Author: Mudingay, R.
Paper | Title | Page
WEAPP04 | ICS Infrastructure Deployment Overview at ESS | 875
 
  • B. Bertrand, S. Armanet, J. Christensson, A. Curri, A. Harrisson, R. Mudingay
    ESS, Lund, Sweden
 
  The ICS Control Infrastructure group at the European Spallation Source (ESS) is responsible for deploying many different services. We treat infrastructure as code to deploy everything in a repeatable, reproducible and reliable way. We use three main tools to achieve that: Ansible (an IT automation tool), AWX (a GUI for Ansible) and CSEntry (a custom in-house developed web application used as a Configuration Management Database). CSEntry (Control System Entry) is used to register any device with an IP address (network switches, physical machines, virtual machines), which allows us to use it as a dynamic inventory for Ansible. DHCP and DNS are automatically updated as soon as a new host is registered in CSEntry. This is done by triggering a task that calls an Ansible playbook via the AWX API. Virtual machines can be created directly from CSEntry with one click, again by calling another Ansible playbook via the AWX API. This playbook uses the proxmox (our virtualization platform) API for the VM creation. By using Ansible groups, different proxmox clusters can be managed from the same CSEntry web application. Those tools give us an easy and flexible solution to deploy software in a reproducible way.
Slides WEAPP04 [13.604 MB]
DOI: https://doi.org/10.18429/JACoW-ICALEPCS2019-WEAPP04
Paper received: 30 September 2019; paper accepted: 10 October 2019; issue date: 30 August 2020
 
WEPHA104 | Managing Cybersecurity for Control System Safety System Development Environments | 1343
 
  • R. Mudingay, S. Armanet
    ESS, Lund, Sweden
 
  At ESS, we manage cyber security for our control system infrastructure by combining technologies that are relevant for each system. User access to the control system networks is controlled by an internal DMZ concept whereby we use standard security tools (vulnerability scanners, central logging, firewall policies, system and network monitoring), and users have to go through dedicated control points (reverse proxy, jump hosts, privileged access management solutions, or EPICS Channel Access or PV Access gateways). The infrastructure is managed through a DevOps approach: describing each component using a configuration management solution; using version control to track changes, with continuous integration workflows in our development process; and constructing the deployment of the lab/staging area to mimic the production environment. We also believe in the flexibility of virtualization. This is particularly true for safety systems, where the development of safety-critical code requires a high level of isolation. To this end, we utilize dedicated virtualized infrastructure and isolated development environments to improve control (remote access, software updates, safety code management).
Poster WEPHA104 [0.840 MB]
DOI: https://doi.org/10.18429/JACoW-ICALEPCS2019-WEPHA104
Paper received: 27 September 2019; paper accepted: 03 November 2019; issue date: 30 August 2020