Data Security In Laboratory Environments
Introduction
The integrity of all spectroscopy-related data has never been more important than it is today. In many cases, nuclear measurements are legal documents that must be readily retrievable many years after the data has been collected and the analysis performed. Additionally, the manager of a laboratory might find the integrity of the data, the quality of the analysis and the qualifications of technicians heavily challenged if sample assays are ever part of a legal proceeding. The likelihood of this happening is increasing as the political climate turns more hostile towards nuclear activity. Therefore, the spectroscopy system must offer a means to archive data in an efficient/secure format for easy retrieval, but it must also control access to prohibit operations from being performed by unqualified personnel.
If your current counting system does not have the ability to control or eliminate activities such as the following, disaster could happen at any time:
- A quasi-knowledgeable electronics tech just can't keep his hands off the knobs of the detector electronics.
- A bored night shift worker decides to "surf" the nuclide libraries and accidentally changes an abundance from 1% to 10%, resulting in under-reported activities for that nuclide.
- An employee who got a bad performance review takes out revenge on the lab by exiting the spectroscopy application and re-formatting the system's hard disk - then immediately leaves for an early retirement with your most recent system backup tape.

Figure 1.
The VMS based Genie-ESP system combined with computer-controlled ICB NIM offers complete security of the front end subsystem and the host computer environment.
Even if none of these types of security breaches ever happen, how do you prove to an auditor that they can't happen, or at least can't happen without being detected? While not as catastrophic as the last scenario, the first two breaches are much more subtle and can affect the results of many sample counts before being detected. Therefore, protection is needed from both the casual and malicious intruder to ensure data integrity.
The required level of security that a spectroscopy system must have varies from site to site and depends, in part, on how secure the laboratory is in which the system is located. However, all labs must be able to prove to their customers and auditors that detector calibrations and sample analyses have been performed and approved by qualified individuals. Also, proof is needed that detectors have been properly calibrated prior to samples being counted on them. It is imperative that the spectroscopy computer be able to control access to counting and system management functions which require specialized expertise and to detectors that may be temporarily out of service or uncalibrated for a particular type of sample.
A laboratory manager may have complete faith in all of his/her employees, but an outside auditor cannot operate on this premise. The auditor must be able to compare individual personnel training records to spectroscopy functions that each person is assigned to perform. These functions include, but are not limited to: collecting and preparing samples, calibrating and performing quality assurance measurements on detectors, making any needed adjustments to detector electronics, counting and storing background spectra, counting and analyzing samples, editing nuclide libraries and source certificate files, and approval of the results of the above functions.
How Secure Does My System Need To Be?
This is a very reasonable question and one each laboratory must answer based on its own needs. In determining your required level of security, the first consideration is why your samples are being counted. If the analysis relates to worker/public safety, radioactive waste characterization for disposal, or weapons non-proliferation, then security is essential. These are the types of analyses that cause the most public concern and are the most likely to land a lab manager in a heated courtroom discussion over the integrity of his lab's data.
The second consideration is based on the individual laboratory environment and site security policies. Some labs have relatively secure count rooms and may employ card key access or security cameras. These types of security measures certainly minimize risk to the spectroscopy system from non-count room personnel, but they don't necessarily secure the counting application from accidental or intentional misuse. In reviewing the lab's security requirements, the following types of questions should be answered:
- Will unauthorized personnel, possibly with malicious intent, have access to the equipment?
- Do access limits need to be placed on certain functions requiring special knowledge or expertise?
- What level of security is required/expected by the site and any internal or external customers and auditors?
- If your system is connected to a network, or even worse - a modem, what is the likelihood that someone from outside your area will find your system worthy of "hacking"?
If you are the only user of a non-networked computer system in a secure laboratory, you probably have very few security concerns. At the other extreme, many spectroscopy systems are in use 24 hours a day by two or three shifts of people and are part of a site-wide network. With so many people having access to the spectroscopy computer, data security becomes much more important.
What Security Solutions are Available?
The Canberra Genie family of computer-based Multichannel Analyzers has a number of solutions to the various types of security breaches that can occur in count rooms, or even in portable field assay applications. The family comprises systems that run on the Genie-PC, Genie 2000 and Genie-ESP platforms. Since the Genie-PC and Genie 2000 platforms offer similar security features, they can be grouped together to simplify future discussions. Genie-ESP runs on the OpenVMS operating system and includes the highest level of security available for spectroscopy applications.
Table 1 shows how the three kinds of security problems that were described earlier can be dealt with. The solutions to the problems will be discussed separately.
In some laboratories, all three types of problems may exist. Table 1 shows that the Genie-ESP platform is required in this case. Most labs should at least be concerned with problems 1 and 2, and may select any of the Genie family platforms to correct these security problems dependent upon which best meets the requirements of the application.

Table 1.
Genie Family Security Solutions
Solution 1: Computer-Controlled Detector Electronics
The simplest way to deal with temptation is to get rid of it - out of sight, out of mind! Canberra's computer-controlled Instrument Control Bus (ICB) NIM electronics, Alpha Analyst, portable InSpector systems, and neutron counter electronics such as the JSR-14 and 2150 extend this basic security concept to the electronics that interface detectors to their respective analyzers. By eliminating the front panel controls, there is virtually no way for someone to casually or intentionally turn a knob or flip a switch and ruin the detector's calibration. It's as if the electronics, themselves, were locked in a safe.
Using ICB NIM as an example, Figure 2 shows a comparison between a standard, manually controlled Spectroscopy Amplifier and an ICB model with similar specifications. The ICB Amplifier has informational lights and cable connectors, but the knobs and switches are not present. As Figure 3 shows, the various parameter settings are accessed via the MCA View Control Window in the Genie Spectroscopy Assistant. Adjustments are made with the mouse via push buttons and scrollbars. ICB High Voltage Bias Supplies, Analog-to-Digital Converters and Digital Signal Processors have a similar appearance to the Spectroscopy Amplifier and are adjusted in the same manner.

Figure 2.
Left: Traditional NIM amplifier with manually adjustable knobs and dials.
Right: Front Panel of a comparable ICB NIM model with all computer control.

Figure 3.
Adjustment Screen for ICB Amplifier Parameters.
In some cases, taking the knobs off of the electronics still doesn't offer the level of security required by a counting application because someone could just go over to the computer and "fix" them. The Genie software handles this problem by allowing the system manager to control which users can and cannot make adjustments to the NIM parameters. Designating users with the privilege to adjust the electronics requires a Counting Application Package such as PROcount on the Genie-PC and Genie 2000 platforms, but is a standard part of the Genie-ESP software. See Figure 4 for an example of how the ability to adjust ICB NIM, and other important privileges, can be granted or denied to a particular user simply by the system manager clicking on appropriate check boxes.

Figure 4.
Security Editor for Genie-ESP Spectroscopy Assistant.
The results of spectra that are collected and analyzed by Genie systems are stored in Configuration Access Method (CAM) files. Not only do these files include descriptive sample information, raw channel data and analysis results, they also include pertinent calibration, source certificate and nuclide library information. As an aid to keeping track of all the various ICB NIM parameter settings, the value of each parameter is stored in the CAM file along with the rest of the sample count data. Even the serial numbers of the modules in use at the time of the count are stored. This can be particularly valuable if a sample count needs to be verified by a recount using the same NIM set up in the same way as the original count. Having the serial numbers of the modules stored also acts as proof that once a detector and NIM set is calibrated, it is not changed for subsequent counts. It is easy to print out all the settings and serial numbers from an individual sample count and compare them to the settings from the last calibration run to prove nothing has changed in the system. Tracking all this manually is time consuming and subject to error. A detailed discussion of these and other ICB NIM features can be found in the Canberra Application Note entitled "Programmable Signal Processing Electronics, and Its Benefits in Nuclear Counting Systems."
While the above discussion centered on ICB NIM, the feature of having the electronics settings stored in CAM files also applies to the other Canberra computer-controlled electronics (Alpha Analyst, InSpector, neutron counters). The ability to control who can change the electronics settings is also provided by the corresponding counting application package which is needed to operate the equipment.
Solution 2: Counting Application Packages
With the electronics taken care of, it's time to move on to the application itself. Canberra has a number of Counting Application Packages to support the counting of samples, people, waste containers - almost anything imaginable. Packages are frequently added to the product line as additional applications are identified. Many of the applications are supported on both the PC (Genie-PC, Genie 2000) and OpenVMS (Genie-ESP) platforms, but Genie-ESP tends to focus more on the count room where the higher performance and multi-user features of Alpha processors and OpenVMS can best be used for increased sample throughput and system security. All applications requiring system portability are offered on the PC platform.
Table 2 provides a listing of Canberra's Counting Application Packages. Literature is available which describes the applications in more detail. Each package in the Table is given a security ranking of either 1 or 2. Packages with a ranking of 1 take advantage of the security features of OpenVMS plus have additional features built-in. Those packages with a ranking of 2 only have the built-in security features. While all packages are capable of working with Canberra's computer-controlled electronics, some are specifically designed for use with certain computer-controlled instrumentation. Packages which support instrumentation that has computer-control as a standard feature are designated with an S in the Computer Control column. The other packages have an O in the column meaning they optionally support manual or computer-controlled electronics specific to the application.

Table 2.
Counting Application Packages*
* Consult factory for availability of the packages on the Genie 2000 platform.
Legend:
Security Ranking: 1 = Full OpenVMS operating system security
Security Ranking: 2 = Application level security protection only
Computer Control: S = Computer controlled electronics – standard
Computer Control: O = Computer controlled electronics – optional
The packages listed in Table 2 cover a wide range of counting applications, and the ability to employ them on such a large variety of computer processors/operating systems is unmatched in the industry. Although the applications vary, Canberra's approach to protecting the integrity of each is consistent through the use of password protected menus that control access to all counting functions. Each package is provided with default menus for various levels of technical ability ranging from system manager to count room technician, but the menus can easily be edited by the system manager to meet individual lab requirements. Passwords, while highly recommended, are optional for each different menu.
Figure 5 shows how the menu presentation is different for two different types of users. Note that the system manager has access to all of the functions, but menu selections which may be inappropriate for the technician such as Calibration and System Maintenance do not even appear and, thus, cannot be used. This same concept applies to menus that are more than one level deep. Again, menus can be tailored at any time as deemed necessary by the system manager. Figure 6 gives an example of the security editor used in conjunction with PROcount-ESP. Once the particular user is selected, privileges can be granted or denied just by clicking on a check box. While security editors may differ somewhat from one package to another, the functionality of adding or removing sensitive menu selections is the same for each.


Figure 5.
Example Menus for a Technician (top) and a System Manager (bottom).

Figure 6.
Security Editor for PROcount-ESP.
By having unique, password-protected menus on the spectroscopy system for each employee (or each level of expertise), the lab manager can prove to auditors, customers or jurors that less experienced personnel are denied access to the functions requiring a higher level of training than they possess. For example, a newly hired technician's menu could be limited to entering sample information and initiating sample counts. As the technician's knowledge and experience increase, the menu choices could be extended to include detector calibration and quality assurance functions. The laboratory manager could retain the sole capability to perform all system management responsibilities and calibration/analysis approvals.
However, an orderly, menu-driven interface for the spectroscopy system offers much more value to the user than just a means to make audits less lengthy and painful. Counting time is an extremely valuable commodity in most laboratories. Having to recount a source or a sample because the original count was performed incorrectly (wrong sample or no sample in the shield, sample counted at the wrong distance from the detector face, etc.) is a waste of this commodity. If the sample is disposed of before the error is recognized, a recount will not even be possible unless additional raw material is available from which to generate another sample. While Canberra's Genie family of Counting Application Packages cannot force a user to place the sample on the correct detector, it can at least instruct the user to choose a detector that is not already counting and has been properly calibrated for the particular sample's geometry. In addition, the menu interfaces guide the user through the various data input steps of each counting or calibration function to minimize confusion and maximize sample throughput.
Another security feature which is incorporated into Counting Application Packages such as PROcount, Gamma and Alpha Analyst and the Countroom Analysis System is the log file. The log file mechanism acts like a watchdog for the application by tracking what spectroscopy functions have been performed and at what time. If a problem occurs during a counting process, the log file can be reviewed to determine when the error may have occurred and a possible solution to prevent the error from happening again. Once the contents of the file are no longer needed, they can be deleted to save disk space, and the file will continue to collect data.
Collecting reliable, defensible spectroscopy data is the major task of any counting laboratory, but it is not the only task. If the data can't be retrieved at some later time, who's to say that it ever existed? Two features of the Genie family which help in this regard are the CAM file format (discussed previously) and Detector Quality Assurance software packages.
The CAM file format is used by all Genie systems to store spectroscopy data and includes all data components required to perform a recalibration of the sample's detector or reanalysis of the spectrum should this ever become necessary. Having all the data in one file greatly simplifies data archival and retrieval. If you need to recall something as simple as who counted a particular sample three years ago or which nuclide library was used for analysis, all you need to know is the name of the sample file. Since all Canberra Genie systems use CAM files, data collected on one type of system can be analyzed on any other type.
While Detector Quality Assurance software does not make a system more secure, it does make the storage and retrieval of essential detector QA records much easier. Like the CAM file, the QAF or Quality Assurance File produced by the software includes all the QA data for a particular detector/geometry combination. The data can be used for bounds comparisons to make sure the detector's energy, FWHM, efficiency, and background parameters are within specification and for historical trending to make sure the parameters are not becoming biased over time. In addition to storing the data, the software performs the statistical analysis and bounds tests, and generates the trend plots. Therefore, hand graphing of detector QA data is completely unnecessary. Any desired CAM parameter can be monitored (including serial numbers of ICB NIM to make sure the modules haven't changed between calibrations), and the user can even manually enter information such as count room temperature and humidity for trending purposes. All the Genie platforms have an optional Detector Quality Assurance Package which can be tied into the various Counting Application Packages. (See Figures 4, 5 and 6.) The product menus include options to initiate a QA count and automatically transfer the results into the QA file. Other menu selections are available to view and analyze the data.
The Operating System - Where Security Begins
Solutions 1 and 2 describe security features that Canberra has built into its computer-controlled detector electronics and application software. These features are layered on top of any available operating system security employed by the computer on which the software runs. As Table 1 shows, the most secure spectroscopy environment is provided by Genie-ESP and OpenVMS. However, most of the various types of spectroscopy systems on the market are based on the Personal Computer platform. Regardless of the specific PC operating system (DOS, OS/2, or any of the numerous flavors of Microsoft Windows), data and system access security is not one of its strengths and may even be non-existent. Personal Computers, as the name implies, were designed as a platform for individuals to do work. Sharing them, which is typically necessary in a count room environment, requires that all parties trust one another because all data on the system is accessible to anyone using it.
Some PCs today have a few built-in security features such as:
- A locking sliding door that covers the power button and floppy drive.
- Sensors that tell if the system's cover has been removed.
- A password that must be entered when the system is turned on.
- The ability to password protect the floppy drive so files can't be copied to it.
While these features may give some assurance that a system has not been tampered with while the owner is away, they offer little protection to a system that is up and running 24 hours a day and/or in use by a number of people. The use of a network operating system such as Novell, Warp Server, Pathworks or Windows NT Server adds a degree of security to a PC-based spectroscopy system. At least, critical files can be protected by copying them from the laboratory PC to a more secure Server PC or OpenVMS system. However, a network operating system solution may not be desirable in that it adds the expense and management responsibilities of an additional computer that would not be needed otherwise.
As has been discussed, Canberra provides password protected menus for various Personal Computer based applications through Genie-PC and Genie 2000 Counting Application Packages. (See Table 2.) These packages offer varying degrees of customization and provide the ability to create a number of different menus for various levels of user technical ability. Without doubt, they offer much more flexibility of control than simply password protecting all access to various detectors on a go, no-go basis. However, PCs do not afford the ability to force a person to use a menu. While a user who only has basic menu privileges cannot perform system manager functions from his menu, there is nothing to stop a knowledgeable user from doing anything he wants outside of the menu. Spectroscopy, and other types of functions, can be performed manually without the need for a menu. And of course, FORMAT C:, the most powerful system management command of all, can be run without using any menu.
Absolute computer system security may not be a requirement of all laboratories due to other security measures that may be in place or to a perceived lack of threat. However, many labs appreciate the value of a secure computer environment which can withstand the attack of a malicious intruder and can keep a user from straying from an application by forcing him to use a specified menu. For these laboratories, the Genie-ESP spectroscopy platform based on the OpenVMS operating system is the perfect solution.
Solution 3: OpenVMS Security - The Ultimate in Application Protection
Digital Equipment Corporation calls OpenVMS a bullet-proof, 24 hour by 365 days a year operating system. However, the company is not alone in touting its security. The United States National Computer Security Center (NCSC) first granted DEC the C2 security rating for VMS version 4.3 back in 1988. DEC has since been granted the C2 rating for OpenVMS VAX version 6.1 and an even more secure B1 rating for a special security enhanced version of the operating system. Testing is ongoing of current OpenVMS versions on both the VAX and Alpha platforms to maintain the C2 and B1 ratings.
A C2 (or Division C, class 2) environment is one that meets the United States Department of Defense Trusted Computer System Evaluation Criteria. The combination of the computer hardware and operating system must include the following capabilities:
- Access controls that can identify individual or groups of users.
- User accountability through login procedures that are specific for each user.
- Auditing of security relevant events.
- Isolation of data in memory and on disk devices so the data is protected from other users and erased before the resources are reused.
Each OpenVMS System, regardless of model or price, includes the C2 security features. The system manager is free to make use of as many of the features as he sees fit.
Since OpenVMS is a multi-user operating system, meaning that numerous people can access a single computer at the same time via separate terminals, much tighter security is needed than on a Personal Computer to keep the users from interfering with each other. To this end, OpenVMS uses the Reference Monitor Concept to protect computer resources from unwarranted access by unauthorized users. The concept consists of four elements which interact with each other to provide the necessary data security. The elements are:
- Subjects
- Objects
- Authorization Database
- Audit Trail
Subjects are the actual users, or the batch jobs submitted by them, to obtain data. Objects are any computer resource which contain, or provide access to, data. These include files, directories, disks, any peripheral device, memory and batch/print queues. The Authorization Database is a matrix of Subjects and the Objects which each has the privilege to use. The Audit Trail, similar to the log file mentioned previously, is a record of all attempts by Subjects to gain access to Objects.
It is easy to visualize the Reference Monitor Concept by imagining a room full of various types of parcels (Objects). The room has only one door, and an armed security guard (Reference Monitor) stands at that door. People (Subjects) needing to get a particular parcel queue up at the door, show their identification to the guard and state what item they need. The guard compares the name to a list of items each person is entitled to receive (Authorization Database). If the name and privilege coincide, the guard gives the person the requested item. If not, the guard sends the user on his way empty handed. To complete the transaction, the guard writes down what transpired with each request (Audit Trail) and can even alert the security manager if a request is considered to be threatening. With OpenVMS, the system manager can control how strenuously the "guard" performs his duties. Maybe some items aren't to be restricted at all (a general use disk drive or directory), or the Audit Trail should only be maintained for certain types of security sensitive transactions (each dialup attempt from a modem connected to one of the computer's serial ports). However, an alarm might need to be triggered directly at the system manager's terminal after a certain number of unsuccessful login attempts from any source as this suggests an intruder could be trying to guess someone's password.
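The guard-at-the-door model above can be written out as a small program. This is an added example, not Canberra or OpenVMS code: the account names, object names, the limit of three failed logins and the choice to always record denials are assumptions made for illustration, and the password check itself is left to the caller.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_LOGIN_FAILURES = 3  # assumed threshold chosen by the system manager


@dataclass(frozen=True)
class AuditRecord:
    time: str
    subject: str
    obj: str
    action: str
    granted: bool


class ReferenceMonitor:
    """Single gate between Subjects and Objects (the guard at the door)."""

    def __init__(self, authorizations, unrestricted=(), audited=()):
        self.authorizations = authorizations   # Authorization Database
        self.unrestricted = set(unrestricted)  # objects open to any session
        self.audited = set(audited)            # objects whose every access is logged
        self.audit_trail = []                  # Audit Trail
        self.alarms = []                       # messages for the system manager
        self.sessions = set()
        self.failures = {}
        self.locked = set()

    def _audit(self, subject, obj, action, granted):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_trail.append(AuditRecord(stamp, subject, obj, action, granted))

    def login_attempt(self, account, authenticated):
        """Record a login; `authenticated` is the result of the password check."""
        granted = authenticated and account not in self.locked
        self._audit(account, "LOGIN", "login", granted)
        if granted:
            self.failures[account] = 0
            self.sessions.add(account)
            return True
        if not authenticated:
            self.failures[account] = self.failures.get(account, 0) + 1
            if self.failures[account] == MAX_LOGIN_FAILURES:
                self.locked.add(account)
                self.alarms.append(
                    f"{account}: {MAX_LOGIN_FAILURES} failed logins, account locked")
        return False

    def logout(self, account):
        self.sessions.discard(account)

    def request(self, subject, obj, action):
        """Decide one access request and record it where the policy requires."""
        if subject not in self.sessions:
            granted = False                    # no login, no access
        elif obj in self.unrestricted:
            return True                        # open to all sessions, not audited
        else:
            granted = action in self.authorizations.get(subject, {}).get(obj, set())
        if not granted or obj in self.audited:
            self._audit(subject, obj, action, granted)
        return granted

    def unlock(self, manager, account):
        """Unlocking is itself a mediated write to the authorization file."""
        if not self.request(manager, "UAF", "write"):
            return False
        self.locked.discard(account)
        self.failures[account] = 0
        return True


def build_demo_monitor():
    # Constructed sample policy: a technician and a laboratory manager.
    authorizations = {
        "TECH1": {"SAMPLE_COUNTS": {"read", "write"}, "NUCLIDE_LIBRARY": {"read"}},
        "LABMGR": {
            "SAMPLE_COUNTS": {"read", "write"},
            "NUCLIDE_LIBRARY": {"read", "write"},
            "UAF": {"read", "write"},
        },
    }
    return ReferenceMonitor(authorizations, unrestricted={"SCRATCH_DISK"},
                            audited={"NUCLIDE_LIBRARY", "UAF"})


if __name__ == "__main__":
    rm = build_demo_monitor()
    rm.login_attempt("TECH1", True)
    rm.request("TECH1", "NUCLIDE_LIBRARY", "write")   # denied and audited
    for _ in range(MAX_LOGIN_FAILURES):
        rm.login_attempt("TECH2", False)               # third failure raises the alarm
    for record in rm.audit_trail:
        print(record)
    print(rm.alarms)
```

The technician can read the nuclide library but the attempted edit is refused and leaves an audit record, which is the control that answers the "surfing the nuclide libraries" scenario from the introduction.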
The Reference Monitor comes into play as soon as any user tries to log into an OpenVMS system. When a PC is booted, the user is typically presented immediately with a Desktop interface that provides access to all of the computer's resources. However, a user must log into his "account" on an OpenVMS system prior to gaining any further access to the computer. The account may be an individual account for use by one person, or a general, task oriented account such as one used by a number of technicians for counting samples. The login is done by typing the name of the account and, optionally, one or two passwords of up to 32 characters. Once this is accomplished, the user still doesn't have access to the entire computer - just the resources granted by the system manager. Although resources such as files and directories can be shared by groups of users via their individual accounts, each user may be provided with his own protected directory at the discretion of the manager. A login command procedure automatically sets up the user's computer environment with the approved resource access privileges each time the user logs in. Of course, each user should log out of his account when he is finished working to protect it from use by unauthorized personnel.
A major source of the information described above as the Authorization Database is found in the User Authorization File (UAF). The UAF includes a unique record for each account, and an example record is shown in Figure 7. The record is created when the account is initiated by the system manager and can be edited by the manager as necessary to add or remove privileges. The record includes, among other parameters: the name of the account and the user name, the one or two passwords (not shown for security reasons), the length of time before a new password must be employed, the minimum number of characters for a password, the number of times a login attempt can fail before access to the account is locked (to be unlocked only by the system manager), the days of the week and hours in which the account can be used, an expiration date for the account if appropriate, the default user directory and any disk or memory usage limitations the account may have. There are thirty-nine different privileges which may be granted to the account and which affect the user's ability to gain access to various computer resources. The privileges are issued as either default, available upon login, or authorized, available upon request for a single session. The system manager account record shown in Figure 7 has been given all the privileges. However, they should be given conservatively to user accounts based on the need and skill to use them.

Figure 7.
Example User Authorization File for a System Manager.
When a user logs into his account, he is free to use all the privileges granted him by the system manager. In the count room environment, that means he can type computer commands, start the Genie-ESP Spectroscopy Assistant or enter one of the Genie-ESP Counting Application Packages. As was stated earlier, the features the user can access in both the Spectroscopy Assistant and the application packages can be limited as appropriate. (See Figures 4 and 6.) However, this may still offer too much flexibility to the user in certain situations. The system manager may want a particular user, or group of users, to have access only to the application package menu and nothing else. OpenVMS provides this option through the "captive account". With a captive account, the user logs in as usual, but is immediately presented with the Counting Application Package menu appropriate to his level of expertise. The only choices are those provided by the menu. Upon exiting the menu, the captive account then logs off, and the user is completely isolated from any other part of the application. The captive account is an extremely powerful feature, and should be used whenever tight restrictions on computer/application access are merited.
A Few Final Words on Passwords and Backups
No discussion of security would be complete without a brief mention of the importance of passwords and system backups. The most elaborate security system can easily be foiled if the users do not respect the importance of passwords, and a system backup is the last defense against data loss or corruption through careless/malicious behavior or system failure.
Passwords: Passwords are not always needed, especially for application menus or accounts with no dangerous privileges. But if required, passwords should not be shared beyond the immediate group that must have access to the menu or account. The more people who have access to a password, the more frequently it should be changed. OpenVMS focuses a lot of attention on password maintenance, and even provides an application to generate them for the user. OpenVMS also has the ability to refuse the choice of a password that has already been used or might be easy to guess based on a comparison to a system dictionary.
The following are a few guidelines on how to protect password integrity which can be used on any computer system:
- Do not use a simple, obvious password such as your account/menu name, your name, that of a family member or a word which can easily be associated with you or your site. Also, don't use a word which could easily be copied by a casual observer (such as qwerty).
- Do not use words from a dictionary. Dictionaries can be used by password cracking programs for trial and error attempts at breaking into an account or menu.
- Do not use the same password in multiple places. An intruder might discover the password on a relatively powerless account or menu, but then will certainly try the same password on other accounts, menus or computer systems.
- Do use a combination of letters and numbers in the password. Use at least 6 characters and preferably closer to 10. (OpenVMS allows up to 32.)
- Change your password every 3 to 6 months, monthly if the password is shared. Obviously, site requirements should be followed if they are more restrictive. Never reuse an old password.
- Always log out or exit the account or menu when work is done.
- If you have any reason to suspect the integrity of your password, change it immediately.
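The checkable guidelines in this list (length, letters plus numbers, no account or personal words, no dictionary words, no reuse) can be enforced when a password is set. The following is an added example, not the OpenVMS password screening code: the word list, the account name and the sample passwords are constructed, and the history is kept as salted PBKDF2 hashes so that old passwords are never stored in readable form.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 6    # "at least 6 characters" from the guidelines above
MAX_LENGTH = 32   # the OpenVMS limit quoted above

# Constructed stand-in for a system dictionary.
DICTIONARY = {"password", "qwerty", "welcome", "detector", "spectrum"}


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Remembers earlier passwords as salted hashes, never as plaintext."""

    def __init__(self):
        self._entries = []  # list of (salt, digest) pairs

    def add(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))

    def contains(self, password):
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._entries)


def check_password(candidate, account, personal_words, history):
    """Return the list of guidelines the candidate breaks (empty means accepted)."""
    problems = []
    lowered = candidate.lower()

    if not MIN_LENGTH <= len(candidate) <= MAX_LENGTH:
        problems.append("length")

    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        problems.append("needs letters and numbers")

    # Account/menu name, user name, family names, site names and the like.
    related = {account.lower()} | {w.lower() for w in personal_words}
    if any(word and word in lowered for word in related):
        problems.append("account or personal word")

    # Compare with digits and punctuation stripped, so that adding "1"
    # to a dictionary word does not get it past the check.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in DICTIONARY or letters_only in DICTIONARY:
        problems.append("dictionary word")

    if history.contains(candidate):
        problems.append("reused")

    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    history.add("tr1tium-Vault88")  # constructed earlier password
    for pw in ("qwerty", "Qwerty1", "tech1pass9", "tr1tium-Vault88", "k7mq2vx9rd"):
        print(pw, check_password(pw, "TECH1", ["Smith"], history))
```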
Backups: Even with the best security measures in place, files are sometimes deleted accidentally; and there is always the possibility that a privileged menu or account will be left open for access by someone intent on doing damage. Current disk drives have Mean Time Between Failure (MTBF) rates as high as 500000 to 800000 powered on hours making disk failure of little concern to most users. However, premature disk failure is possible if the computer system will be exposed to an environment with one or more of the following: poor quality power, excessive vibrations, magnetic fields, excessive heat and/or humidity. For these reasons, backing up critical data on backup media or to another secure computer on the network is the best way to assure the data will always be available.
While the process may be time consuming, operating systems and application packages can be restored from their original media. However, counting data is irreplaceable if lost before it has been archived. Each of the Counting Application Packages assists with the archival of count data. The best practice is to archive count data and to also perform a complete system backup periodically dependent upon how frequently system parameters change. All media should be placed in a safe location. This precaution allows the system to be returned to its original state in as little time as possible and also serves as an effective disk defragmentation procedure.
Conclusion
Canberra has a solution to virtually any data security problem that may exist in the count room. The tools are provided through computer-controlled electronics and a wide range of Counting Application Packages to customize the security environment to almost any degree. The result is better data integrity and streamlined operations through the use of specialized menus for each supported application. The benefit is an efficient counting environment which can better defend itself from the scrutiny of auditors, customers and, if necessary, courts.
