![[site.logo.alt]](/presentation/images/RO_VJ_Logo.png){kind=logo}
Stefan Lueders
Computer Security Officer, CERN - The European Organization for Nuclear Research
Biography
Stefan Lueders, PhD, graduated from the Swiss Federal Institute of Technology in Zurich and joined CERN in 2002. Being initially developer of a common safety system used in all four experiments at the Large Hadron Collider, he gathered expertise in cyber-security issues of control systems. Consequently in 2004, he took over responsibilities in securing CERN's accelerator and infrastructure control systems against cyber-threats. Subsequently, he joined the CERN Computer Security Incident Response Team and is today heading this team as CERN’s Computer Security Officer with the mandate to coordinate all aspects of CERN’s computer security office computing security, computer centre security, GRID computing security and control system security whilst maintaining CERN’s academic environment and taking into account CERN’s operational needs. Dr. Lueders has presented on these topics at many different occasions to international bodies, governments, and companies, and published several articles.
Presentation: Why Control System Cyber Security sucks
Control system cyber-security is now around for more than a decade, but got appropriate (or even exaggerated?) attention only recently due to the Stuxnet worm attacking Siemens PLCs. Despite all the concerns from know-it-all IT security experts, securing today’s commercial-off-the-shelf control system is far from being easy. Still too many control systems are designed without security in mind, lack basic security protections, or are not even robust enough to withstand basic attacks. While embracing standard IT technologies, only few manufacturers also apply good security practises. And (too) few customers ask for it. On the customer side, a change of mind is necessary, too: control system cyber-security must become fundamental ingredient when running a plant.
This presentation shall recap the current situation and outline why the presenter is still waiting for a change in paradigm: Control systems must not only embrace IT technology but also thoroughly apply standard IT security measures: timely patching, deployment of anti-virus software, integration of personal account and fine-grained access control, elevated robustness and resilience of control devices, and free information sharing between all stakeholders…