Page 1 of 11 26/11/2013 https://j2eeps.cern.ch/wikis/plugins/servlet

ws-quality
googletest (C++) example on Hudson - (Updated 26.11.2013 18:28:04)
Blog post added by Benjamin Farnham
I've added a sample project using the googletest unit testing framework for C++ to Hudson. The Hudson job builds the production code and unit tests, then runs the
unit tests and reports the JUnit-style XML to the world (i.e. sends error emails if the tests break).
https://hudson3.cern.ch/job/googletest_demo/
The project structure separates production code and tests and the Makefile always runs the tests as part of the compilation (if the unit tests fail you have broken
something).
https://svn.cern.ch/reps/en-ice-svn/trunk/utilities/project-prototypes/googletest_demo
iefc
IEFC-20-11-2013 - (Updated 21.11.2013 10:07:13)
Blog post added by Herve Milcent
93rd IEFC meeting, Wednesday, 20 November 2013
https://indico.cern.ch/conferenceDisplay.py?confId=283175
1 - Approval of minutes from the 93rd IEFC meeting
2 - Information concerning LS1
3 - Report from PS-CSAP (R. Steerenberg, 15')
4 - SPSC report (L. Gatignon and S. Maury, 20')
5 - Outcome of ELENA review (C. Carli, 15')
6 - Detailed schedule for re-commissioning of the injector complex (K. Foraz, 15')
POPS restart beginning of January.
Test with POPS in 2013: week 14 and 15 (April).
cmw
RDA3 diagnostic server and clients - (Updated 20.11.2013 12:46:44)
Blog post added by Benjamin Farnham
In order to learn the RDA3 API changes (relative to RDA2), the RDA2 diagnostic tools have been ported to use the new RDA3 C++ API. Both RDA2 and RDA3
versions of these tools exist...
Reordered in the svn repo as follows:
* https://svn.cern.ch/reps/en-ice-svn/trunk/tools/UNICOS/Utilities/cmw_diagnostic_tools/RDA_2
* https://svn.cern.ch/reps/en-ice-svn/trunk/tools/UNICOS/Utilities/cmw_diagnostic_tools/RDA_3
Both contain the following programs (to be built and run on BE/CO machines...)
* hello_world_server: Publishes a simple property with an alternating string (hello/world) and incrementing integer and a timestamp (double).
* get_device_property: Performs a synchronous get on any given property (usage: get_device_property --help).
* monitor_on: Subscribes to changes in any given property and displays them on an in-console display (usage: monitor_on --help).
Note that both client applications can get/subscribe to any RDA server, not just the hello_world_server.
RDA3 notes:
* API feels sensible to work with, no obvious problems.
* RDA3 client/server comms works fine as far as the test programs go.
* Only callback method of subscription tried so far (basically the same update mechanism as RDA2 subscribe), seems OK.
* The Makefile is a bit fiddly, ordering the libs correctly takes some time (linking fails if not ordered correctly), see the programs above for correct lib ordering.
CAEN OPC Server v5.38 recommended version - (Updated 14.11.2013 14:56:11)
Blog post added by Benjamin Farnham
Email sent to opc-users mailing list...
This email concerns CAEN users with SY1527/SY2527 and SY4527/SY5527 mainframes.
CAEN released a new version of the CAEN OPC Server, v5.38. This version passed all tests in the
laboratory regression test suite; v5.38 is the latest recommended version for SY1527/SY2527 and SY4527/SY5527 mainframes.
V5.38 of the OPC Server is available for installation via the following:
a) From CMF package "CAEN OPC Server v5.38"
b) As a stand-alone installer in \\cern.ch\dfs\Applications\CAEN\CAENHVOPCServer_5.38
Any problems installing or running the software, please let us know at [email protected].
RDA3 Development Highlights from CMW team - (Updated 14.11.2013 14:15:29)
Blog post added by Benjamin Farnham
* MW status + plans
- RDA3 java, still working on RBAC integration
- RDA3 C++, new client API. cmw-rda3 v.0.4.4
* End Jan 2014 plans
- RDA3 Java, RBAC integration complete.
- RDA3 C++: RBAC integration (not started), backwards comp for RDA2 devices (i.e. RDA2/RDA3 inter comms).
* RDA3 client API
- now available! Plus implementation; can get to work.
- SyncGet
- AsyncGet (with future, provides threading control, client env passes thread into CMW env.)
- AsyncGet with callback (update arrives on a CMW scheduler callback thread - fixed num of CMW threads)
- AsyncSubscribe with SubscriptionQ (updates arrive in Q, my thread can check Q and pop from it)
- AsyncSubscribe with callback (update arrives on a CMW scheduler callback thread - fixed num of CMW threads)
* RDA3 code quality (Java & C++)
- code review
- code coverage (C++ GCC and LCOV, LCOV is a coverage flag)
- static code analysis (CPP check, open source)
* Performance Tests
- Comparative RDA2/RDA3 performance, with the Async and Sync functions above.
- Measured start up time (i.e. creating interface with 1000 properties) and action (get/set/subscribe) times.
- Async calls better performance in RDA3 than RDA2.
- Time between subscription and first update is faster with RDA3 than RDA2.
- Conclusion: Prefer async operations, RDA3 outperforms RDA2 for this type of operation.
* General: JAPC provides common+stable client API to middleware but also databases, virtual machines, ayak, ayak. JAPC is not a server API.
* General: High frequency data, should not be handled in JAPC, use C++.
* RDA3 scalability testing
- RDA team have to know threading model of CMW client/server.
* FESA 3.2 (RDA3), latest expected date is June 2014
opc
WIENER bug tracker site back on line - (Updated 25.11.2013 08:27:40)
Blog post added by Benjamin Farnham
The WIENER bug tracker site and data have been successfully migrated to the new software/hardware and are back online again to allow us to view, create and track
issues.
http://redmine.wiener-d.com
OPC-UA toolkit - (Updated 21.11.2013 13:38:22)
Blog post added by Benjamin Farnham
This has been ordered from Unified Automation; source code for the toolkit for linux and windows. The purchase order has been sent to the vendor.
CAEN monthly meeting highlights - (Updated 21.11.2013 11:17:25)
Blog post added by Benjamin Farnham
Highlights from the monthly meeting with CAEN...
* The SY4527 for EN/ICE has been delivered to CERN. It will not be ready for use until the electronics pool have completed some standard processes
(initialising the warranty etc). We wait for the 'release to owner' notification from the pool, expected early next week.
* SY4527 recommended versions:
  - Firmware: v1.2.1
  - Software: v1.2.3, note that the software has a new name: 'HIVOX'.
* CMS performance investigation
  - CAEN's engineers do not have a clear enough picture of the problem CMS is trying to solve.
  - Have scheduled a conversation by skype for tomorrow to clarify.
CMS Tracker - latest news regarding poor performance investigation - (Updated 14.11.2013 15:04:11)
Blog post edited by Benjamin Farnham
Problem still ongoing, CMS now off the 'super-critical' list though as they have a temporary workaround (re-introducing extra computers to parallelise the load by
running multiple OPC Servers which control fewer mainframes). The workaround is a temporary measure; a few proposals about how better to parallelize the load
within the OPC Server process (i.e. to avoid requiring multiple OPC Server processes) have been sent to the vendor for review, currently awaiting comment.
qps
QPS-14-11-2013 - (Updated 15.11.2013 19:08:55)
Blog post added by Herve Milcent
QPS Agent
* the DQAMCNMB and DQAMSN600 are under development.
* if the agent loses the WorldFIP bus synchro for more than 300 sec (configurable), it automatically resets itself.
* the DQAMGS will have a real PM buffer and not a software one as now (the PM is currently done by the GTW).
FEC (GTW):
* FESA3 latest version, the memory leak was fixed. QPS is now stable.
* upgrading to LTIM FESA3 version.
winccoa:
* setup with 15 updates per second on all the floats looks stable, the maximum we should have in operation is 10 per second
* 2 new devices DQAMCNMB (replacement of DQAMCMB) and DQAMSN600 (replacement of DQAMS600) must be developed.
PIC and LHC_CIRCUIT to be looked at...
test
* test setup in building 281 will start soon
* all the DQAMCNMB crates (1232) will be tested, in bunches of 12 per day maximum.
* the test setup is in LabWindows & PXI
installation & commissioning.
* Sector 81
  - 11/03/2014: installation of the QPS agent in the tunnel: 1 week to install all the agents in the tunnel
  - 18/03/2014: the QPS expert starts to connect the QPS Agent to WorldFIP and test the complete chain: FEC (GTW), RDA, WinCCOA (former PVSS), LHCLogging, Post-Mortem, 2 weeks
  - 01/04/2014: start of the IST test
* Sector 67: IST test from 16/04/2014
* Sector 78: IST test from 05/05/2014
* Sector 12: IST test from 14/05/2014
* Sector 56: IST test from 29/05/2014
* Sector 23: IST test from 16/06/2014
* Sector 34: IST test from 30/06/2014
* Sector 45: IST test from 30/07/2014
* Consequence:
  - The layout DB must be ready for a given sector at least one month before the IST test because I also need to prepare the installation. I will also need tools to extract the data from the layout DB, the same ones as previously is fine, I need to be able to extract all the devices (QPS and nQPS) of a given bus.
    Note: the F and A bus are on two sectors but there is only one FEC handling it, so F and A bus configuration must be in the layout DB even if the two adjacent sectors will be commissioned later.
  - FESA and CCDB: the tools to populate the DB, remove the existing devices of the corresponding sector, upgrading the device version, etc. must be ready by the end of 2013. We need a few weeks to find the most efficient way of configuring the FECs as all the devices are extracted from the layout DB and put in the CCDB.
    Note: the LTIM and QPS devices are currently in FESA 2.10 and must be moved to FESA 3, it is acceptable if they are all removed before (we were thinking of first deleting all the devices of a FEC and importing them again in the CCDB, as some devices will be moved from one FEC to another one). However the RBAC settings must not be deleted.
  - LHCLogging: WinCCOA to LHCLogging and all the necessary tools to configure it, diagnose it must be ready at the latest one month before the IST test.
  - LSA stuff: the QPS expert will have tools to configure the QPS devices, these tools will be developed with LSA. The LSA infrastructure must be ready at the latest for the validation of the QPS devices, 2 weeks before the IST test.
  - The system must be operational during the cool down of the magnets, this means that as soon as the IST test starts, no interruption; of course planned interruptions will be accepted in agreement with the experts, the operators and the commissioning team.
  - The deployment of the FEC (GTW) will be with FESA3-RDA2, we will try to use the latest FESA3 version available in January 2014. We will also plan to upgrade to FESA3-RDA3 if this is needed before the end of LS1 (end of 2014).
  - The QPS will be deployed with RDA2 as the FEC will be FESA3-RDA2. This implies:
    - PIC can be deployed with RDA2 provided that the other PIC RDA interfaces (timing, etc.) are RDA2 only.
    - LHC_CIRCUIT can be deployed with RDA2 provided that the FGC are RDA2. But the latest news I got are that the FGC should be with RDA3, so if this is confirmed, the LHC_CIRCUIT should be deployed with RDA3.
  - It is not yet defined how the QPS and nQPS devices will be organised, this will depend on the result of the ORACLE winccoa on-going tests. If the QPS and nQPS devices are organised differently than previously:
    - PIC: the QPS_OK mapping, views, calculations must be reviewed and modified
    - LHC_CIRCUIT: the powering sector, circuit views and widgets must be reviewed and modified, the QPS macros must also be redone.
other topics
* there is a CSCM test planned in 3 sectors, but it is not yet confirmed
* There will be no QPS software & hardware in HIE-Isolde.
jira
SERVICE NOW integration status meeting - 18 Nov 2013 - (Updated 18.11.2013 17:29:30)
Blog post edited by Brice Copy
Meeting with SERVICE NOW implementation team:
* They can now map Functional Elements, Service Elements and Configuration Items (ITIL-speak for JIRA's projects and components) to JIRA projects.
* They can now push tickets from Service Now to JIRA, complete with REPORTER, SUMMARY, DESCRIPTION.
* They are now working on propagating updates from SERVICE NOW to JIRA (e.g. user canceling a request).
* JIRA updates to Service Now have to be implemented by JIRA developers - Alvaro from IT-PES has already started work on an event listener to perform REST calls to SERVICE NOW.
IMPORTANT NOTE:
No other info will be propagated between SNOW and JIRA - Comments for instance will NOT be duplicated between the two.
* We will receive a first prototype from Alvaro, to be tested on our side.
cybersecurity
CESAR Conference 2013 in Rennes - (Updated 26.11.2013 09:45:05)
Blog post edited by Brice Copy
Intro
Brice has participated in the organisation of the C&ESAR Conference 2013 in Rennes, focusing this year on Cybersecurity in SCADA and Industrial Control
Systems.
http://www.cesar-conference.org/
Executive Summary Of the Conference
* The French government (in the context of the very recently voted LOI DE PROGRAMMATION MILITAIRE) is finally enforcing laws that require vendors to pass a cybersecurity certification process. Currently two standards are under scrutiny: ISA-99 / ISA Secure (alias IEC-62443) and ACHILLES WURLDTECH. ANSSI reports their concern that ACHILLES is a black box and is pondering possible alternatives.
  - In this context, the ANSSI-led Working Group would like CERN to come and talk about their testbench and equipment validation experience with TRoIE / Achilles Wurldtech to advise the certification labs.
* German and Dutch governments are also following, although the Dutch already had a de-facto standard (WIB) which is compliant with both ISA 99 and ACHILLES.
Detailed proceedings in Franglish
C&ESAR 2013 DAY 1
Admiral Coustillière - French Navy
White paper on cyber defence, doctrine of graduated response, legal framework for interventions, standardisation of resources and skills, attachment
of ANSSI to the Prime Minister, tripling of the budget in a context of crisis.
Particular attention to private and confidential data, notably in the cloud (PRISM).
Protection of national R&D investments.
After information theft, the disruption of society becomes the new objective.
Crises between the USA and the rest of the world (Brazil, Russia) following the Snowden affair.
PLC vulnerabilities demo - by the Ministry of Defence (DGA-MI)
* Incidents recorded in the past due to unprotected PLCs:
  - Bank security airlocks opened remotely over the internet!
  - Crematorium furnace controlled remotely over the internet!
* Heavy use of PLCs on warships (power generation, control of radars, engines, etc.). Demo of propeller control with an internet connection for remote maintenance.
* Demo of a malware (email with payload) to remotely take engine control of an aircraft-carrier-type ship.
Patrick HEBRARD - DCNS - Cyber security on board warships
* Video on the importance of industrial automation on board tactical ships (linux, java, plcs ...) for all aspects of warships (energy, radars, missiles, pumps...). Roughly 35 million lines of code.
* conflicts between IT and ICS tech ... a lot of Windows NT / Windows 95 still in service but on isolated systems.
* ship's crew went from 300 in 1967 on the "Tourville" to 96 on the "FREMM" in 2005 - generalist personnel, no cybersecurity expert on board!
* example: the destroyer 'Chevalier Paul' carries nearly 400 PLCs
Examples of countermeasures for NATO armed forces:
* Secured linux certification EL2+ for Finnish ships
* USB / RJ45 ports blocked off
* Defense in depth
* Maintaining security condition ("Maintien en condition de sécurité", MCS)
Fabrice TEA - Schneider FRANCE - Cybersecurity in Schneider PLCs
* the same excuses as usual for why the situation has not moved
  - Need to operate for 20 / 40 years; millisecond performance. "Not possible to patch"
  - strong physical robustness standards but weak cybersecurity
  - no new proposal
Impact of STUXNET at RTE FRANCE - Patrick ASSAILLY
* significant fault-clearing constraints and heavy use of IT since 2006 ('pallier Électre')
* cybersecurity programme since 2002 with centralised supervision since 2004
* 2010:
  - July: call from Siemens concerning Stuxnet on all RTE digital control stations; no STUXNET but 820% of stations infected by viruses with no notable consequences for operations!!!
  - August: signature of a security baseline by all site directors
* 2011:
  - Internal audits
  - 16 major security incidents recorded (unauthorised takeovers of control, data theft)
* 2012:
  - white listing put in place
  - cybersecurity watch with dissemination
  - Firewalls
* for 2013 - 2014...
  - single protected access points
  - systematic hardening
  - centralisation of the Security Information and Event Management system (SIEM) and administration of cybersecurity at national level.
C&ESAR 2013 DAY 2
David Sancho - TREND Micro - Who is targeting SCADA?
* interest in ICS ramped up since 2010!
* google can be used to find exposed devices... demo with an electric meter
* shodan.com can be used to even target PLC brands, provides details about config and usable unpatched vulnerabilities (example with an unpatched Simatic S7 1200, then a honeypot)
* honeypot with a raspberry pi and a plc, BEEF, SNORT
* 58% of all attacks from Russia but spam type attacks against the Russian honeypot
* direct critical attacks (a few dozen over 3 months but the first attacks took mere minutes to happen after the honeypot was activated) represent 50% coming from China, but also internally against the Chinese honeypot.
* walk through of an attack against honeypot:
  - social engineering through email
  - exploit then stealing passwords and all documents using HACKSFASE malware. Used by the Chinese army.
David BOUCART - Direction générale de l'armement - From fieldbuses to IP
Good recap of the subject: Ethercat / Profibus / AFDX...
Benefits of Ethernet:
* redundancy
* VLAN support
* IGMP, multicast
* dynamic routing
* access control
But for security:
* lack of support
Thomas Demongeot - Maîtrise de l'information - Research avenues for intrusion detection
* Security Events (SE) sensor
  - At the network level
    - protocol decoding, e.g. Digital Bond for DNP3, modbus and EtherNet/IP
    - analysis of binary streams
  - antivirus-style signature analysis, but everything must be known
  - anomaly detection without prior knowledge:
    - traffic capture and analysis of traffic type, network throughput, addressing
    - or spectral analysis
    - or N-gram analysis (word sequences)
* Best option: behavioural IDS with the support of the automation engineers.
Jean Michel BRUN - Schneider - detection and monitoring
* use of Alienvault as SIEM
* OSSIM to filter modbus commands and monitor
  - thresholds
  - addressing
  - configuration management: firmware, hardware config
  - STOP RUN UPLOAD etc. actions according to working hours
Contact with SIEMENS / BSI
* Pierre Kobes: work on "Industry 4.0" in Germany
  - Internet of Things research topics
  - discussions at the ENISA level
  - production sites in Germany
  - security nightmare but convenience and costs rule.
Jean-Luc TROLLÉ - EDF and cybersecurity governance of nuclear power plants
* adoption of the IAEA NSS17 standard
* Defense in depth
* merger with "nuclear site protection and safety" in all its aspects
* reorganisation and appointment of deputy presidents who are members of the working group
* appointment of 20 auditors
* dashboards and follow-up
Vilash KATTA - CHASSIS method for Unifying Safety and Security
* CHASSIS method presentation
  - UML based
  - FAILURE sequence and usecase diagrams - attacker is shown in Red
  - MISUSE sequence and usecase diagrams
  - HAZOP diagrams
  - Link to SATRAP linking safety models to security models
* requirements completeness is key
* no automated tooling yet
* note: it seems quite immature yet
----------
Gerome BILLOIS - CLUSIF - Overview of cybersecurity standards
* 53 documents on ICS in English and French
* 17 documents retained
* ISA IEC ISO NIST NRC ENISA IAEA DHS
* ISA/IEC 62443 (ex. ISA 99)
* ISO 27019
* lack of a common vocabulary
* publication of the study end of 2014 Q1
Stephane MEYNARD - ANSSI working group on ICS
* White paper / Loi de programmation militaire
  - Strengthen the posture of equipment
  - certification of equipment
  - production of two documents
* Conclusions of the working group
  - Unsuitable equipment.
  - Need for conformance labels by 2015 - regulatory label for critical operators.
  - Need to involve all stakeholders.
three pragmatic deliverables:
* method
* classification level
  - criticality (minor with recommendations, major with directives and self-accreditation, critical with accreditation)
  - impacts (human, environment, loss of service) and likelihood (attackers, personnel, exposure in terms of functionality/complexity and connectivity)
* metrics
  - organisational
    - chain of responsibility
    - risk analysis
    - mapping
    - authorisation of personnel
    - audits
    - security watch
    - recovery plan
    - emergency modes
    - crisis management
  - technical
    - partitioning, unidirectional flows
    - remote maintenance
    - access to the internet, the outside
  - approaches
    - identification of vulnerabilities and specific constraints
    - definition of measures
IN 2014:
* fictitious case studies
* labelling of products: PLCs/SCADA
* labelling of service providers (audit / integration / training)
Frederic GUYOMARD - EDF - certifications for ICS and SCADA
* no certification for NIST; IEC 61508 does not take malicious intent into account, etc.
Evaluation of equipment certifications:
* ISO IEC 15408: accredited by ANSSI; protection profiles; but not suited to the ICS world
* Achilles: recognised by the community; developed with the WIB; proprietary; opaque
  - Achilles Communication Robustness certification
    - FUZZING based
    - a lot of SIEMENS equipment has been certified
* ISA Secure: Achilles provides a test platform but closed source... not widespread to date
Contact with ANSSI's Stéphane Meynard
* ANSSI would like CERN to intervene at their working group on certification of equipment and recommendations on:
  - an open platform
  - a modular and configurable test suite
  - a royalty-free self-certifiable mechanism
  - delegation to third party labs "CESTIS"
C&ESAR 2013 DAY 3
Sebastien BOMBAL - AREVA - Managing intrusions
Phase 1 - intrusion with zero day or social engineering - inevitable
Phase 2 - expansion - essential phase of incident response! Hence the importance of defense in depth
Phase 3 - exfiltration and corruption - need for recovery
* Where to set the bar?
  - manual and reactive?
  - tooled
  - agile and mature
  - dynamic defence
  - resilient production enterprise
KPI: Time measurement and coefficient of resistance to intrusion.
Response
* audit the perimeter
* investigate
* plan the regaining of control
* communicate to stakeholders
* switchover on D-day
* human resources management
* application impacts to be explained
* keep a complete trace of everything in order to audit the incident
Key success factors
* crisis management process
* confidentiality - the attacker may not know they have been detected
* have an incident structure of adequate size
* roll out the plan early if necessary
* log everything! To answer questions later
Gisele Ducrot - AXA Assurances
* case study - the Haifa tunnel sabotage - September 2013
* 8 September 2013 the tunnel is targeted by a trojan horse which shuts down the tunnel for 8 hours
* impact analysis
  - loss of business for the large shopping centre of Israel
  - loss of productivity for high tech companies (Intel / Yahoo / Microsoft etc...)
Total direct cost of the incident = 1.65 million USD of direct loss
Total indirect cost = 55 million dollars
Who will pay ??
How to reduce the risks?
Raise cyber risk to the level of fire risk (labour code)
Insurers now offer cyber incident coverage.
Adrian PAUNA - ENISA - current and future activities
* ICS study in 2011 with recommendations to EU member states
* 2013: Work on European ICS Testing
* Need for a certification framework and mutual trust
* Need for a knowledge management programme
* note: once again no one is making a move. ENISA is merely an advisor.
Robin BERTHIER - University Of Illinois - Amilizer IDS for smart meters
* working group www.TCIPG.org
* Funding of 20 million USD since 2009
* cisco / ibm / symantec / intel etc...
* monthly status updates published on the web
* 2009 vulnerability study was catastrophic
  - passwords sent in clear
  - encryption keys in clear in the unit's EEPROM
  - Counter Seals can be tampered with
* adoption of a Specification-based approach (rather than signature based)
* monitoring of smart grid protocols:
  - ANSI C12.22 and C12.19
    - specification of rules for suspicious behaviour in accordance with the protocol
    - dissectors + parsers + state machines
    - implementation of the Amilizer sensor with BeagleBoard (equivalent to Raspberry Pi)
* Testbed architecture with hundreds of virtual counters
* visualisation console for monitoring meter activity
* live test on 11600 meters / three servers
  - 100 million network packets
  - 2 megabytes of traffic
  - -> several optimisations were made, monitoring conclusive
* NESCOR security policy enforcement analysis with rules
* dnp3 support and more scada protocols in the works
Contact : [email protected]
Guillaume PRINGENT - Hynesim and SCADAVIRT - simulation and security
* modular reconfigurable virtual platform
  - more than 100 virtual PLCs
  - switches, plcs, routers too
Equivalent of our TRoIE testbench with a REDIS cloud module for data analytics that wasn't working during the live demo.
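The monitoring points in the Jean Michel BRUN (Schneider) notes above (thresholds, addressing, STOP/RUN/UPLOAD actions against working hours) can be written as rules over decoded Modbus/TCP traffic. The following is an added example, not code from the talk, from OSSIM or from the author of this post; the policy values, IP addresses, register numbers and the pre-decoded STOP/RUN/UPLOAD labels are assumptions constructed for illustration, and "addressing" is read here as both the source address and the register address.

```python
import struct
from datetime import datetime, time

# Hypothetical site policy; every value below is constructed for illustration.
ALLOWED_WRITERS = {"10.0.0.5"}                  # engineering station
REGISTER_LIMITS = {(1, 100): (0, 800),          # (unit id, register) -> (min, max)
                   (1, 101): (10, 60)}
WORK_START, WORK_END = time(7, 0), time(19, 0)  # Monday to Friday
CONTROL_ACTIONS = {"STOP", "RUN", "UPLOAD"}     # labels from an assumed vendor decoder
WRITE_SINGLE_REGISTER = 0x06


def build_frame(tid, unit, register, value):
    """Build a Modbus/TCP 'write single register' request (MBAP header + PDU)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit,
                       WRITE_SINGLE_REGISTER, register, value)


def parse_write(frame):
    """Return (unit, register, value) for a 0x06 request, None for other functions.

    Raises ValueError when the MBAP header is inconsistent with the frame.
    """
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("protocol id is not 0")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    if func != WRITE_SINGLE_REGISTER:
        return None
    if len(frame) != 12:
        raise ValueError("wrong size for a write single register request")
    register, value = struct.unpack(">HH", frame[8:12])
    return unit, register, value


def in_working_hours(ts):
    return ts.weekday() < 5 and WORK_START <= ts.time() < WORK_END


def check_event(event):
    """Return the names of the rules that one event violates."""
    ts, src, kind, payload = event
    if kind == "action":                        # decoded upstream (assumption)
        if payload in CONTROL_ACTIONS and not in_working_hours(ts):
            return ["off-hours"]
        return []
    try:
        parsed = parse_write(payload)
    except ValueError:
        return ["malformed"]
    if parsed is None:                          # reads and other functions: ignored
        return []
    unit, register, value = parsed
    hits = []
    if src not in ALLOWED_WRITERS:
        hits.append("source-address")
    limits = REGISTER_LIMITS.get((unit, register))
    if limits is None:
        hits.append("register-address")
    elif not limits[0] <= value <= limits[1]:
        hits.append("threshold")
    return hits


def analyse(events):
    """Return (event index, rule name) pairs for every violation found."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample capture: (timestamp, source IP, kind, payload).
SAMPLE_EVENTS = [
    (datetime(2013, 11, 20, 10, 15), "10.0.0.5", "frame", build_frame(1, 1, 100, 500)),
    (datetime(2013, 11, 20, 10, 16), "10.0.0.5", "frame", build_frame(2, 1, 100, 900)),
    (datetime(2013, 11, 20, 10, 17), "10.0.0.77", "frame", build_frame(3, 1, 250, 1)),
    (datetime(2013, 11, 23, 2, 30), "10.0.0.5", "action", "STOP"),
    (datetime(2013, 11, 20, 11, 0), "10.0.0.5", "action", "RUN"),
    (datetime(2013, 11, 20, 11, 5), "10.0.0.5", "frame",
     build_frame(4, 1, 100, 500)[:10]),         # truncated on purpose
]

if __name__ == "__main__":
    for index, rule in analyse(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```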