Who is this page for?

Staff and scientists who install, administer, or maintain scientific apparatus that has any form of computer network connection.

What is network-accessible scientific equipment?

Network-accessible scientific equipment is any equipment that can be accessed, controlled, or monitored in any way over a network. The terms “SCADA” (Supervisory Control and Data Acquisition) and “ICS” (Industrial Control System) are often associated with this type of equipment. Many types of equipment fall into this category, including such things as:

  • Electron microscopes
  • Chromatographs
  • Spectrometers
  • Sample-handling robots

This category also includes any sort of custom experimental apparatus that is network-connected. If you can interact with it from a computer, or move files to and from it, it is network-connected.

What is the concern?

Networked equipment that is not properly secured can be accessed by bad actors who may try to:

  • Deny legitimate access to equipment or data stored on it
  • Damage equipment or experiments
  • Delete data or invalidate experimental results
  • Create an unsafe environment or harm people
  • Embarrass you and Berkeley Lab

General Guidance

Restrict Network Access

It is important to restrict network access to equipment to the smallest set of users and services that meets your organization’s business needs. In some cases, this means that a particular piece of equipment should be entirely disconnected from the network. At the opposite end of the spectrum, there are systems with a legitimate need to provide full network access to the general public; in such cases, our recommendation is that you stand up a separate system to serve the public, which in turn pulls data from your system(s), so that the public never reaches the instrument itself. In between, there are many business cases and various ways to make equipment appropriately network accessible. For example, you may need to access a Web-based status interface but not need to access files on the device (or vice versa). Or, if you do need to access files, most people may only need read-only access and only a few people will need to be able to store files.
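One concrete way to implement "smallest availability" for a device that must stay networked is to place it on a private subnet whose only entry point is a bastion host. The following nftables ruleset is an added illustration, not configuration from the LBL page or from any Berkeley Lab system; all addresses and interface names are constructed placeholders (instrument subnet 10.0.0.0/24, bastion host 10.0.1.5, firewall interfaces eth_lab and eth_inst).

```nft
# Added example (not part of the LBL page): forward-filter ruleset for the router or
# firewall that sits between the lab network (eth_lab) and an instrument subnet (eth_inst).
# Placeholders: instruments in 10.0.0.0/24, bastion host 10.0.1.5, ports 22 and 443
# for SSH and HTTPS management.
table inet instrument_fw {
    chain forward {
        # Default is to drop: nothing crosses into or out of the subnet unless listed below.
        type filter hook forward priority 0; policy drop;

        # Stateful filtering: replies to connections the bastion opened are allowed back.
        ct state established,related accept

        # Only the bastion host may open connections to the instrument subnet, and only
        # to the management services it actually needs.
        iifname "eth_lab" oifname "eth_inst" ip saddr 10.0.1.5 ip daddr 10.0.0.0/24 tcp dport { 22, 443 } ct state new accept

        # Instruments never initiate connections outward (no reaching out, no exfiltration).
        # Log the attempt so the security team can investigate a misbehaving device.
        iifname "eth_inst" ct state new log prefix "instrument-subnet-out: " drop

        # Everything else (e.g. a laptop on LBLnet trying the device directly) is logged and dropped.
        log prefix "instrument-subnet-denied: " drop
    }
}
```

The key properties are the default-drop policy, the single allowed source (the bastion), the explicit port list, and logging of denied traffic: the logs give you a record of who tried to reach the instrument without going through the bastion, which is useful both for troubleshooting and for spotting unauthorized access attempts. Loading the ruleset with `nft -f` on the firewall and adding per-user accounts and session logging on the bastion itself completes the pattern.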

Specific Guidance

Cyber Security recommends that you consider three main variables when deciding how best to secure network-accessible equipment:

  • Risk (the potential impact if the device is compromised)
  • Vulnerability
  • Use case

Potential Impact

If the potential impact falls in the Zero category, as defined in the table below, then the equipment may be treated like other common IT equipment, such as your desktop or laptop. However, this does not mean that no precautions should be taken; normal precautions, such as keeping operating systems and applications current, still apply.

Impact Level: Non-Zero
Identifying characteristics: ANY potential for ANY of the following:

  • Reputational harm to Berkeley Lab
  • Loss of experimental data
  • Experimental setback
  • Loss or waste of materials
  • Damage to equipment (including equipment other than the device under consideration)
  • Harm to humans
  • Harm to the environment

Impact Level: Zero
Identifying characteristics: NONE of the characteristics listed above


Most SCADA/ICS types of equipment, by their very nature, will fall into the non-zero impact category. If so, consider the following matrix of the remaining two variables: use case and vulnerability.

Guidelines for connecting scientific instruments and other equipment to the LBL network

The matrix has one column per use case and one row per vulnerability level. The use cases are:

  • File Access: accessing configuration or data files from the device
  • Monitoring: read-only access to device data
  • Remote Ops: changing device configuration remotely; initiating actions remotely; remote administration and debugging

Devices that are current and supported (current, fully-patched OS; current, fully-patched application; active vendor support):

  • File Access: device can be left on LBLnet as-is; a firewall is still recommended
  • Monitoring: device can be left on LBLnet as-is
  • Remote Ops: private subnet accessible only through bastion hosts

Devices that are EOL’d, unpatched, unsupported, or weakly protected (EOL’d or unpatched OS, OS firmware, or application; unsupported product; no password; non-changeable, default password):

  • File Access: private subnet, perhaps behind a simple firewall device
  • Monitoring: private subnet accessible only through bastion hosts; if HTTP-based, consider running an HTTP reverse proxy
  • Remote Ops: private subnet accessible only through bastion hosts

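The Monitoring row above recommends an HTTP reverse proxy for devices with a Web-based status interface, and the General Guidance section gives the matching use case: people need the status page but not the files or controls behind it. The nginx configuration below is an added example of that pattern; it is not configuration from the LBL page or from any Berkeley Lab system. The hostname, certificate paths, client range (128.3.0.0/16), device address (10.0.0.10) and status path are constructed placeholders.

```nginx
# Added example (not part of the LBL page): reverse proxy on a bastion/proxy host that
# publishes an instrument's HTTP status interface read-only. The instrument itself sits
# on a private subnet and is never reachable directly from LBLnet.
server {
    listen 443 ssl;
    server_name instrument-status.example.lbl.gov;            # placeholder hostname

    ssl_certificate     /etc/ssl/certs/instrument-status.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/private/instrument-status.key; # placeholder path

    # Restrict who may talk to the proxy at all; everyone else receives 403.
    allow 128.3.0.0/16;   # constructed example client range
    deny  all;

    # Separate log so attempts to reach the device can be reviewed by the security team.
    access_log /var/log/nginx/instrument-status.access.log;   # placeholder path

    # Publish only the status pages. Any path not listed here (vendor admin pages,
    # firmware upload, file browser) has no route and cannot be reached through the proxy.
    location /status/ {
        # Monitoring is read-only: GET (and HEAD) pass, anything that could change
        # configuration or trigger an action is refused here, before it reaches the device.
        limit_except GET {
            deny all;
        }

        # Per-user credentials on the proxy, even if the device itself has a weak or
        # unchangeable password.
        auth_basic "Instrument status";
        auth_basic_user_file /etc/nginx/instrument-status.htpasswd;  # placeholder path

        proxy_pass http://10.0.0.10/status/;   # device on the private subnet
        proxy_set_header Host $host;
        proxy_read_timeout 10s;
    }

    location / {
        return 404;
    }
}
```

Two design points matter here. First, the proxy enforces the use case: the device may well accept POSTs that change settings, but the proxy only forwards GETs to one path, so a compromised or careless client on LBLnet cannot turn a Monitoring connection into Remote Ops. Second, authentication, TLS and logging are added by the proxy, which is exactly what makes this approach suitable for an EOL’d or unsupported device whose own Web interface cannot be fixed.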

Questions?

If you are in doubt about how to connect a specific piece of equipment, do not hesitate to contact our cyber security team. They will be happy to help you devise an appropriate plan.