ICALEPCS2023 - List of Authors (Copy, B.)

Paper	Title	Page
MO4BCO03	Protecting Your Controls Infrastructure Supply Chain	196
	B. Copy, F. Ehm, P.J. Elson, S.T. Page, J.-B. de Martel CERN, Meyrin, Switzerland M. Pratoussy CPE Lyon, Villeurbanne, France L. Van Mol Birmingham University, Birmingham, United Kingdom
	Supply chain attacks have been constantly increasing since being first documented in 2013. Profitable and relatively simple to put in place for a potential attacker, they compromise organizations at the core of their operation. The number of high profile supply chain attacks has more than quadrupled in the last four years and the trend is expected to continue unless countermeasures are widely adopted. In the context of open science, the overwhelming reliance of scientific software development on open-source code, as well as the multiplicity of software technologies employed in large scale deployments make it increasingly difficult for asset owners to assess vulnerabilities threatening their activities. Recently introduced regulations by both the US government (White House executive order EO14028) and the EU commission (E.U. Cyber Resilience Act) mandate that both Service and Equipment suppliers of government contracts provide Software Bills of Materials (SBOM) of their commercial products in a standard and open data format. Such SBOM documents can then be used to automate the discovery, and assess the impact of, known or future vulnerabilities and how to best mitigate them. This paper will explain how CERN investigated the implementation of SBOM management in the context of its accelerator controls infrastructure, which solutions are available on the market today, and how they can be used to gradually enforce secure dependency lifecycle policies for the developer community.
DOI •	reference for this paper ※ doi:10.18429/JACoW-ICALEPCS2023-MO4BCO03
About •	Received ※ 02 October 2023 — Revised ※ 10 October 2023 — Accepted ※ 14 November 2023 — Issued ※ 24 November 2023
Cite •	reference for this paper using ※ BibTeX, ※ LaTeX, ※ Text/Word, ※ RIS, ※ EndNote (xml)

TH2AO03	An Update on the CERN Journey from Bare Metal to Orchestrated Containerization for Controls	1138
	T. Oulevey, B. Copy, F. Locci, S.T. Page, C. Roderick, M. Vanden Eynden, J.-B. de Martel CERN, Meyrin, Switzerland
	At CERN, work has been undertaken since 2019 to transition from running Accelerator controls software on bare metal to running in an orchestrated, containerized environment. This will allow engineers to optimise infrastructure cost, to improve disaster recovery and business continuity, and to streamline DevOps practices along with better security. Container adoption requires developers to apply portable practices including aspects related to persistence integration, network exposure, and secrets management. It also promotes process isolation and supports enhanced observability. Building on containerization, orchestration platforms (such as Kubernetes) can be used to drive the life cycle of independent services into a larger scale infrastructure. This paper describes the strategies employed at CERN to make a smooth transition towards an orchestrated containerised environment and discusses the challenges based on the experience gained during an extended proof-of-concept phase.
	Slides TH2AO03 [0.480 MB]
DOI •	reference for this paper ※ doi:10.18429/JACoW-ICALEPCS2023-TH2AO03
About •	Received ※ 06 October 2023 — Revised ※ 24 October 2023 — Accepted ※ 14 December 2023 — Issued ※ 19 December 2023
Cite •	reference for this paper using ※ BibTeX, ※ LaTeX, ※ Text/Word, ※ RIS, ※ EndNote (xml)

THPDP067	Towards a Flexible and Secure Python Package Repository Service	1489
	I. Sinkarenko, B. Copy, P.J. Elson, F. Iannaccone, W.F. Koorn CERN, Meyrin, Switzerland
	The use of 3rd-party and internal software packages has become a crucial part of modern software development. Not only does it enable faster development, but it also facilitates sharing of common components, which is often necessary for ensuring correctness and robustness of developed software. To enable this workflow, a package repository is needed to store internal packages and provide a proxy to 3rd-party repository services. This is particularly important for systems that operate in constrained networks, as is common for accelerator control systems. Despite its benefits, installing arbitrary software from a 3rd-party package repository can pose security and operational risks. Therefore, it is crucial to implement effective security measures, such as usage logging, package moderation and security scanning. However, experience at CERN has shown off-the-shelf tools for running a flexible repository service for Python packages not to be satisfactory. For instance, the dependency confusion attack first published in 2021 has still not been fully addressed by the main open-source repository services. An in-house development was conducted to address this, using a modular approach to building a Python package repository that enables the creation of a powerful and security-friendly repository service using small components. This paper describes the components that exist, demonstrates their capabilities within CERN and discusses future plans. The solution is not CERN-specific and is likely to be relevant to other institutes facing comparable challenges.
	Poster THPDP067 [0.510 MB]
DOI •	reference for this paper ※ doi:10.18429/JACoW-ICALEPCS2023-THPDP067
About •	Received ※ 05 October 2023 — Revised ※ 12 October 2023 — Accepted ※ 13 December 2023 — Issued ※ 16 December 2023
Cite •	reference for this paper using ※ BibTeX, ※ LaTeX, ※ Text/Word, ※ RIS, ※ EndNote (xml)

