{"id":15386,"date":"2025-12-25T07:06:17","date_gmt":"2025-12-25T07:06:17","guid":{"rendered":"https:\/\/newestek.com\/?p=15386"},"modified":"2025-12-25T07:06:17","modified_gmt":"2025-12-25T07:06:17","slug":"cern-how-does-the-international-research-institution-manage-risk","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15386","title":{"rendered":"CERN: how does the international research institution manage risk?"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>There are few research institutions in the world with the size and scope of the European Organization for Nuclear Research, CERN. Founded in 1954 by 12 European countries, the <a href=\"https:\/\/home.cern\/\" target=\"_blank\" rel=\"noreferrer noopener\">European Laboratory for Elementary Particle Physics<\/a> is located in the Swiss town of Meyrin, in the canton of Geneva, although its facilities extend along the Franco-Swiss border. Among them is the Large Hadron Collider (LHC), the world\u2019s largest particle accelerator. International collaboration is at the core of its origin: more than 3,500 people make up its permanent staff. A small village that expands to 17,000 when adding the scientific staff of around 950 institutions from more than 80 different countries that collaborate on projects at the center. In this homegrown ecosystem, IT risk management poses a challenge.<\/p>\n<p>\u201cThe main problem is that we are managing a huge organization,\u201d explains Stefan L\u00fcders, CERN\u2019s CISO. \u201cWe are one of the most important particle physics research institutes on the planet. 
We do sophisticated and interesting things, which makes us a target for attacks from different communities.\u201d He lists several of these potential threats: <em>script kiddies<\/em> or hackers with basic knowledge, who all pose a potential security risk; ransomware or data exfiltration; sabotage of CERN\u2019s work; espionage actions and criminal groups trying to infiltrate through computers or other devices.<\/p>\n<p>\u201cThis is where people come in. Because we have a very large, heterogeneous and very fluctuating research community. There are many physicists who join the organization every year. They come in and leave to do their PhD, do research at CERN and then leave,\u201d he describes, pointing to the challenge of \u201ctaking care of this community of users. The other challenge is the flexible and fast-developing world of IT.\u201d This includes programming \u2014 importing open-source libraries, their security, etc. \u2014 and AI. \u201cThe more sophisticated AI becomes, the greater the likelihood that those AI-driven security or attack tools will try to infiltrate the organization.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"securing-cern\">Securing CERN<\/h2>\n<p>How do you ensure effective implementation of cybersecurity initiatives that don\u2019t disrupt scientific work? \u201cYou can\u2019t,\u201d L\u00fcders asserts. \u201cCybersecurity is inconvenient. Let\u2019s face it.\u201d L\u00fcders equates it to locking your front door or using your PIN to get cash out of the ATM; they can be annoying, but necessary. \u201cWe try to explain to our community why security measures are needed,\u201d he says. \u201cAnd if we adapt our security measures to our environment, people adopt them. Yes, it makes the research a little more complicated, but only a little.\u201d<\/p>\n<p>L\u00fcders insists on the research work factor. \u201cWe are not a bank. We don\u2019t have billions of dollars. 
We are not a military base, which means we don\u2019t have to protect a country. We do research, which means adapting the level of security and the level of academic freedom so that the two go hand in hand. And that\u2019s an ongoing conversation with our user community.\u201d This ranges from scientific personnel to industrial control systems management, IT or human resources. \u201cTo meet this challenge, it is essential to talk to people. That\u2019s why, I insist, cybersecurity is a very sociological issue: talking to people, explaining to them why we do this.\u201d <\/p>\n<p>For example, not everyone willingly uses multifactor authentication because \u201clet\u2019s face it, they\u2019re a pain. It\u2019s much easier to type in a password, and who even wants to type in a password? You just want to log in. But for protection needs, today we have passwords and multifactor authentication. So you explain to people what you\u2019re protecting. We tell them why it\u2019s important to protect their work, as well as research results. And the vast majority understand that you need a certain level of security,\u201d he says. \u201cBut it\u2019s a challenge because there are so many different cultures here, different nationalities, different opinions and thoughts, and different backgrounds. That\u2019s what we are constantly trying to adapt to.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<figure class=\"wp-block-image size-full\"><figcaption class=\"wp-element-caption\">\n<p>Stefan L\u00fcders and Tim Bell of CERN.<\/p>\n<\/figcaption><\/figure>\n<p class=\"imageCredit\">CERN<\/p>\n<\/div>\n<p>Employing proprietary technology can introduce risks, according to Tim Bell, leader of CERN\u2019s IT governance, risk and compliance section, who is responsible for business continuity and disaster recovery. \u201cIf you\u2019re a visitor to a university, you\u2019ll want to bring your laptop and use it at CERN. 
