© Copyright 2017 OSIsoft, LLC | USERS CONFERENCE 2017 | #OSIsoftUC @osisoft
What’s new in PI System Security?
Presented by Brian Bostwick and Kevin Geneva
The Seven Most Dangerous New Attack Techniques
1. Ransomware
2. IoT Attack Platforms
3. Ransomware + IoT
4. Control System Attacks
5. Weak cryptography
6. Ad-hoc Web Services
7. Threats on NoSQL DB
Source: SANS (Alan Paller, Ed Skoudis, Michael Assante, Johannes Ullrich)
OSIsoft Security Mindset
• Security champions in all facets of OSIsoft
• Ethical disclosure for software vulnerabilities
• Incident response readiness
• Independent ratings and verification
Baseline PI System Security
Use the PI Security Audit Tool to assess and improve PI System defenses.

ID | Server | Validation | Result | Severity | Message | Category | Area
AU10001 | CP-VM1 | Domain Membership Check | Fail | Severe | Machine is not a member of an AD Domain. | Machine | Domain
AU10002 | CP-VM1 | Operating System SKU | Fail | Severe | The following product is used: Server Standard | Machine | Operating System
AU20002 | CP-VM1 | PI Admin Trusts Disabled | Fail | Severe | The piadmin user can be assigned to a trust. | PI System | PI Data Archive
AU20004 | CP-VM1 | Edit Days | Fail | Severe | EditDays not specified, using non-compliant default of 0. | PI System | PI Data Archive
AU10004 | CP-VM1 | AppLocker Enabled | Fail | Moderate | AppLocker is not configured to enforce. | Machine | Policy
AU20001 | CP-VM1 | PI Data Archive Table Security | Fail | Moderate | The following databases present weaknesses: PIBatch; PIBATCHLEGACY; PICampaign; PIDBSEC; PIDS; PIHeadingSets; PIModules; PITransferRecords; PIUSER. | PI System | PI Data Archive
AU20009 | CP-VM1 | PI Data Archive SPN Check | Fail | Moderate | The Service Principal Name does NOT exist or is NOT assigned to the correct Service Account. | PI System | PI Data Archive
AU10005 | CP-VM1 | UAC Enabled | Fail | Low | Recommended UAC feature ValidateAdminCodeSignatures disabled. | Machine | Policy
AU10003 | CP-VM1 | Firewall Enabled | Pass | N/A | Firewall enabled. | Machine | Policy
AU20003 | CP-VM1 | PI Data Archive SubSystem Versions | Pass | N/A | Version is compliant | PI System | PI Data Archive
AU20005 | CP-VM1 | Auto Trust Configuration | Pass | N/A | Tuning parameter compliant: Create the trust entry for the loopback IP address 127.0.0.1 | PI System | PI Data Archive
AU20006 | CP-VM1 | Expensive Query Protection | Pass | N/A | Using the compliant default of 260. | PI System | PI Data Archive
AU20007 | CP-VM1 | Explicit login disabled | Pass | N/A | Using compliant policy: All authentication options enabled. | PI System | PI Data Archive
AU20008 | CP-VM1 | piadmin is not used | Pass | N/A | No Trust(s) or Mapping(s) identified as weaknesses. | PI System | PI Data Archive
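As an added example (not from the slides or from the PI Security Audit Tool itself), a Python script that triages a report in this layout the way the deck's "baseline and prioritize" action suggests: failures ranked by severity, grouped by area for the owning team, plus a per-server pass rate to re-measure after remediation. The CSV rows are constructed from the CP-VM1 results above (Message column omitted); that a CSV export uses exactly these column names is an assumption.

```python
"""Triage PI Security Audit Tool findings: rank failures, group by area, track a baseline pass rate."""
import csv
import io
from collections import defaultdict

# Constructed sample in the audit tool's column layout; rows are the CP-VM1 results on the slide.
AUDIT_CSV = """ID,Server,Validation,Result,Severity,Category,Area
AU10001,CP-VM1,Domain Membership Check,Fail,Severe,Machine,Domain
AU10002,CP-VM1,Operating System SKU,Fail,Severe,Machine,Operating System
AU20002,CP-VM1,PI Admin Trusts Disabled,Fail,Severe,PI System,PI Data Archive
AU20004,CP-VM1,Edit Days,Fail,Severe,PI System,PI Data Archive
AU10004,CP-VM1,AppLocker Enabled,Fail,Moderate,Machine,Policy
AU20001,CP-VM1,PI Data Archive Table Security,Fail,Moderate,PI System,PI Data Archive
AU20009,CP-VM1,PI Data Archive SPN Check,Fail,Moderate,PI System,PI Data Archive
AU10005,CP-VM1,UAC Enabled,Fail,Low,Machine,Policy
AU10003,CP-VM1,Firewall Enabled,Pass,N/A,Machine,Policy
AU20003,CP-VM1,PI Data Archive SubSystem Versions,Pass,N/A,PI System,PI Data Archive
AU20005,CP-VM1,Auto Trust Configuration,Pass,N/A,PI System,PI Data Archive
AU20006,CP-VM1,Expensive Query Protection,Pass,N/A,PI System,PI Data Archive
AU20007,CP-VM1,Explicit login disabled,Pass,N/A,PI System,PI Data Archive
AU20008,CP-VM1,piadmin is not used,Pass,N/A,PI System,PI Data Archive
"""

SEVERITY_RANK = {"Severe": 0, "Moderate": 1, "Low": 2}

def parse_findings(text):
    """One dict per report row, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))

def prioritized_failures(findings):
    """Failed checks only, most severe first; ties broken by ID so the order is stable."""
    fails = [f for f in findings if f["Result"] == "Fail"]
    return sorted(fails, key=lambda f: (SEVERITY_RANK.get(f["Severity"], 99), f["ID"]))

def failures_by_area(findings):
    """Map each Area to its failed check IDs in priority order, for hand-off to the owning team."""
    grouped = defaultdict(list)
    for f in prioritized_failures(findings):
        grouped[f["Area"]].append(f["ID"])
    return dict(grouped)

def pass_rate(findings):
    """Fraction of checks passing per server: the baseline number to re-measure after fixes."""
    totals = defaultdict(lambda: [0, 0])
    for f in findings:
        totals[f["Server"]][1] += 1
        totals[f["Server"]][0] += f["Result"] == "Pass"
    return {server: round(passed / total, 2) for server, (passed, total) in totals.items()}
```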
Top Three DHS ICS-CERT Weaknesses
1. Boundary Protection: architecture issues, including ICS discoverable on the internet
2. Least Functionality: unnecessary open ports
3. Authenticator Management: simple passwords and lack of encryption
Boundary Protection with the PI System
[Diagram: a Security Perimeter separates the Critical Systems (Environmental Systems, Plant DCS, Transmission & Distribution SCADA, PLCs, other critical operations systems) from the Infrastructure. The perimeter limits direct access to critical systems while expanding the value use of information, reducing the risks on critical systems.]
Undesirable Topology
[Diagram: two undesirable topologies, (a) and (b), spanning Control Network, DMZ and Enterprise Network. In both, a Connector Node (PI Connector / PI Interface) in the control network reaches PI Servers in the enterprise network directly; the crossed-out links mark the direct connections to avoid.]
Today’s Workaround
[Diagram: Control Network, DMZ and Enterprise Network. The Connector Node (PI Connector / PI Interface) writes to a PI Server in the DMZ, and a PI to PI Interface forwards from there to the PI Servers in the enterprise network; each hop is protected by PI Server Security.]
PI Connector Relay
[Diagram: the PI Connector in the Control Network sends to a Relay Node in the DMZ, which forwards to the PI Servers in the Enterprise Network; the relay path is protected by PI Server Security and Certificates.]
PI System Connector Deployment
[Diagram: Source PI Systems at Site1, Site2 and Site3 (Plant) send PI Points, Real-time Data, Elements and Templates through a PI System Connector to a PI Connector Relay in the DMZ, which delivers to one or more Destination PI Systems (Corporate). PI 3 Security applies on each PI System; Certificates/Encryption protect the relay path.]
Advanced Security in PI Coresight 2016 R2 and PI WebAPI 2017
• Login using an external Identity Provider
• No need to expose corporate AD credentials
[Diagram: in the Business Network, PI Coresight talks to the PI Server (PI3, WCF) and to Active Directory; users on a Business Partner/Cloud/Mobile Network log in through a Claims ID Provider using OpenID Connect.]
Claims Authentication protects Active Directory
Least Functionality – Server Core
PI Server – Recommended on Windows Server Core
Less installed, less running, no GUI applications
Fewer open ports
Less patching
Less maintenance
Lower TCO
... more secure
Source: Microsoft Mechanics. "Exploring Nano Server for Windows Server 2016 with Jeffrey Snover." Online video clip. YouTube, 10 Feb. 2016
Least Functionality – Architecture
Browser Based Thin Client with PI Vision Server
Less installed, less running
Less patching
Less maintenance
Lower TCO
... more secure
PI Interfaces – New options for securing
[Diagram: the PI Interface runs on an Operating System and connects to a Data Source, reading inputs and writing outputs; output points pass through a white list.]
New Features:
1. Least privileges
2. Read-only and read-write
3. White list output points
PI Interfaces: Hardened and Read Only
Hardened | Hardened + Read-Only Available
PI Interface for ESCA HABConnect Alarms and Events | PI Interface for Foxboro I/A 70 Series
PI Interface for Cisco Phone | PI Interface for Metso maxDNA
PI Interface for ESCA HABConnect | PI Interface for Citect
PI to PI Interface | PI Interface for SNMP Trap
PI Interface for CA ISO ADS Web Service | PI Interface for Modbus Ethernet PLC
PI Interface for IEEE C37.118 | PI Interface for OPC HDA
PI Interface for Performance Monitor | PI Interface for GE FANUC Cimplicity HMI
PI Interface for Siemens Spectrum Power TG | PI Interface for ACPLT/KS
PI Interface for Relational Database (RDBMS via ODBC) | PI Interface for OPC DA
PI Interface for Universal File and Stream Loading (UFL) |
Authentication Management
Use Windows Integrated Security (WIS)
HA Collectives: Enhanced Security
Added support for Transport Security
• Now available in Data Archive, between HA Collective Nodes, PI SDK, AF SDK, and API 2016 for WIS
All Collective members must be upgraded
Implemented via Certificates
• You can use your own, or the one we generate for you
PI API 2016 for Windows Integrated Security
• Connection to PI uses Windows security only
• Login is over PI network port TCP 5450
• Active Directory is recommended but not required
PI Interface: Goal – Encrypted Data with WIS
[Diagram: a PI Interface node connected to the PI Server.]
Workgroup: Buffer runs as .\student01; OPC Interface runs as .\OPC
Domain: Buffer has mapping; OPC Interface uses trust

PI Trust versus PI Mapping (Goal – Encrypted Data with WIS)
PI Trust: IP Addr + App Name -> PI Identity
PI Mapping: Windows Account = PI Identity

Steps (Goal – Encrypted Data with WIS)
[Diagram: a PI Interface node connected to the PI Server.]
Install PI API 2016
Follow KB 1457
Windows Credential Manager
Key PI System Security Resources
https://pisquare.osisoft.com/groups/security
https://www.youtube.com/user/OSIsoftLearning/
https://techsupport.osisoft.com/Troubleshooting/PI-System-Cyber-Security
“Infrastructure Hardened” PI System
Global. Trusted. Sustainable.
What is “Infrastructure Hardened”?
• Extremely Reliable
• Well Tested
• Proven Capability
“Trusted”
Security Development Lifecycle Process: Training, Requirements, Design, Implementation, Verification, Release, Response
Actions with your Security Mindset
• Protect your boundaries
• Use strong authentication and least privileges
• Baseline and prioritize
Contact Information
Brian Bostwick
Cyber Security Market Principal
OSIsoft, LLC
Kevin Geneva
Systems Engineer
OSIsoft, LLC
Questions
Please wait for the microphone before asking your questions.
State your name & company.
Please remember to complete the online survey for this session: http://bit.ly/uc2017-app