Paper

Title

Page

Protecting Your Controls Infrastructure Supply Chain

196

B. Copy, F. Ehm, P.J. Elson, S.T. Page, J.-B. de Martel
CERN, Meyrin, Switzerland
M. Pratoussy
CPE Lyon, Villeurbanne, France
L. Van Mol
Birmingham University, Birmingham, United Kingdom

Supply chain attacks have been constantly increasing since being first documented in 2013. Profitable and relatively simple to put in place for a potential attacker, they compromise organizations at the core of their operation. The number of high profile supply chain attacks has more than quadrupled in the last four years and the trend is expected to continue unless countermeasures are widely adopted. In the context of open science, the overwhelming reliance of scientific software development on open-source code, as well as the multiplicity of software technologies employed in large scale deployments make it increasingly difficult for asset owners to assess vulnerabilities threatening their activities. Recently introduced regulations by both the US government (White House executive order EO14028) and the EU commission (E.U. Cyber Resilience Act) mandate that both Service and Equipment suppliers of government contracts provide Software Bills of Materials (SBOM) of their commercial products in a standard and open data format. Such SBOM documents can then be used to automate the discovery, and assess the impact of, known or future vulnerabilities and how to best mitigate them. This paper will explain how CERN investigated the implementation of SBOM management in the context of its accelerator controls infrastructure, which solutions are available on the market today, and how they can be used to gradually enforce secure dependency lifecycle policies for the developer community.

DOI •

reference for this paper ※ doi:10.18429/JACoW-ICALEPCS2023-MO4BCO03

About •

Received ※ 02 October 2023 — Revised ※ 10 October 2023 — Accepted ※ 14 November 2023 — Issued ※ 24 November 2023

Cite •

reference for this paper using ※ BibTeX, ※ LaTeX, ※ Text/Word, ※ RIS, ※ EndNote (xml)

TH2AO03

An Update on the CERN Journey from Bare Metal to Orchestrated Containerization for Controls

1138

T. Oulevey, B. Copy, F. Locci, S.T. Page, C. Roderick, M. Vanden Eynden, J.-B. de Martel
CERN, Meyrin, Switzerland

At CERN, work has been undertaken since 2019 to transition from running Accelerator controls software on bare metal to running in an orchestrated, containerized environment. This will allow engineers to optimise infrastructure cost, to improve disaster recovery and business continuity, and to streamline DevOps practices along with better security. Container adoption requires developers to apply portable practices including aspects related to persistence integration, network exposure, and secrets management. It also promotes process isolation and supports enhanced observability. Building on containerization, orchestration platforms (such as Kubernetes) can be used to drive the life cycle of independent services into a larger scale infrastructure. This paper describes the strategies employed at CERN to make a smooth transition towards an orchestrated containerised environment and discusses the challenges based on the experience gained during an extended proof-of-concept phase.

Slides TH2AO03 [0.480 MB]

DOI •

reference for this paper ※ doi:10.18429/JACoW-ICALEPCS2023-TH2AO03

About •

Received ※ 06 October 2023 — Revised ※ 24 October 2023 — Accepted ※ 14 December 2023 — Issued ※ 19 December 2023

Cite •

reference for this paper using ※ BibTeX, ※ LaTeX, ※ Text/Word, ※ RIS, ※ EndNote (xml)

THPDP067

Towards a Flexible and Secure Python Package Repository Service

1489

I. Sinkarenko, B. Copy, P.J. Elson, F. Iannaccone, W.F. Koorn
CERN, Meyrin, Switzerland

The use of 3rd-party and internal software packages has become a crucial part of modern software development. Not only does it enable faster development, but it also facilitates sharing of common components, which is often necessary for ensuring correctness and robustness of developed software. To enable this workflow, a package repository is needed to store internal packages and provide a proxy to 3rd-party repository services. This is particularly important for systems that operate in constrained networks, as is common for accelerator control systems. Despite its benefits, installing arbitrary software from a 3rd-party package repository can pose security and operational risks. Therefore, it is crucial to implement effective security measures, such as usage logging, package moderation and security scanning. However, experience at CERN has shown off-the-shelf tools for running a flexible repository service for Python packages not to be satisfactory. For instance, the dependency confusion attack first published in 2021 has still not been fully addressed by the main open-source repository services. An in-house development was conducted to address this, using a modular approach to building a Python package repository that enables the creation of a powerful and security-friendly repository service using small components. This paper describes the components that exist, demonstrates their capabilities within CERN and discusses future plans. The solution is not CERN-specific and is likely to be relevant to other institutes facing comparable challenges.

Poster THPDP067 [0.510 MB]

DOI •

reference for this paper ※ doi:10.18429/JACoW-ICALEPCS2023-THPDP067

About •

Received ※ 05 October 2023 — Revised ※ 12 October 2023 — Accepted ※ 13 December 2023 — Issued ※ 16 December 2023

Cite •

reference for this paper using ※ BibTeX, ※ LaTeX, ※ Text/Word, ※ RIS, ※ EndNote (xml)