We can\u2019t afford to remove these electronic devices upon arrival at the facility. It would be incompatible with the nature of the organization. The implication is that we must be able to implement BYOD-type security measures.\u201d<\/p>\n<p>At the core of everything remains the collaborative nature of CERN. \u201cAcademic papers, open science, freedom of research, are part of our core. Cybersecurity needs to adapt to this,\u201d L\u00fcders notes. \u201cWe have 200,000 devices on our network that are BYOD.\u201d How then does the adaptation of cyber protection apply? \u201cIt\u2019s called defense in depth,\u201d explains the CISO. \u201cWe can\u2019t install anything on these end devices because they don\u2019t belong to us, (\u2026) but we have network monitoring.\u201d In this way, even without direct access to each device, the security team is warned when something is being done against the center\u2019s policies, both at the level of cybersecurity and of inappropriate use, such as employing the technology CERN provides for private interests.<\/p>\n<p>These measures also extend to obsolete systems, which the organization is able to accommodate because its network is resilient enough that even if one piece of equipment is compromised, it won\u2019t damage any other CERN systems. The legacy technology problem extends to the equipment needed for the physics experiments being performed at the center. \u201cThese are protected by dedicated networks, which allows the network protection to kick in and protect them against any kind of abuse,\u201d L\u00fcders explains. 
On IoT-connected devices not designed with cybersecurity in mind, \u201ca problem for all industries,\u201d L\u00fcders is blunt: \u201cYou will never get security in IoT devices.\u201d His solution is to connect them to restricted network segments where they are not allowed to communicate with anything else, and then define the destinations with which they can communicate.<\/p>\n<h2 class=\"wp-block-heading\" id=\"general-framework\">General framework<\/h2>\n<p>This is part of a larger challenge: aligning the IT and OT sides so that security continuity is established throughout the organization. It is a challenge addressed through centralization. \u201cToday the OT part, the control systems at CERN, are using IT virtualization,\u201d explains L\u00fcders. \u201cThe strategy is to bring IT and control people together so that the control people can use the IT services to their advantage. From the technology department, a central system is provided with different functionalities for operations, as well as for other areas of the organization, accessible through a single point of entry. \u201cThat\u2019s the power of centralization.\u201d This system also includes new tools such as LLM-based AI tools, for which a working group is in place to find the best way to employ them. \u201cWe are facing a big discovery and, later on, we will centralize it through a central IT service. And that\u2019s how we do it with all technologies.\u201d<\/p>\n<p>Just as the subjects they research at CERN are evolving, so is their IT governance framework. This has been keeping up with industry developments, Bell explains, hand in hand with audits that allow it to operate according to best practice. \u201cThe governance part is becoming more formal. 
In general, everything was well organized; it was just a matter of standardizing it and developing policy frameworks around it.\u201d Despite these standards, the result is far from rigid, Bell explains, citing a recent cybersecurity audit in which CERN was assessed against one of the international standards, an exercise that improved its level of maturity. \u201cWe are adopting a fairly flexible IT governance policy, learning from the experience of others in adopting industry standards.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>There are few research institutions in the world with the size and scope of the European Organization for Nuclear Research, CERN. Founded in 1954 by 12 European countries, the European Laboratory for Elementary Particle Physics is located in the Swiss town of Meyrin, in the canton of Geneva, although its facilities extend along the Franco-Swiss border. 
Among them is the Large Hadron Collider (LHC), the&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15386\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15386","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15386"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15386\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}