Slide 1
Anthony Cuffe
CEBAF Control System Access

Slide 2
What is ACE?
The Accelerator Computing Environment (ACE) is a collection of network segments (enclaves and fiefdoms) maintained by the Accelerator Computing Group (ACG) dedicated to the control and support of Accelerator Operations.
This includes isolated, self-sufficient fiefdoms and specialized computing enclaves dedicated to the:
    Control of Accelerator operations (CEBAF)
    Control of LERF, SRF and ITF operations
    Support of End Station operations
    Development of controls software and hardware related to these facilities
This also includes several non-isolated enclaves for:
    User desktops for Accelerator and Engineering support staff
    Windows Terminal Servers
    Site-Wide Services (logbooks, database, web services, …)
Overview

Slide 3
Network Segmentation/Isolation
Segmentation of our Fiefdoms/Enclaves from the rest of the site is implemented through network-based ACLs and firewalls.
Access to the external internet is only allowed on non-operational networks:
    acenet (ACE Desktop Enclave)
    wintsnet (Windows Terminal Server Network)
Systems are grouped together in special networks by function to simplify firewall/ACL rules:
    Fiefdoms: opsnet, devnet, srfnet, …
    Special networks: bkupnet, accupsnet, consrvnet, cagwnet, …
    Protection of vulnerable systems: plcnet, opsiocnet

Slide 4
Network Segmentation (CNI to ACE)
(diagram slide)

Slide 5
Remote Access – Two Factor
Access from the outside is only allowed via ssh through a gateway system (acclogin).
Remote logins (ssh) to Accelerator systems require two-factor authentication using crypto-tokens generated from a smartphone app or a CRYPTOCard keyfob.
Management and assignment of the CRYPTOCards are done by both ACE and CNI:
    Faster response to user issues
    Tighter control over users with ACC access
A separate Accelerator login account is also required to access the control system.

Slide 6
Physical Security
All critical and sensitive Accelerator systems reside within the confines of the Accelerator Site, which is a fenced area with controlled access.
All personnel must be badged.
Access to specific areas is controlled by badge readers (CANS) that authorize entry only to those staff and users that have appropriate training and access privileges.
Access is controlled by physical locks where CANS is not available.
Access is logged and videotaped in sensitive areas (MCC Datacenter).
Backup systems and media are always kept under lock and key, and backups are stored in an off-site safe.
Visitors must have an escort.

Slide 7
User and Group Accounts
Individuals access and manipulate the control system using their own accounts.
General purpose logins (group accounts) are avoided whenever possible and are normally used only for long-running services.
General purpose logins are controlled and logged using sudo.
Local accounts are avoided at all costs.
Passwords are changed at least every 6 months (enforced through Kerberos).
User auditing is done continuously.

Slide 8
EPICS – Channel Access Security
Almost all ACC Control/SCADA Systems are based on EPICS.
Channel Access is the command-and-control communication protocol used by EPICS.
    Provides the security layer for EPICS.
    Allows users to read, write and monitor real-time data from low-level controls.
    Allows for host- and user-based access control (read and write).

Slide 9
CA Security Measures
Controlled by network-based ACLs/firewalls in, out and between ACE networks.
Read-access is granted to all users on local networks and made available to external networks through CA gateways.
Write-access during operational periods is authenticated by user (operations staff only) and by host computer (strictly managed).
    Short-term access for non-operator support staff can be granted by the Crew Chief.
    Specially trained experts (MAC) can also be granted pre-defined, limited access by the Crew Chief with a short expiration.
    Approved Operators and MAC users are designated by the OPS group leader.
Write-access during non-operational periods is authenticated by host computer only (open channel access).
Physical access controls are employed for Controls hardware.
All control system writes are logged (caputlog and splunk).

Slide 10
?
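The write-access policy described on the CA Security Measures slide (user and host during operational periods, host only otherwise, every write trapped for logging) maps directly onto an EPICS Access Security Configuration File (ACF). The fragment below is an added illustration, not a configuration taken from the presentation or from the CEBAF control system; the user, host, group and PV names in it (opsa, mcc-ops1, ops_staff, mac_experts, rf_tuning, MCC:OPS_MODE) are assumptions chosen for the example.

```text
# Added example of an EPICS Access Security Configuration File (ACF).
# All names below are assumptions for illustration, not the site's real
# configuration.

# User access groups. A CA client asserts a user name; membership here is
# what turns that asserted name into a permission.
UAG(ops_staff)   { "opsa", "opsb" }
UAG(mac_experts) { "rfexpert" }

# Host access groups. Only strictly managed console hosts may write.
HAG(ops_hosts)   { "mcc-ops1", "mcc-ops2" }
HAG(mac_hosts)   { "mcc-ops1", "mcc-ops2", "rf-console" }

# Records with no ASG field belong to DEFAULT.
ASG(DEFAULT) {
    # INPA is a PV the IOC reads for the CALC rules: 1 = operational
    # period, 0 = non-operational period (assumed PV).
    INPA("MCC:OPS_MODE")

    # Everyone on the local networks may read and monitor.
    RULE(1, READ)

    # Operational period: a write needs an operations user AND a managed
    # host. TRAPWRITE makes the IOC report every accepted write to the
    # caPutLog listener.
    RULE(1, WRITE, TRAPWRITE) {
        UAG(ops_staff)
        HAG(ops_hosts)
        CALC("A=1")
    }

    # Non-operational period: host-based only ("open channel access").
    RULE(1, WRITE, TRAPWRITE) {
        HAG(mac_hosts)
        CALC("A=0")
    }
}

# A separate group for the limited set of records MAC experts may write.
# Records opt in by setting their ASG field to "rf_tuning". Listing two
# UAGs means a user in either group passes; the HAG still applies.
ASG(rf_tuning) {
    RULE(1, READ)
    RULE(1, WRITE, TRAPWRITE) {
        UAG(ops_staff)
        UAG(mac_experts)
        HAG(mac_hosts)
    }
}
```

Two practical points follow from this layout. First, the Channel Access user name is supplied by the client and is not authenticated by the protocol, so a UAG entry is only as strong as the HAG entries, the managed hosts and the network ACLs that keep an attacker from running a CA client under an operator's name; that is why the slide pairs user checks with strictly managed hosts. Second, the caputlog record the slide relies on is produced only for rules carrying the TRAPWRITE option, so a write rule added without it is an unlogged write path. A Crew Chief's short-term grant has no expiry primitive in the ACF itself; it is implemented by editing the relevant UAG, reloading the file on the IOC (asInit) and removing the entry again when the grant ends.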