Which is more secure, EPICS or TANGO?

I am new to TANGO but I have done a lot of work with EPICS. Now I want to know which is the best DCS, either an EPICS-based DCS or a TANGO-based DCS, with respect to cyber security and other functionalities. Is there any report regarding their differences (EPICS / TANGO)? What are the security benefits of a TANGO-based DCS?

Thanks


Azra
Hi Azra,

there have been a number of studies comparing EPICS and TANGO in the past years. I do not know of any recent ones i.e. in the last 2 years. But seeing as the two systems have not evolved so much the studies are still valid. Basically the two systems differ in their approach to how to model the control points. EPICS has a channel approach (in V3) and a micro-service approach (in V4). TANGO has an object oriented approach with all control points being modeled as Devices, Commands and Attributes. You can find a presentation on the concepts of TANGO in these slides [1]. Once you have decided on which approach is suited to your needs / preferences you make your choice.

What do you mean by cyber-security? Access via internet or intranet? Encrypted or unencrypted? TANGO has a filtering mechanism called the TAC which allows you to filter on uid+gid on the same network, i.e. behind a firewall. If you need access via internet, TANGO offers a REST interface which supports https and the usual security offered by Tomcat. You can also mirror the devices you need to expose so that not all devices are exposed to the internet.

If you need secure access on the intranet then you probably need another solution. AFAIK neither of these systems offers this. To add this to TANGO would need quite some work. It would depend on whether you need this for READ or WRITE or both.

Hope this helps

Andy
Sir Andy
Thanks for your kind reply. Sir, the TCP/IP protocol is exposed to any other user without permission, e.g. an EPICS PV can be accessed by all users present on the net. I want a secure solution for data communication on the net. Is there any solution present in TANGO or CORBA for this type of security? I need secure data communication. Please, is there any solution for such a problem?

Thanks Sir.

Azra
Hi Azra,
I think the short answer is that neither system has a solution for security in the sense I think you mean. However, in their chosen environment, both systems have operated successfully on many big systems for years and so they appear to have managed their risks. In case you aren't aware of it, there have been a number of workshops in this area at ICALEPCS:


Both EPICS and Tango have systems to manage non-deliberate threats - Andy mentioned the Tango TAC system, and EPICS has Channel Access Security. However, neither of these is secure - they just reduce the possibility of accidental or non-technical abuse. Typically both manage true security risks by containment - EPICS is typically set up to be only mostly read-only outside a local subnet, and more critical systems don't allow routing onto critical subnets. Tango can be managed in a similar way.

Going forward, at SKA we are trying to work out how to manage security in a reasonable way. All user interfaces and access from outside the controls network will be web based, and we will have standard security layers there. Now Tango is looking to have pluggable network drivers, a security layer could possibly be implemented there (but as Andy says, it wouldn't be simple). We are also looking at a fully containerised implementation with one Tango Server per container, so some aspects of security could be managed at the container level. However, like other scientific control systems, the SKA system will be modified frequently with a limited work-force, and so we have to trade off security against other qualities of the system. The security architecture we chose must not impact other, more scientifically important aspects of the system.
Nick Rees
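
An added example, not part of the thread or of EPICS itself: a small audit of an EPICS Channel Access Security file (ACF) that reports access security groups whose WRITE rules are not limited by a user group (UAG) or host group (HAG), the kind of "mostly read-only" policy described in the reply above. The sample ACF, its user and host names, and the `audit_acf` helper are constructed for illustration; the parser covers only the UAG/HAG/ASG/RULE subset of the syntax and ignores INP/CALC conditions.

```python
import re

# Constructed sample ACF; user, host and group names are invented.
SAMPLE_ACF = """
UAG(operators) { alice, bob }
HAG(controlroom) { opi01, opi02 }
ASG(DEFAULT) {
    RULE(1, READ)                      # anyone may read
    RULE(1, WRITE) {                   # write: named users on named hosts
        UAG(operators)
        HAG(controlroom)
    }
}
ASG(TUNING) {
    RULE(1, READ)
    RULE(1, WRITE)                     # write with no restriction at all
}
ASG(VACUUM) {
    RULE(1, WRITE) { UAG(operators) }  # user list but no host list
}
"""

# Either an ASG header or a RULE with an optional (brace-free) body.
TOKEN = re.compile(
    r"\bASG\(\s*(?P<asg>\w+)\s*\)"
    r"|\bRULE\(\s*\d+\s*,\s*(?P<perm>\w+)[^)]*\)\s*(?P<body>\{[^}]*\})?"
)

def audit_acf(text):
    """Return (asg, problem) pairs for WRITE rules lacking UAG/HAG limits."""
    text = re.sub(r"#.*", "", text)    # strip comments
    findings, asg = [], None
    for m in TOKEN.finditer(text):
        if m.group("asg"):
            asg = m.group("asg")       # rules that follow belong to this ASG
            continue
        if m.group("perm") != "WRITE":
            continue
        body = m.group("body") or ""
        has_uag, has_hag = "UAG(" in body, "HAG(" in body
        if not has_uag and not has_hag:
            findings.append((asg, "no UAG/HAG restriction"))
        elif not has_hag:
            findings.append((asg, "no HAG (host) restriction"))
        elif not has_uag:
            findings.append((asg, "no UAG (user) restriction"))
    return findings

if __name__ == "__main__":
    for asg, problem in audit_acf(SAMPLE_ACF):
        print(f"ASG {asg}: WRITE rule has {problem}")
```
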