated compliance with JLab site-wide policies and procedures for sensitive information • Procedures used for the following: personnel security, physical security, handling of hard copies, handling of electronic information

  6. Sensitive Information Security • Remote access: 2-factor authentication • Restrictive inbound and outbound firewall configuration • FOUO-ITAR documents are stored on a secure file server • File server provided by IT Core • Located in the Computer Center with card-reader access security

  7. Control System Security (1/2) • EPICS access security protects IOC databases from unauthorized Channel Access clients. Access is based on the following*: • Who: userid of the Channel Access client. • Where: hostid where the user is logged on. This is the host on which the Channel Access client exists; no attempt is made to see whether the user is local or remotely logged on to the host. • What: individual fields of records are protected. Each record has a field containing the Access Security Group (ASG) to which the record belongs... • How: User Access Groups (UAG) and Host Access Groups (HAG) combine to create read/write permissions. • The local IOC console is protected via physical security, and telnet access is protected via network security. * Extracted from the EPICS Application Developer's Guide, Base Release 3.14.11

  8. Control System Security (2/2) • Key points for remote access: once through the firewall, an accepted user and host has transparent remote access. • Recall: Who: userid of the Channel Access client. Where: hostid where the user is logged on. This is the host on which the Channel Access client exists; no attempt is made to see whether the user is local or remotely logged on to the host. • Channel Access security is granted by the System Owner (W. Moore) • Read/write access is role based (operator, user, student, etc.) • Remote actions are administratively coordinated through the on-site Duty Officer and operators.

  9. Quality Assurance • Active QA: network and system level QA (reliant on IT Core); security of FOUO-ITAR is periodically reviewed • Gaps: some embedded IOCs are not using EPICS Channel Access security files; periodic audit of the Channel Access security configuration (remove old userids, changes in personnel); PLCs and other network-capable devices??
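To make the who/where/what/how rules of slides 7 and 8 and the audit items of slide 9 concrete, here is a small Python model written as an added example for this transcript; it is not code from the presentation or from EPICS itself. It parses the UAG/HAG/ASG/RULE subset of the EPICS access-security file syntax, evaluates what a given (userid, hostid) pair may do to records in an ASG, and runs the configuration checks the QA slide lists. All group, user, host and PV names are constructed, and the rule semantics are a simplified reading of the Application Developer's Guide (a rule matches when its UAG and HAG lists, if present, contain the client, and the best matching rule wins).

```python
import re

# Constructed access-security file in the EPICS ACF syntax (UAG / HAG / ASG / RULE).
# Every group, user, host and PV name is invented; none of it is the FEL's real config.
SAMPLE_ACF = """
# Who: user access groups          Where: host access groups
UAG(operators)    { opr1, opr2 }
UAG(students)     { stu1 }
HAG(control_room) { fel-con1, fel-con2 }

# What / How: access security groups and their rules
ASG(DEFAULT)     { RULE(1, READ) }
ASG(magnets)     { RULE(1, READ)  RULE(1, WRITE) { UAG(operators) HAG(control_room) } }
ASG(diagnostics) { RULE(1, READ)  RULE(1, WRITE) { UAG(operators, students) } }
ASG(test_stand)  { RULE(1, WRITE) }
"""

LEVELS = {"NONE": 0, "READ": 1, "WRITE": 2}


def _names(csv):
    return [x.strip() for x in csv.split(",") if x.strip()]


def _block(text, start):
    """Return (body, index after the closing brace) for the block opening at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
    raise ValueError("unbalanced braces in ACF")


def _parse_rules(body):
    rules = []
    for m in re.finditer(r"RULE\(\s*(\d+)\s*,\s*(\w+)\s*\)", body):
        rule = {"level": int(m.group(1)), "access": m.group(2).upper(), "uag": [], "hag": []}
        rest = body[m.end():]
        brace = re.match(r"\s*\{", rest)
        if brace:  # optional { UAG(...) HAG(...) } qualifier on the rule
            inner, _ = _block(rest, brace.end() - 1)
            rule["uag"] = [g for lst in re.findall(r"UAG\(([^)]*)\)", inner) for g in _names(lst)]
            rule["hag"] = [g for lst in re.findall(r"HAG\(([^)]*)\)", inner) for g in _names(lst)]
        rules.append(rule)
    return rules


def parse_acf(text):
    """Parse the UAG/HAG/ASG/RULE subset of an ACF into (uags, hags, asgs)."""
    text = re.sub(r"#[^\n]*", "", text)
    asgs, outside, pos = {}, [], 0
    for m in re.finditer(r"ASG\((\w+)\)\s*\{", text):
        if m.start() < pos:  # would only happen for a match inside a consumed block
            continue
        body, end = _block(text, m.end() - 1)
        asgs[m.group(1)] = _parse_rules(body)
        outside.append(text[pos:m.start()])
        pos = end
    outside.append(text[pos:])
    top = "".join(outside)  # only the UAG/HAG definitions are left here
    uags = {m.group(1): set(_names(m.group(2)))
            for m in re.finditer(r"UAG\((\w+)\)\s*\{([^}]*)\}", top)}
    hags = {m.group(1): set(_names(m.group(2)))
            for m in re.finditer(r"HAG\((\w+)\)\s*\{([^}]*)\}", top)}
    return uags, hags, asgs


def access(cfg, asg_name, user, host, field_asl=0):
    """Best access a Channel Access client (user on host) gets to fields of the given
    ASL in records of asg_name. Only the host the client runs on is consulted, so a
    user logged in remotely to an allowed host is indistinguishable from a local one."""
    uags, hags, asgs = cfg
    rules = asgs.get(asg_name, asgs.get("DEFAULT", []))  # unknown ASG falls to DEFAULT
    best = "NONE"
    for r in rules:
        if field_asl > r["level"]:
            continue
        if r["uag"] and not any(user in uags.get(g, set()) for g in r["uag"]):
            continue
        if r["hag"] and not any(host in hags.get(g, set()) for g in r["hag"]):
            continue
        if LEVELS[r["access"]] > LEVELS[best]:
            best = r["access"]
    return best


def audit(cfg, records, current_staff):
    """Checks mirroring the QA gaps on slide 9: records left in DEFAULT or in an ASG the
    file never defines, WRITE rules with no UAG/HAG restriction, and stale userids."""
    uags, _hags, asgs = cfg
    findings = []
    for pv, asg in records.items():
        if asg == "DEFAULT" or asg not in asgs:
            findings.append(f"{pv}: ASG '{asg}' not specifically protected (falls to DEFAULT)")
    for name, rules in asgs.items():
        if any(r["access"] == "WRITE" and not r["uag"] and not r["hag"] for r in rules):
            findings.append(f"ASG {name}: WRITE rule without UAG/HAG restriction")
    for group, users in uags.items():
        for u in sorted(users - current_staff):
            findings.append(f"UAG {group}: stale userid {u}")
    return findings


# Constructed record-to-ASG map (the ASG field of each record) and current staff list.
RECORDS = {"FEL:MAG:QUAD01": "magnets", "FEL:BPM:01": "diagnostics",
           "FEL:TEMP:01": "DEFAULT", "FEL:CRYO:01": "cryo", "FEL:TEST:01": "test_stand"}
CURRENT_STAFF = {"opr1", "stu1"}  # opr2 has left but is still listed in the file

if __name__ == "__main__":
    cfg = parse_acf(SAMPLE_ACF)
    for user, host in [("opr1", "fel-con1"), ("opr1", "laptop"), ("stu1", "fel-con1")]:
        print(f"{user}@{host:<9} magnets -> {access(cfg, 'magnets', user, host)}")
    for line in audit(cfg, RECORDS, CURRENT_STAFF):
        print("AUDIT:", line)
```

The `access` function is the point of slide 8: the only "where" the IOC sees is the host running the client, so an operator who has come through the firewall onto `fel-con1` gets WRITE on `magnets` exactly as if seated at the console, which is why the firewall, 2-factor login and the Duty Officer coordination sit in front of it. The `audit` function shows what a periodic review of the security file can catch mechanically: a record still in DEFAULT, an ASG referenced by a record but never defined, a write rule anyone can match, and a userid belonging to someone who has left.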

  10. Future... • We are currently evaluating our readiness for future ITAR-related experiments on the FEL. Things we must consider: • Machine hardware is not ITAR; configuration could be. • Effort required to "black-box" the FEL's control system • Is all remote access denied?? • Proper storage of machine parameters • Staffing issues and requirements due to heightened information security • Cost associated with protecting information

  11. Questions?
