CERN: how does the international research institution manage risk?

Employing proprietary technology can introduce risks, according to Tim Bell, leader of CERN’s IT governance, risk and compliance section, who is responsible for business continuity and disaster recovery. “If you’re a visitor to a university, you’ll want to bring your laptop and use it at CERN. We can’t afford to remove these electronic devices upon arrival at the facility. It would be incompatible with the nature of the organization. The implication is that we must be able to implement BYOD-type security measures.”

Because at the core of everything always remains the collaborative nature of CERN. “Academic papers, open science, freedom of research, are part of our core. Cybersecurity needs to adapt to this,” Lüders notes. “We have 200,000 devices on our network that are BYOD.” How then does the adaptation of cyber protection apply? “It’s called defense in depth,” explains the CISO. “We can’t install anything on these end devices because they don’t belong to us, (…) but we have network monitoring.” In this way, even if you don’t have direct access to each device, you are warned when something is being done against the center’s policies, both at the level of cybersecurity and inappropriate uses, such as employing the technology they provide for particular interests.”

These measures also extend to obsolete systems, which the organization is able to assimilate because they have a network resilient enough that even if one piece of equipment is compromised, it won’t damage any other CERN systems. The legacy technology problem extends to the equipment needed for the physics experiments being performed at the center. “These are protected by dedicated networks, which allows the network protection to kick in and protect them against any kind of abuse,” Lüders explains. On IoT connected devices not designed with cybersecurity in mind, “a problem for all industries,” Lüders is blunt: “You will never get security in IoT devices.” His solution is to connect them to restricted network segments where they are not allowed to communicate with anything else, and then define destinations to which they can communicate.