Stefan Lüders and Tim Bell of CERN.
Employing proprietary technology can introduce risks, according to Tim Bell, leader of CERN’s IT governance, risk and compliance section, who is responsible for business continuity and disaster recovery. “If you’re a visitor to a university, you’ll want to bring your laptop and use it at CERN. We can’t afford to remove these electronic devices upon arrival at the facility. It would be incompatible with the nature of the organization. The implication is that we must be able to implement BYOD-type security measures.”

At the core of everything remains the collaborative nature of CERN. “Academic papers, open science, freedom of research, are part of our core. Cybersecurity needs to adapt to this,” Lüders notes. “We have 200,000 devices on our network that are BYOD.” How, then, is cyber protection adapted? “It’s called defense in depth,” explains the CISO. “We can’t install anything on these end devices because they don’t belong to us, (...) but we have network monitoring.” In this way, even without direct access to each device, the security team is warned when something is being done against the center’s policies, both in terms of cybersecurity and of inappropriate use, such as employing the technology CERN provides for personal interests.

These measures also extend to obsolete systems, which the organization can accommodate because its network is resilient enough that even if one piece of equipment is compromised, it won’t damage any other CERN systems. The legacy technology problem extends to the equipment needed for the physics experiments being performed at the center. “These are protected by dedicated networks, which allows the network protection to kick in and protect them against any kind of abuse,” Lüders explains.
On connected IoT devices not designed with cybersecurity in mind, “a problem for all industries,” Lüders is blunt: “You will never get security in IoT devices.” His solution is to connect them to restricted network segments where they are not allowed to communicate with anything else, and then define the destinations to which they can communicate.
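The two ideas above, monitoring the network instead of the endpoint and giving a restricted segment an explicit list of permitted destinations with everything else denied, can be expressed as a small policy check over flow records. The following is an added example written for this page, not CERN’s own tooling; the segment names, address ranges, allow-list and the flow-log format are all constructed for illustration.

```python
"""Flow-log policy check for restricted network segments.

Added example, not CERN's tooling. It models the pattern described in
the article: devices on a restricted segment (for instance an IoT VLAN)
may talk only to an explicit list of destinations, and anything else is
caught by network monitoring rather than by software on the device
itself. Segment names, address ranges, the allow-list and the flow
records below are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One permitted destination for a segment (port None = any port)."""
    dst: ipaddress.IPv4Network
    proto: str
    port: Optional[int]


# Constructed segments: which source ranges are policed at all.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.10.0.0/24"),
    "controls": ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed per-segment allow-lists. Anything not listed is denied,
# including traffic between two devices inside the IoT segment.
ALLOWED = {
    "iot": [
        Rule(ipaddress.ip_network("10.0.0.53/32"), "udp", 53),    # internal DNS
        Rule(ipaddress.ip_network("10.0.0.123/32"), "udp", 123),  # internal NTP
        Rule(ipaddress.ip_network("10.0.1.0/24"), "tcp", 443),    # telemetry collector
    ],
    "controls": [
        Rule(ipaddress.ip_network("10.20.0.0/24"), "tcp", None),  # intra-segment only
        Rule(ipaddress.ip_network("10.0.1.0/24"), "tcp", 443),    # same collector
    ],
}


def segment_of(ip: str) -> Optional[str]:
    """Return the restricted segment a source address belongs to, if any."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(segment: str, dst: str, proto: str, port: int) -> bool:
    """Default-deny check of one flow against the segment's allow-list."""
    d = ipaddress.ip_address(dst)
    for r in ALLOWED.get(segment, []):
        if d in r.dst and r.proto == proto and (r.port is None or r.port == port):
            return True
    return False


def parse_flow(line: str) -> dict:
    """Parse a constructed flow record: '<ts> <src> <dst> <proto> <dport> <bytes>'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "bytes": int(nbytes)}


def check_flows(lines):
    """Return (segment, src, dst, proto, dport) for every flow that breaks policy.

    Sources outside the restricted segments are skipped here: the
    general-purpose BYOD network is monitored separately.
    """
    alerts = []
    for line in lines:
        f = parse_flow(line)
        seg = segment_of(f["src"])
        if seg is None:
            continue
        if not is_allowed(seg, f["dst"], f["proto"], f["dport"]):
            alerts.append((seg, f["src"], f["dst"], f["proto"], f["dport"]))
    return alerts


# Constructed sample flows: two IoT devices, one controls host, one campus laptop.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01 10.10.0.7 10.0.0.53 udp 53 120",      # DNS: allowed
    "2024-05-01T10:00:02 10.10.0.7 10.0.1.20 tcp 443 5120",    # collector: allowed
    "2024-05-01T10:00:03 10.10.0.9 10.10.0.7 tcp 22 800",      # IoT-to-IoT SSH: alert
    "2024-05-01T10:00:04 10.10.0.9 203.0.113.5 tcp 443 4096",  # Internet: alert
    "2024-05-01T10:00:05 10.20.0.4 10.20.0.5 tcp 502 300",     # Modbus inside controls: allowed
    "2024-05-01T10:00:06 10.20.0.4 10.10.0.7 tcp 80 200",      # controls-to-IoT: alert
    "2024-05-01T10:00:07 192.168.1.5 10.10.0.7 tcp 80 200",    # campus laptop: not policed here
]

if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print("policy violation:", alert)
```

The same allow-list would normally be enforced in the segment’s firewall as well; running it over exported flow records is what turns a blocked connection into an alert that someone is trying something the policy forbids, which is the point Lüders makes about monitoring devices that cannot be managed directly.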
General framework: This is part of a larger challenge: aligning the IT and OT sides so that security continuity is established throughout the organization, a challenge that runs through centralization. “Today the OT part, the control systems at CERN, are using IT virtualization,” explains Lüders. “The strategy is to bring IT and control people together so that the control people can use the IT services to their advantage.” From the technology department, a central system is provided with different functionalities for operations, as well as for other areas of the organization, accessible through a single point of entry. “That’s the power of centralization.” This approach also covers new tools such as LLM-based AI tools, for which a working group is in place to find the best way to employ them. “We are facing a big discovery and, later on, we will centralize it through a central IT service. And that’s how we do it with all technologies.”

Just as the subjects they research at CERN are evolving, so is their IT governance framework. This has been keeping up with industry developments, Bell explains, hand in hand with audits that allow it to operate according to best practice. “The governance part is becoming more formal. In general, everything was well organized; it was just a matter of standardizing it and developing policy frameworks around it.” Despite these standards, the result is anything but rigid, Bell explains, citing a recent cybersecurity audit in which CERN was assessed against one of the international standards, which helped raise its maturity level. “We are adopting a fairly flexible IT governance policy, learning from the experience of others in adopting industry standards.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4109133/cern-how-does-an-international-research-institution-manage-risk.html