EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: "security audit" of EPICS / Channel Access?
From: "J. Lewis Muir" <[email protected]>
To: "Hartman, Steven M." <[email protected]>, EPICS Tech Talk <[email protected]>
Date: Fri, 18 Sep 2015 10:48:35 -0500

On 9/17/15 10:43 AM, Hartman, Steven M. wrote:
> We are currently in the middle of a cyber security audit of our
> accelerator control system. The auditors have asked if there has ever
> been a formal security assessment of EPICS / Channel Access.
>
> Any comments?

Hi, Steven.

I don't know if there has ever been a security audit, but I can tell
you the result of an audit if there were one: EPICS/CA is completely
insecure.

This is not intended as a knock against EPICS; it was designed that
way.  Anyone on the same network as an IOC can write to any PV on that
IOC.  The EPICS access security subsystem is trivial to bypass.  The
Application Developer's Guide says as much about access security: "No
attempt has been made to protect against the sophisticated saboteur.
Network and physical security methods must be used to limit access to
the subnet on which the iocs reside."[1]

As for traditional security vulnerabilities--buffer overflows,
etc.--that could lead to remote code execution, I'm sure EPICS is
riddled with them.  EPICS is designed only to be run on a trusted
network.

Regards,

Lewis

[1] Application Developer's Guide, c. 8, "Access Security," s. 8.3.2,
    "Limitations"

ANJ, 16 Dec 2015