
Computer Security: 20 years of securing controls (or trying to): black swans and convergence


Our last article discussed the mess of control system cybersecurity 20 years ago and today. Nothing has changed, it seems. But does that really matter? In fact, it does.

While long anticipated by experts, the first control-system incident to dominate media coverage was the Stuxnet attack of 2010 against the Iranian nuclear programme, allegedly conducted by some secret services. Carried into the nuclear processing site at Natanz on a USB stick, the malicious software intercepted the traffic to a standard Siemens 300-series PLC and manipulated its program so that the controlled centrifuges spun at varying speeds (hence creating wear-out), while the human–machine interface told the operators that all rotational speeds were constant and nominal. This marked the watershed: the Stuxnet malware itself and variations thereof started infecting control systems worldwide, causing various degrees of damage.

Another major incident spanned the office IT, dispatching software and seaborne control systems of the logistics company Maersk. The company was compromised by the “NotPetya” ransomware, which “dominoed” from one office system to another, not only disrupting the global operation of one of the world’s largest shipping companies but also inflicting damage of up to 300 million USD. More recent global political events have shown the impact of broken supply chains on the global economy.

The latter incident in particular illustrates the immense dependency of our civilised way of life on control systems. Accelerator and large experimental physics control systems are not exempt from such doomsday scenarios, and certainly not from “lighter” incidents. Many universities and institutes worldwide have been subject to cyberattacks by ransomware gangs in the past decade. Among others, the ransomware gang “Vice Society” explicitly targeted the research and education sector. Hundreds of universities fell to them; their IT infrastructure – data centre services, storage systems, networking infrastructure, and laptop and PC endpoints – failed and had to be completely reinitialised. The Helmholtz Zentrum in Berlin (HZB) is another unfortunate example: its IT was crippled for more than a year, its BESSY II accelerator was halted for half a year, and researchers and PhD students were stuck waiting for new data.

A year earlier, in 2022, the ALMA telescope complex in the Atacama Desert in Chile suffered a similar fate. With its control systems compromised by ransomware, research and operations stood idle awaiting reinstallation, at a cost of 250 000 USD a day.

The convergence of OT and IT

Despite all these black swans, control systems have embraced modern IT systems more than ever. As predicted already in 2005, not only are web servers fully integrated in the operation of control and safety systems, but virtual machines and containerisation have also made it to the plant floor of accelerators and experiments. A quick look at the timetable of this year’s ICALEPCS conference reveals that today the development and deployment workflows of accelerator and experiment control systems integrate modern continuous integration and delivery frameworks (like GitLab CI/CD), automatically import software libraries and packages from the internet (using PyPI and NPM), or move control systems partially or entirely to the cloud. Following modern trends, machine learning and big data analysis have been embraced for, e.g., predictive maintenance, and artificial intelligence (AI) and large language models (LLM) are being trained with a view to soon allowing 100% autonomous operation of current and future accelerators and experiment data taking.

All this despite the risks linked to cybersecurity, and often neglecting or ignoring the consequences of a successful attack... So, what to do? The next Bulletin will reveal all.


This is an abridged version of an article that first appeared in the proceedings of the ICALEPCS 2025 conference.

________

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.