LIGO-G060520-03-M1LIGO CybersecurityLIGO CybersecurityStatusStatusAlbert LazzariniNSF Annual Review of LIGOLIGO Hanford ObservatoryOctober 23-25, 2006LIGO-G060520-03-M2Outline Recommendations from last review Overview of cybersecurity within LIGOLaboratory Summary of activities during the past year Engagement outside LIGO LaboratoryLIGO-G060520-03-M3Responses to recommendations from 2005LIGO ComputingDevelop, document, qualify a computing model Released the first version of the collaboration computing plancovering the era of LIGO I -- prior to Advanced LIGOoperations( ~ 2013+) Update plan to reflect accrued experience since plan’s first release Extend plan to address Advanced LIGO needsContinue working with the Open Science Grid (OSG) LIGO is an integral member of the Open Science Grid project --recently funded by NSF/DOE Resource Manager on OSG Executive Team (K. Blackburn) OSG Council representative (W. Anderson, UWM) OSG Virtual Organization(VO) Support Center (M. Ramsunder, PSU) LSC production analysis is being integrated with OSG Physics at the Information Frontier (PIF) awarded to LSC data grid institutions concurrently with OSG P. Brady (PI, UW M), ex officio memb er of OSG executive boardLIGO-G060520-03-M4OverviewThe LIGO Scientific Collaborationand the LIGO Data GridLIGO Laboratory: 4 sites*LHO, LLO: observatory sites• Caltech• Hanford Observatory (LHO)LivingstonObservatory (LLO)•MIT ••LSC - LIGO Scientific Collaboration•Not under organizational control of LIGO Laboratory•Funding provided through separate grants - NSF•Cybersecurity policy allows them to join trust relationship with laboratory via MOUsCollaboration Tier 2: 2 US sitesUWM •PSU •CardiffAEI/Golm •Birmingham•+ 3 EU sites/EULIGO-G060520-03-M5OverviewCybersecurity within LIGO Laboratory LIGO’s sole mission: gravitational wave fundamental scientific research-- principal goal: maximize scientific output Computer security for LIGO must be consistent with mission & goalsPrimary: avoid disruption of operation or corruption of dataSecondary: avoid serious embarrassment caused by defacement of LIGO publicly accessiblewebsites or the use of LIGO computers in criminal activities Designed to address no more than the specific LIGO computer security aims: Caltech provides support for LIGO’s payroll, accounting, purchasing and other major businesssystems and these are covered by Caltech policies All measures based on risk evaluation Computer security implementations must be balanced Disruptions to science caused by intrusions vs. impediments to science caused by securitymeasuresLIGO-G060520-03-M6OverviewCybersecurity within LIGO Laboratory Cybersecurity is based on a layered approach Ensure significant assets are fully protected andsecure Allow flexible access to information required to allowthe LIGO Scientific Collaboration to accomplish itsscientific mission Most stringent requirement applies to resourceslocated at the observatory sitesLIGO-G060520-03-M7OverviewObservatory Critical Systems (OCS) Cybersecurity plan identifies the key area of LIGO Laboratory ITinfrastructure that requires specific measures to ensure robustnessagainst disruption of LIGO operations from cyber attacks. Observatory Security Critical Systems Located at the observatory sites Comprises of the interferometers and data caches prior tocommitment of data to the permanent archive. Ensures that interferometer operation and control takes place in a secure environment Protects integrity of archived data Interferometer controls & data acquisition (CDS - Control & Data System) Data archival at observatories (LDAS - LIGO Data Analysis Systems) General computing components (GC) that “touch CDS & LDAS”) OCS oversight assigned to an OCS Committee that is chaired by LHOCDS lead (D. Barker) Charged with evaluating, assessing cybersecurity measures & needs with regard to theOCS infrastructure Key personnel responsible for major OCS infrastructure are members of the committee Cybersecurity personnel, CSO and CSC, attend all meetings.LIGO-G060520-03-M8OverviewCybersecurity Organization within LIGO LaboratoryLIGO-G060520-03-M9Activities during past yearNew Computer Security Officer Kent Blackburn appointed new LIGO Computer Security Officer(CSO) in September 2006 Shannon Roddy remains the Computer Security Coordinator(CSC) Internally: immediate tasks at hand: Reviewing/updating cybersecurity documents & policies; Cybersecurity Plan Update Risk Assessment Acceptable Use Policy Incident Response Procedures Patch Procedures Externally: focus on integration of cybersecurity within thelarger collaboration computing infrastructure New working group established under the LSC Computer Committee to addresscollaboration wide partnership in cybersecurity. Comprises of LIGO CSO/CSC and LSC Tier II computer security officers Also addresses LIGO certificate management under the DOE CALIGO-G060520-03-M10Activities during past yearImproved security - Observatory Critical Systems OCS committee convened bi-monthly to assign actions, monitor progressin security implementation at both observatories Intrusion Detection System installed IDS installed on server performing as an X2100 gentoo router, with a mySql datab ase and web data accesstool running on the base X2100 FC 4 server Administration traffic and system logs further secured New ADMINLAN installed, IDS datab ase and syslog server on this network Outside access to Critical Systems reduced to single point of access Dual home gateways removed. NAT router the single point of access CDS controls and non-controls network traffic separated New PCLAN created for non control systems. RAIDS, switches and tapes moved to ADMINLAN. NewTESTLAN created for offline teststands and laboratory systems Offsite network scans of OCS resulted in system reconfiguration/upgrades Ports which should not be op en were closed. Older versions of server software, e.g. ap ache, upgraded Reviewed and further restricted offsite access to the OCS Access to frameb uilder NDS restricted on a need-to-know basis. Access to testp oints removed. Sensitivewiki data is password p rotected, etc.LIGO-G060520-03-M11Activities during past yearAddressing Vulnerabilities Vulnerability Assessment In progress: assessment using NIST FISMA