CERN: how does the international research institution manage risk?


There are few research institutions in the world with the size and scope of the European Organization for Nuclear Research, CERN. Founded in 1954 by 12 European countries, the European Laboratory for Elementary Particle Physics is located in the Swiss town of Meyrin, in the canton of Geneva, although its facilities extend along the Franco-Swiss border. Among them is the Large Hadron Collider (LHC), the world’s largest particle accelerator. International collaboration is at the core of its origin: more than 3,500 people make up its permanent staff, a small village that expands to 17,000 once the scientific staff of around 950 institutions from more than 80 countries collaborating on projects at the center are added. In this homegrown ecosystem, IT risk management poses a challenge.

“The main problem is that we are managing a huge organization,” explains Stefan Lüders, CERN’s CISO. “We are one of the most important particle physics research institutes on the planet. We do sophisticated and interesting things, which makes us a target for attacks from different communities.” He lists several of these potential threats: script kiddies or hackers with basic knowledge, who all pose a potential security risk; ransomware or data exfiltration; sabotage of CERN’s work; espionage actions and criminal groups trying to infiltrate through computers or other devices.

“This is where people come in. Because we have a very large, heterogeneous and very fluctuating research community. There are many physicists who join the organization every year. They come in and leave to do their PhD, do research at CERN and then leave,” he describes, pointing to the challenge of “taking care of this community of users. The other challenge is the flexible and fast-developing world of IT.” This includes programming — importing open-source libraries, their security, etc. — and AI. “The more sophisticated AI becomes, the greater the likelihood that those AI-driven security or attack tools will try to infiltrate the organization.”

Securing CERN

How do you ensure effective implementation of cybersecurity initiatives that don’t disrupt scientific work? “You can’t,” Lüders asserts. “Cybersecurity is inconvenient. Let’s face it.” Lüders equates it to locking your front door or using your PIN to get cash out of the ATM; they can be annoying, but necessary. “We try to explain to our community why security measures are needed,” he says. “And if we adapt our security measures to our environment, people adopt them. Yes, it makes the research a little more complicated, but only a little.”

Lüders insists on the research work factor. “We are not a bank. We don’t have billions of dollars. We are not a military base, which means we don’t have to protect a country. We do research, which means adapting the level of security and the level of academic freedom so that the two go hand in hand. And that’s an ongoing conversation with our user community.” This ranges from scientific personnel to industrial control systems management, IT or human resources. “To meet this challenge, it is essential to talk to people. That’s why, I insist, cybersecurity is a very sociological issue: talking to people, explaining to them why we do this.”

For example, not everyone willingly uses multifactor authentication because “let’s face it, they’re a pain. It’s much easier to type in a password, and who even wants to type in a password? You just want to log in. But for protection needs, today we have passwords and multifactor authentication. So you explain to people what you’re protecting. We tell them why it’s important to protect their work, as well as research results. And the vast majority understand that you need a certain level of security,” he says. “But it’s a challenge because there are so many different cultures here, different nationalities, different opinions and thoughts, and different backgrounds. That’s what we are constantly trying to adapt to.”

Stefan Lüders and Tim Bell of CERN.


Employing proprietary technology can introduce risks, according to Tim Bell, leader of CERN’s IT governance, risk and compliance section, who is responsible for business continuity and disaster recovery. “If you’re a visitor to a university, you’ll want to bring your laptop and use it at CERN. We can’t afford to remove these electronic devices upon arrival at the facility. It would be incompatible with the nature of the organization. The implication is that we must be able to implement BYOD-type security measures.”

Because at the core of everything always remains the collaborative nature of CERN. “Academic papers, open science, freedom of research, are part of our core. Cybersecurity needs to adapt to this,” Lüders notes. “We have 200,000 devices on our network that are BYOD.” How, then, is cyber protection adapted to this? “It’s called defense in depth,” explains the CISO. “We can’t install anything on these end devices because they don’t belong to us, (…) but we have network monitoring.” In this way, even without direct access to each device, the organization is warned when something is being done against the center’s policies, both at the level of cybersecurity and of inappropriate use, such as employing the technology it provides for particular interests.

These measures also extend to obsolete systems, which the organization is able to assimilate because they have a network resilient enough that even if one piece of equipment is compromised, it won’t damage any other CERN systems. The legacy technology problem extends to the equipment needed for the physics experiments being performed at the center. “These are protected by dedicated networks, which allows the network protection to kick in and protect them against any kind of abuse,” Lüders explains. On IoT connected devices not designed with cybersecurity in mind, “a problem for all industries,” Lüders is blunt: “You will never get security in IoT devices.” His solution is to connect them to restricted network segments where they are not allowed to communicate with anything else, and then define destinations to which they can communicate.
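The segmentation approach Lüders describes (a restricted segment that may talk only to explicitly defined destinations, enforced and watched from the network rather than on the device) can be illustrated with a small policy check run over flow records. This is an added example, not CERN’s tooling; the segment addresses, the allowed destinations and the flow log are all constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical segment policy (constructed; not CERN's addressing or rules).
# A restricted segment is default-deny: only the listed destinations are allowed.
SEGMENT_POLICY = {
    "iot-sensors": {
        "cidr": ipaddress.ip_network("10.50.0.0/24"),
        "allow": [  # (destination network, protocol, destination port)
            (ipaddress.ip_network("10.10.1.5/32"), "tcp", 8883),  # broker over TLS
            (ipaddress.ip_network("10.10.1.53/32"), "udp", 123),  # time service
        ],
    },
}

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line):
    """Parse one constructed flow-log line of the form 'src,dst,proto,dport'."""
    src, dst, proto, dport = line.strip().split(",")
    return Flow(src, dst, proto.lower(), int(dport))

def segment_of(ip):
    """Name of the restricted segment containing ip, or None if unsegmented."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, s in SEGMENT_POLICY.items() if addr in s["cidr"]), None)

def classify(flow):
    """Return 'allowed', 'denied' or 'unsegmented' for one flow."""
    seg = segment_of(flow.src)
    if seg is None:
        return "unsegmented"
    dst = ipaddress.ip_address(flow.dst)
    for net, proto, port in SEGMENT_POLICY[seg]["allow"]:
        if dst in net and proto == flow.proto and port == flow.dport:
            return "allowed"
    return "denied"  # anything not explicitly allowed violates the segment policy

def audit(lines):
    """Return the flows that violate the default-deny policy of their segment."""
    return [f for f in map(parse_flow, lines) if classify(f) == "denied"]

SAMPLE_FLOWS = [  # constructed flow log
    "10.50.0.17,10.10.1.5,tcp,8883",    # sensor -> broker: allowed
    "10.50.0.17,10.10.1.53,udp,123",    # sensor -> time service: allowed
    "10.50.0.23,10.50.0.17,tcp,22",     # sensor -> sensor: lateral move, denied
    "10.50.0.23,198.51.100.9,tcp,443",  # sensor -> outside address: denied
    "10.20.3.4,10.10.1.5,tcp,8883",     # source outside any restricted segment
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Flows that leave a restricted segment toward anything other than its defined destinations are reported, which is the network-side signal the article describes for devices the organization cannot instrument itself.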

General framework

This is part of a larger challenge: aligning the IT and OT sides so that security continuity is established throughout the organization. A challenge that goes through centralization. “Today the OT part, the control systems at CERN, are using IT virtualization,” explains Lüders. “The strategy is to bring IT and control people together so that the control people can use the IT services to their advantage.” From the technology department, a central system is provided with different functionalities for operations, as well as for other areas of the organization, accessible through a single point of entry. “That’s the power of centralization.” This system also includes new tools, such as LLM-based AI tools, for which a working group is in place to find the best way to employ them. “We are facing a big discovery and, later on, we will centralize it through a central IT service. And that’s how we do it with all technologies.”

Just as the subjects they research at CERN are evolving, so is their IT governance framework. This has been keeping up with industry developments, Bell explains, hand in hand with audits that allow it to operate according to best practice. “The governance part is becoming more formal. In general, everything was well organized; it was just a matter of standardizing it and developing policy frameworks around it.” Despite the establishment of these standards, the result is the opposite of rigid, explains Bell, who exemplifies this with the case of a recent cybersecurity audit in which CERN was assessed against one of the international standards, which served to improve the level of maturity. “We are adopting a fairly flexible IT governance policy, learning from the experience of others in adopting industry standards.”
