© Copyright 2017 OSIsoft, LLC. USERS CONFERENCE 2017 #OSIsoftUC

What’s new in PI System Security?

Presented by Brian Bostwick and Kevin Geneva

The Seven Most Dangerous New Attack Techniques
(SANS: Alan Paller, Ed Skoudis, Michael Assante, Johannes Ullrich)

1. Ransomware
2. IoT Attack Platforms
3. Ransomware + IoT
4. Control System Attacks
5. Weak cryptography
6. Ad-hoc Web Services
7. Threats on NoSQL DB

OSIsoft Security Mindset

• Security champions in all facets of OSIsoft
• Ethical disclosure for software vulnerabilities
• Incident response readiness
• Independent ratings and verification


Baseline PI System Security

Use the PI Security Audit Tool to assess and improve PI System defenses.

| ID | Server | Validation | Result | Severity | Message | Category | Area |
| --- | --- | --- | --- | --- | --- | --- | --- |
| AU10001 | CP-VM1 | Domain Membership Check | Fail | Severe | Machine is not a member of an AD Domain. | Machine | Domain |
| AU10002 | CP-VM1 | Operating System SKU | Fail | Severe | The following product is used: Server Standard | Machine | Operating System |
| AU20002 | CP-VM1 | PI Admin Trusts Disabled | Fail | Severe | The piadmin user can be assigned to a trust. | PI System | PI Data Archive |
| AU20004 | CP-VM1 | Edit Days | Fail | Severe | EditDays not specified, using non-compliant default of 0. | PI System | PI Data Archive |
| AU10004 | CP-VM1 | AppLocker Enabled | Fail | Moderate | AppLocker is not configured to enforce. | Machine | Policy |
| AU20001 | CP-VM1 | PI Data Archive Table Security | Fail | Moderate | The following databases present weaknesses: PIBatch; PIBATCHLEGACY; PICampaign; PIDBSEC; PIDS; PIHeadingSets; PIModules; PITransferRecords; PIUSER. | PI System | PI Data Archive |
| AU20009 | CP-VM1 | PI Data Archive SPN Check | Fail | Moderate | The Service Principal Name does NOT exist or is NOT assigned to the correct Service Account. | PI System | PI Data Archive |
| AU10005 | CP-VM1 | UAC Enabled | Fail | Low | Recommended UAC feature ValidateAdminCodeSignatures disabled. | Machine | Policy |
| AU10003 | CP-VM1 | Firewall Enabled | Pass | N/A | Firewall enabled. | Machine | Policy |
| AU20003 | CP-VM1 | PI Data Archive SubSystem Versions | Pass | N/A | Version is compliant | PI System | PI Data Archive |
| AU20005 | CP-VM1 | Auto Trust Configuration | Pass | N/A | Tuning parameter compliant: Create the trust entry for the loopback IP address 127.0.0.1 | PI System | PI Data Archive |
| AU20006 | CP-VM1 | Expensive Query Protection | Pass | N/A | Using the compliant default of 260. | PI System | PI Data Archive |
| AU20007 | CP-VM1 | Explicit login disabled | Pass | N/A | Using compliant policy: All authentication options enabled. | PI System | PI Data Archive |
| AU20008 | CP-VM1 | piadmin is not used | Pass | N/A | No Trust(s) or Mapping(s) identified as weaknesses. | PI System | PI Data Archive |
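As an added example that is not part of the deck or of OSIsoft's audit tool, the Python script below triages a report like the one above: it parses the rows (constructed here from the CP-VM1 results on the slide, in a pipe-separated layout that is an assumption, not the tool's native export), ranks failing checks by severity, counts failures per area, and flags checks that regressed from Pass to Fail against an earlier baseline run.

```python
from collections import Counter

# Severity order used to rank failing checks (N/A is what the tool reports for passes).
SEVERITY_RANK = {"Severe": 0, "Moderate": 1, "Low": 2, "N/A": 3}

# Constructed sample: CP-VM1 rows from the slide, pipe-separated, in the report's
# column order (ID, Server, Validation, Result, Severity, Message, Category, Area).
AUDIT_REPORT = """\
AU10001|CP-VM1|Domain Membership Check|Fail|Severe|Machine is not a member of an AD Domain.|Machine|Domain
AU10002|CP-VM1|Operating System SKU|Fail|Severe|The following product is used: Server Standard|Machine|Operating System
AU20002|CP-VM1|PI Admin Trusts Disabled|Fail|Severe|The piadmin user can be assigned to a trust.|PI System|PI Data Archive
AU20004|CP-VM1|Edit Days|Fail|Severe|EditDays not specified, using non-compliant default of 0.|PI System|PI Data Archive
AU10004|CP-VM1|AppLocker Enabled|Fail|Moderate|AppLocker is not configured to enforce.|Machine|Policy
AU20001|CP-VM1|PI Data Archive Table Security|Fail|Moderate|The following databases present weaknesses: PIBatch; PIBATCHLEGACY; PICampaign; PIDBSEC; PIDS; PIHeadingSets; PIModules; PITransferRecords; PIUSER.|PI System|PI Data Archive
AU20009|CP-VM1|PI Data Archive SPN Check|Fail|Moderate|The Service Principal Name does NOT exist or is NOT assigned to the correct Service Account.|PI System|PI Data Archive
AU10005|CP-VM1|UAC Enabled|Fail|Low|Recommended UAC feature ValidateAdminCodeSignatures disabled.|Machine|Policy
AU10003|CP-VM1|Firewall Enabled|Pass|N/A|Firewall enabled.|Machine|Policy
AU20008|CP-VM1|piadmin is not used|Pass|N/A|No Trust(s) or Mapping(s) identified as weaknesses.|PI System|PI Data Archive
"""

FIELDS = ("id", "server", "validation", "result", "severity", "message", "category", "area")

def parse_report(text):
    """Parse pipe-separated rows into dicts; rows with the wrong field count are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def prioritize(rows):
    """Failing checks, most severe first; ties keep the report's order (sort is stable)."""
    fails = [r for r in rows if r["result"] == "Fail"]
    return sorted(fails, key=lambda r: SEVERITY_RANK.get(r["severity"], 99))

def fails_by_area(rows):
    """How many failing checks fall in each area (e.g. 'PI Data Archive', 'Policy')."""
    return Counter(r["area"] for r in rows if r["result"] == "Fail")

def regressions(baseline, current):
    """Check IDs that passed in the baseline run but fail now: drift to fix first."""
    base = {r["id"]: r["result"] for r in baseline}
    return sorted(r["id"] for r in current
                  if r["result"] == "Fail" and base.get(r["id"]) == "Pass")
```

Feed it the current and a stored earlier report to see which findings are new since the last baseline rather than re-reading the whole list.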

Top Three DHS ICS-CERT Weaknesses

1. Boundary Protection: architecture issues including ICS discoverable on the internet
2. Least Functionality: unnecessary open ports
3. Authenticator Management: simple passwords and lack of encryption

Boundary Protection with the PI System

[Diagram: critical systems (environmental systems, plant DCS, transmission & distribution SCADA, PLCs, other critical operations systems) sit inside a security perimeter; the PI System infrastructure sits outside it.]

Security Perimeter: limits direct access to critical systems while expanding the value and use of information.

Critical Systems: reduce the risks on critical systems.

Undesirable Topology

[Diagram: three zones, Control Network, DMZ and Enterprise Network. (a) A Connector Node in the control network connected directly to PI Servers in the enterprise network, marked x. (b) A PI Connector/PI Interface node connected directly to PI Servers, marked x.]

Today’s Workaround

[Diagram: in the Control Network, a PI Connector/PI Interface on a Connector Node sends to a PI Server (PI Server Security); a PI to PI Interface in the DMZ forwards to PI Servers (PI Server Security) on the Enterprise Network.]

PI Connector Relay

[Diagram: a PI Connector in the Control Network sends to a Relay Node in the DMZ, secured with certificates; the relay forwards to PI Servers (PI Server Security) on the Enterprise Network.]

PI System Connector Deployment

[Diagram: Source PI Systems at Site1, Site2 and Site3 (Plant, PI 3 Security) run the PI System Connector, which sends through the PI Connector Relay in the DMZ (certificates/encryption) to one or more Destination PI Systems (Corporate, PI 3 Security). Transferred: PI Points, real-time data, Elements, Templates.]

Advanced Security in PI Coresight 2016 R2 and PI WebAPI 2017

• Login using an external Identity Provider
• No need to expose corporate AD credentials

[Diagram: Business Network: PI Coresight talks to the PI Server over PI3/WCF and to Active Directory. Business Partner/Cloud/Mobile Network: users authenticate to an ID Provider via OpenID Connect and present claims to PI Coresight.]

Claims Authentication protects Active Directory

Least Functionality – Server Core

PI Server – Recommended on Windows Server Core

• Less installed, less running, no GUI applications
• Fewer open ports
• Less patching
• Less maintenance
• Lower TCO
• … more secure

Source: Microsoft Mechanics. "Exploring Nano Server for Windows Server 2016 with Jeffrey Snover." Online video clip. YouTube, 10 Feb. 2016.

Least Functionality – Architecture

Browser Based Thin Client with PI Vision Server

• Less installed, less running
• Less patching
• Less maintenance
• Lower TCO
• … more secure

PI Interfaces – New options for securing

[Diagram: a PI Interface running on the operating system reads from and writes to a Data Source; input points flow in and output points flow out. In the second version of the diagram a white list gates the output points, and writes outside it are marked x.]

New Features:
1. Least privileges
2. Read-only and read-write
3. White list output points

PI Interfaces: Hardened and Read Only

| Hardened | Hardened + Read-Only Available |
| --- | --- |
| PI Interface for ESCA HABConnect Alarms and Events | PI Interface for Foxboro I/A 70 Series |
| PI Interface for Cisco Phone | PI Interface for Metso maxDNA |
| PI Interface for ESCA HABConnect | PI Interface for Citect |
| PI to PI Interface | PI Interface for SNMP Trap |
| PI Interface for CA ISO ADS Web Service | PI Interface for Modbus Ethernet PLC |
| PI Interface for IEEE C37.118 | PI Interface for OPC HDA |
| PI Interface for Performance Monitor | PI Interface for GE FANUC Cimplicity HMI |
| PI Interface for Siemens Spectrum Power TG | PI Interface for ACPLT/KS |
| PI Interface for Relational Database (RDBMS via ODBC) | PI Interface for OPC DA |
| PI Interface for Universal File and Stream Loading (UFL) | |

Authentication Management

Use Windows Integrated Security (WIS)

HA Collectives: Enhanced Security

Added support for Transport Security
• Now available in Data Archive, between HA Collective Nodes, PI SDK, AF SDK, and API 2016 for WIS
• All Collective members must be upgraded

Implemented via Certificates
• You can use your own, or the one we generate for you

PI API 2016 for Windows Integrated Security

• Connection to PI uses Windows security only
• Login is over PI network port TCP 5450
• Active Directory is recommended but not required

PI Interface – Goal: Encrypted Data with WIS

[Diagram: a PI Interface node sending to a PI Server.]

Workgroup:
• Buffer runs as .\student01
• OPC Interface runs as .\OPC

Domain:
• Buffer has mapping
• OPC Interface uses trust

PI Trust vs. PI Mapping – Goal: Encrypted Data with WIS

• PI Trust: IP address + application name → PI Identity
• PI Mapping: Windows account = PI Identity

PI Interface – Goal: Encrypted Data with WIS

[Diagram: a PI Interface node sending to a PI Server.]

• Install PI API 2016
• Follow KB 1457
• Windows Credential Manager

DEMO


Key PI System Security Resources

https://pisquare.osisoft.com/groups/security

https://www.youtube.com/user/OSIsoftLearning/

https://techsupport.osisoft.com/Troubleshooting/PI-System-Cyber-Security

“Infrastructure Hardened” PI System

Global. Trusted. Sustainable.

What is “Infrastructure Hardened”?

• Extremely Reliable
• Well Tested
• Proven Capability

“Trusted”: Security Development Lifecycle Process
Training → Requirements → Design → Implementation → Verification → Release → Response

Actions with your Security Mindset

• Protect your boundaries
• Use strong authentication and least privileges
• Baseline and prioritize

Contact Information

Brian Bostwick, Cyber Security Market Principal, OSIsoft, LLC

Kevin Geneva, Systems Engineer, OSIsoft, LLC

Questions

Please wait for the microphone before asking your questions, and state your name & company.

Please remember to complete the online survey for this session: http://bit.ly/uc2017-app

Thank You