Description
We present a Secure EPICS PVAccess (SPVA) deployment framework developed at SLAC to enable authenticated, encrypted and authorized access to control systems from external scientific networks. In Phase 1, SPVA has been deployed to connect HPC clients and services on SLAC’s Scientific External Network to internal PVAccess gateways supporting production accelerators.
SPVA enforces strong mutual authentication using Kerberos service principals, which establish the runtime identity of services and clients. These identities are used to request short-lived X.509 certificates from the SLAC-managed PVAccess Certificate Management Service (PVACMS). The certificates are used for TLS-secured PVAccess communication, ensuring cryptographic trust between peers.
Authorization decisions are enforced through Access Security Files (ACFs) that define PVAccess security groups (ASGs) referencing User Access Groups (UAGs) and Host Access Groups (HAGs). These groups are centrally managed in LDAPS, allowing fine-grained control based on organizational roles and host policies.
This framework provides secure, traceable access to EPICS PVs across administrative domains while maintaining compatibility with PVXS-based IOCs and tools. This abstract outlines the architectural design and operational lessons from the Phase 1 rollout, providing a model for deploying secure control system access in federated scientific computing environments.
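The ASG/UAG/HAG authorization model described above can be illustrated with a small evaluator over a file in standard EPICS access-security syntax; this is an added example, not code from SLAC or the SPVA project. It assumes group membership is written inline rather than resolved from LDAPS, ignores rule levels and CALC conditions, and uses hypothetical group, user and host names.

```python
import re

# Constructed sample ACF in standard EPICS access-security syntax.
# All group, user and host names are hypothetical.
SAMPLE_ACF = """
UAG(hpc_ops) { svc-hpc, alice }
HAG(sen_hosts) { hpc01.example.org, hpc02.example.org }
ASG(DEFAULT) {
    RULE(1, READ)
}
ASG(BEAMLINE) {
    RULE(1, READ)
    RULE(1, WRITE) {
        UAG(hpc_ops)
        HAG(sen_hosts)
    }
}
"""
RANK = {"NONE": 0, "READ": 1, "WRITE": 2}

def parse_acf(text):
    """Parse top-level UAG/HAG member lists and the rules of each ASG."""
    groups = {"UAG": {}, "HAG": {}}
    for kind, name, body in re.findall(
            r"^(UAG|HAG)\((\w+)\)\s*\{([^{}]*)\}", text, re.M):
        groups[kind][name] = {m.strip() for m in body.split(",") if m.strip()}
    asgs = {}
    for name, body in re.findall(
            r"^ASG\((\w+)\)\s*\{((?:[^{}]|\{[^{}]*\})*)\}", text, re.M):
        asgs[name] = [
            (perm, re.findall(r"UAG\((\w+)\)", cond),
                   re.findall(r"HAG\((\w+)\)", cond))
            for perm, cond in re.findall(
                r"RULE\(\s*\d+\s*,\s*(\w+)\s*\)\s*(?:\{([^{}]*)\})?", body)]
    return groups, asgs

def access(groups, asgs, asg, user, host):
    """Return the highest permission granted by any rule that matches."""
    best = "NONE"
    # An ASG name that the file does not define falls back to DEFAULT.
    for perm, uags, hags in asgs.get(asg, asgs.get("DEFAULT", [])):
        # A rule with no UAG (or HAG) clause places no limit on user (or host).
        user_ok = not uags or any(user in groups["UAG"].get(g, ()) for g in uags)
        host_ok = not hags or any(host in groups["HAG"].get(g, ()) for g in hags)
        if user_ok and host_ok and RANK.get(perm, -1) > RANK[best]:
            best = perm
    return best
```

A WRITE rule that lists both a UAG and a HAG requires the user and the host to match, so a listed user connecting from an unlisted host only receives READ.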