Like any other organisation, university, institute or enterprise, CERN is under attack. Permanently. During the day. At night. On weekends. On holidays. From nearby. From far away. Denial-of-service attacks, unauthorised penetration tests, poking for weaknesses, scans for vulnerabilities, reconnaissance and intel gathering, attempts to compromise and exploit, but also more targeted and sophisticated cyberattacks, are all a normal by-product, a kind of pollution, from being connected to the internet. But who are these attackers? What are they up to? What are the cyberthreats CERN is facing? What are the cyber-risks?
The cyber-risks can be split into four categories: operational, financial, legal and reputational. The operational risks are evident: accelerators, experiments, computing services or administrative services are brought to a halt by a successful cyberattack – through sabotage, manipulating or compromising central IT services or control systems, or abusing the computing accounts of experts, administrators and operators. The latter two can also have financial repercussions for the Organization, as the abuse of IT services reduces their availability and utility to CERN, and CERN computing accounts grant access to other costly services, like digital science publications served by the CERN library or the “free” processing power of CERN’s computing clusters. Financial risks include compensation in case software/music/film copyrights are violated or pirated software is used instead of the software centrally licensed by CERN. Financial losses due to financial fraud against the Organization or the theft of data also need to be considered. Most financial risks go hand in hand with legal risks, as copyright violation and software piracy are illegal in many countries and the unauthorised exposure of personal data is subject to legal penalties. Finally, CERN’s appearance in the headlines due to a successful cyberattack could harm its reputation. CERN webpages defaced with “naked teddy bears” or CERN servers attacking external sites like those of the White House or the Vatican would definitely generate negative media coverage.
So, who are the perpetrators trying to exploit CERN? Their portfolio is vast and rather standard, ranging from script kiddies trying out their skills to hacktivists seeking kudos from their community for having “hacked” CERN, to more-or-less sophisticated cybercriminals targeting CERN for the purpose of extracting money in any form. CEO fraud. Ransom payments. Besides those groups, there are the nice guys, the white hats, who poke into CERN to help us identify weaknesses and vulnerabilities and usually report them to us – thank you, guys! And then there are the advanced persistent threats or “APTs”, i.e. sophisticated groups of attackers, often state-sponsored or even run by nation states, who have their own (financial) agenda. Those are the most difficult to protect against as they are usually extremely well equipped, financed and skilled and come with resources, patience and (already lots of) money.
In addition to these external threats, CERN also faces internal threats: copyright violations and licence infringements are most likely to be triggered by insiders bringing in their own devices with their own personal stack of music and films or software licensed with their university or home institute. Sabotage and espionage are two other insider risks.
The Computer Security team has been mandated by CERN’s Director-General to protect the operations and reputation of the Organization against any kind of cyber-risk. Our role is governed by Operational Circular No. 5 and its subsidiary policies (the “CERN Computing Rules”). In order to better control the aforementioned risks and protect against these threats, CERN has put in place a multitude of protective means (e.g. firewalls, network segregation, intrusion detection systems, endpoint detection and antivirus software, spam and antimalware filtering, single sign-on and two-factor authentication, proactive vulnerability scanning, audits and training).
Still, most importantly, CERN computer security is not complete without you! CERN’s academic freedom is a valuable thing, but like any kind of freedom, it comes with responsibility. It is the responsibility of us all, not just the experts in the IT department, to protect our IT infrastructure and strike the right balance between security, academic freedom and the unfettered operation of our facilities. CERN needs your help to keep the risks and the threats at bay!
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.