WEBG MC06 Infrastructure and Cyber Security
24 Sep 2025, 11:00 - 12:15
Chair: Miroslaw Dach (Lawrence Berkeley National Laboratory)
WEBG001
20 years (trying to) securing controls
807
Computer security is a marathon that some of us have been running for decades: trying to keep malicious actors out while not inhibiting or strongly impacting accelerator operations and data taking. This talk reviews what worked and what worked less well, and takes a view of the upcoming challenges in maintaining a fair balance between operations and “security”.
  • S. Lueders
    European Organization for Nuclear Research
Slides: WEBG001
Paper: WEBG001
DOI: 10.18429/JACoW-ICALEPCS2025-WEBG001
About:  Received: 15 Sep 2025 — Revised: 18 Sep 2025 — Accepted: 22 Oct 2025 — Issue date: 25 Nov 2025
WEBG002
HEPS control network traffic detection with deep learning techniques
813
The High Energy Photon Source (HEPS) is a low-emittance synchrotron radiation light source located in suburban Beijing. The HEPS control system encompasses both the accelerator and the beamlines. The system design principles incorporate industrial standards, a global timing system, and modular subsystems. The development of effective cybersecurity techniques for the HEPS control system is critical for enabling scientific exchange, ensuring adequate access for remote participation, and maintaining reliable equipment control, particularly in light of the increasing number of cybersecurity threats. Network traffic detection is a vital method for identifying network attacks. In this presentation, we introduce a deep learning-based network traffic detection method for the HEPS control system. First, the HEPS control system network traffic is collected and divided into sessions using five-tuple segmentation. Second, the traffic is converted into grayscale images that reflect the intrinsic characteristics of the traffic. Finally, these images are input into the deep learning algorithm to train the control system network traffic detection model, allowing the original network traffic features to be learned automatically without manual feature engineering. The proposed approach is evaluated using four commonly used metrics, and the results demonstrate that our method can effectively detect network traffic for the HEPS control system.
  • J. Wang
    Institute of High Energy Physics
  • C. Zhou, D. An, T. Yan
    Chinese Academy of Sciences
  • F. Qi
    Spallation Neutron Source Science Center, Chinese Academy of Sciences
  • J. Liu
    University of Chinese Academy of Sciences, Chinese Academy of Sciences
Slides: WEBG002
Paper: WEBG002
DOI: 10.18429/JACoW-ICALEPCS2025-WEBG002
About:  Received: 06 Sep 2025 — Revised: 08 Oct 2025 — Accepted: 04 Nov 2025 — Issue date: 25 Nov 2025
WEBG003
Centralized EPICS channel access for VDI users at NSLS-II via CA Gateway architecture
817
At NSLS-II, EPICS servers for the accelerator and beamlines reside on dedicated VLANs isolated for security and network bandwidth. Since clients must run applications within their respective networks, this poses a challenge for enabling centralized observability and control for staff with various roles. We have created a portal to access EPICS process variables (PVs) across the facility, using Virtual Desktop Infrastructure (VDI) and a dual Channel Access Gateway (CAGW) architecture on a dedicated “EPICS VDI” network. For each beamline and for the accelerator, two CAGW instances are deployed: one on the “EPICS VDI” network serving client applications, and one on the control system VLAN communicating with IOCs. The controls-side gateway bridges the isolated “Controls” network and the routable “Services” network. CAGW security enforces PVs as read-only by default, with Active Directory group membership granting beamline-specific write access. Any EPICS CA-based client can run in the VDI environment, including CS-Studio Phoebus—the primary tool enabling staff to interact with PVs across the facility from a single session. PV access via VDI removes the need to run client software in the Controls environment, reducing system exposure and improving architectural separation. CAGW deployment is automated with Ansible using templated generation of network settings, PV lists, and access rules. This approach builds on a proven accelerator-beamline communication model and has shown stable performance.
  • A. Derbenev, P. Shafer, S. Wilkins
    National Synchrotron Light Source II
Slides: WEBG003
Paper: WEBG003
DOI: 10.18429/JACoW-ICALEPCS2025-WEBG003
About:  Received: 05 Sep 2025 — Revised: 23 Sep 2025 — Accepted: 28 Oct 2025 — Issue date: 25 Nov 2025
WEBG004
TIPPSS for navigating a changing cybersecurity landscape at the Electron-Ion Collider and other scientific research facilities
821
The Electron-Ion Collider (EIC) aims to unlock the secrets of the strong nuclear force and revolutionize our understanding of the fundamental structure of visible matter. It is being built at Brookhaven National Laboratory (BNL) and could possibly be the only large collider built in the world in the next 20-30 years, during the “Age of AI”. This creates a unique opportunity for a complete AI/ML lifecycle of a large-scale, state-of-the-art scientific research facility, but also many challenges, as this lifecycle overlaps with a rapidly changing cybersecurity landscape. Standards, regulations, and guidance are likely to be released (and then possibly revised) at the same time that design, construction, and finally operations of the EIC must proceed. We present the use of the new Trust, Identity, Privacy, Protection, Safety, and Security (TIPPSS) framework from the IEEE/UL 2933 TIPPSS standard as a framework for scientific research facilities. Using the EIC as a case study, this will enable us to design and build a safe and secure infrastructure, and a robust trust and identity architecture, to protect the scientific instrument ecosystem as we enable “AI readiness” and AI/ML deployment (especially at scale) in the face of increasing cybersecurity challenges.
  • L. Nguyen, J. Jamilkowski, K. Kulmatycski
    Brookhaven National Laboratory
  • F. Hudson
    Columbia University
Slides: WEBG004
Paper: WEBG004
DOI: 10.18429/JACoW-ICALEPCS2025-WEBG004
About:  Received: 05 Sep 2025 — Revised: 25 Sep 2025 — Accepted: 29 Oct 2025 — Issue date: 25 Nov 2025
WEBG005
Cyber Secure Experimental Physics and Industrial Control System
829
Secure PVAccess (SPVA) brings production-grade cybersecurity to the Experimental Physics and Industrial Control System (EPICS) framework by encapsulating the PVAccess protocol within Transport Layer Security (TLS). It integrates X.509 certificate-based authentication with common laboratory-wide services such as Kerberos and LDAP, and delivers a full certificate authority, management, and distribution solution. Leveraging this robust authentication layer, Secure PVAccess extends the existing EPICS Security model to enforce true Process Variable (PV) access control based on verified peer identities, attributes, and connection modes. We describe the overall architecture, key design decisions, software components, current status, envisioned future capabilities, and the collaborative effort driving this initiative.
  • G. McIntyre, E. Williams, G. White
    SLAC National Accelerator Laboratory
  • I. Finch
    Science and Technology Facilities Council
  • J. Einstein-Curtis
    RadiaSoft (United States)
  • K. Kasemir
    Oak Ridge National Laboratory
  • L. Dalesio
    EPIC Consulting
  • M. Davidsaver
    Osprey Distributed Control Systems LLC
Slides: WEBG005
Paper: WEBG005
DOI: 10.18429/JACoW-ICALEPCS2025-WEBG005
About:  Received: 07 Sep 2025 — Revised: 01 Oct 2025 — Accepted: 30 Oct 2025 — Issue date: 25 Nov 2025