Like it or not, the cyber realm is unfortunately developing alongside the physical world. While in the real world, conflicts tragically dominate world politics, the usual commercial cyber-attackers have increased their attacks, too. And, unlike in the past, the research and education (R&E) sector is no longer spared.

Until recently, universities had been attacked only very occasionally. One of the last in this sad line-up was the University of Michigan. But the last year has also seen major attacks against accelerators and telescopes ─ as collateral damage and as the attackers’ main focus, respectively. What we feared in the past has become reality: where there is operational value, there is a business opportunity for malicious evildoers to extract money ─ and this applies to the R&E community as well. To “ransom” the operator, threaten operations, stop production and cause damage.

Over the past 12 months, the CERN Computer Security team has tirelessly helped dozens of universities worldwide to protect themselves against such “ransomware” attacks (see our monthly security reports) and improve their defences, as well as providing training, tipping them off to imminent danger where our threat intel permits and assisting them in incident response when it was too late and damage had been done. Similarly, the base question is not “if” but “when” CERN will be subject to a ransomware attack. The three mantras of ransomware defence are “Don’t get it”, “Don’t pay” and have all-encompassing, complete and thoroughly tested back-ups in place. While CERN has taken a firm position on the second mantra (incidentally, governments are increasingly prohibiting ransom payments), and the IT department, in collaboration with many stakeholders in the Organization, is hard at work on the third, the first mantra – raising our defences – is the hardest one. Many projects are already under way and we’re not done yet:

• 2024 will see an even more all-encompassing roll-out of 2-factor protection, in particular to our user community and to holders of so-called “secondary” accounts. It will eventually also cover LXPLUS and the CERN Windows terminal servers.
• The “new” anti-malware solution will finally be deployed to all CERN/centrally managed Windows PCs and we will investigate whether this protective means can also be forced onto any other Windows laptop or Macbook purchased and owned by the Organization.
• Vulnerability scanning and penetration testing against CERN’s internet presence is currently being tendered and will start in early 2024 (the owners of vulnerable websites and web servers may possibly be required to contribute to the cost).
• Together with HR’s Learning and Development group, we will expand CERN’s training catalogue and offer dedicated hands-on courses on secure programming and software development, as well as IT operations.
• In parallel, Gitlab security scanning may make it into your pipelines and into your choice of virtual machines and containers in order to reduce the risk through the “software supply chain”.
• Our Security Operations Centre will extend its remit to cover even more data sources, enabling us to monitor more network segments than ever before, as well as our main cloud-based services (such as Google and Microsoft).
• Finally, CERN recently concluded an external audit on “cyber security” and its findings and resulting recommendations will be addressed in the course of 2024 (more on that in a future Bulletin article).

In any case, ransomware hits are coming closer. Unlike some of our unfortunate partner universities and some astronomy experiments and particle accelerators, CERN has not been hit yet. Yet! And we hope to keep it that way. Cybersecurity is a permanent marathon: our work will never be done. But for this race, we appreciate (and need!) your help in securing the Organization. As “sec_irty” is not complete without “u”!!! Let’s have a (more) peaceful 2024.

____

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.