Challenge: Harden the PI System against cyber threats. Copyr i ght 2014 O SIs oft, LLC.

Size: px

Start display at page:

Download "Challenge: Harden the PI System against cyber threats. Copyr i ght 2014 O SIs oft, LLC."

Alicia Stevens
6 years ago
Views:

1 1

2 Challenge: Harden the PI System against cyber threats Presented by Bryan S. Owen PE

3 4: Least Privileges 3

4 Hmmm. How do we get started? 4

5 Knowledge Base Step by Step 5

6 Excellent! We are just getting started. What else should we know? 6

7 Learning from history Steelmaking Very expensive prior to 1860 s knives, swords, armor, etc. Engineering innovation Now basic to the world industrial economy

Hardened in Development Steel Fe, C, Mn, Ni, Cr, etc Heat treating Software Input validation, Least privilege SDL process Code PI Server Version SDL Defense Pointer Encoding /Analyze PR1 3.4.375.

8 Hardened in Development Steel Fe, C, Mn, Ni, Cr, etc Heat treating Software Input validation, Least privilege SDL process Code PI Server Version SDL Defense Pointer Encoding /Analyze PR WIS Future Adhoc Heap corruption detection 100% Safe function migration 80% Linker SEHOP (*) Win Win Win Win /SAFESEH (*) 100% 100% 100% 100% /DYNAMICBASE (ASLR) Win Win Win /NXCOMPAT (*) Win 2003 SP1+ Win 2003 SP1+ Win 2003 SP1+ /GS Compiler /GS V2 /GS V2 /GS V2 /GS V3 Compiler Version VC VC SP1 VC SP1 VC SP1 Windows Server Core Win Win 2008 R2 Win 2008 R2+ Platform Native x64 (*) Supported Supported Supported Supported 8

9 Hardened in Deployment Epoxy coated pipe Connection Tunnels Windows Advanced Firewall PINET Traffic Connection Security Rules TCP 5450 PI Data Archive 9

10 Build Complimentary Knowledge Domains Software Development System Integration Operational Excellence Security Research 10

11 Early days of Cyber Hardening 11

12 Ideas based on physical security Portable Media Floppy disks CDROM WORM Flash (R/W) Mobile Devices (R/W) 12

13 Physical and logical hybrids PLC5 Key Switch Program Run Remote Remote Program Remote Test Remote Run 13

14 Security is Evolving Logical Hybrid Physical 14

15 Software Based Hardening 15

16 Hardening Objectives Maintain a sustainable system Increase difficulty of cyber breach Increase detection capability Reduce consequences 16

17 HD Moore s Law Corollary: Metasploit won t tell you you ve done enough but it just might prove if you haven t. 17

18 Cyber Security (301) - 5 days 18

19 Cyber Attack Simulations 19

Apr. 29, 2014 9:00pm EDT Registration closes Wed. Apr.

20 US Cyber Challenge Infrastructure/Application Security Challenge (April): Date Description Wed. Apr. 2, :00am EDT Registration opens Wed. Apr. 16, :00am EDT Quiz opens Tue. Apr. 29, :00pm EDT Registration closes Wed. Apr. 30, :59pm EDT Quiz closes 20

21 Hardening is hard Technical dependencies Platform and network Application stack System integration Critical information Operational mission Cyber criminal methods Bogus configuration Software vulnerability Post exploitation and pivoting Data exfiltration Command and control 21

Subscription Model* Hardened Virtual Images* NIST +

22 IT Security Baselines Microsoft Products Free Download Multi-Platform + Device Limited Free Download Subscription Model* Hardened Virtual Images* NIST + FISMA Multi-Platform + Device Free and Government Only Download 22

23 Before you start A single mistake can result in total system failure Test on virtual machines Harden before acceptance testing and commissioning Verify hardening in maintenance testing 23

24 Call to Action 24

25 Hardened Image Challenge Series Project Hard Rock PI Internal OSIsoft Challenge Create virtual images in Azure Prizes! Enable security features Operating system PI System 25

26 26

27 ACDC Omar Mohsen Jupiter Marcos Vainer Loeff Black Crowes Derek Endres Metallica Dan Brooks & Ram Kathiresan 27

28 Top 4 and More ACDC Black Crowes Jupiter Metallica Applocker Firewall Input Rules Firewall Output Rules Server Core 28

29 Applocker OSIsoft Publisher Rule 29

30 Windows Firewall 30

31 Server Core GUI is add/remove feature as of Windows Server 2012 Eg. Add the management GUI without full desktop: Install-WindowsFeature -name Server-Gui-Mgmt-Infra 31

32 Least Privilege Data Archive ACDC Black Crowes Jupiter Metallica Authentication Policy Disabled piadmin Audit trail Configuration Changes Buffering & Interface Service Hardening 32

33 Recommended Authentication Policy API trusts can be disabled for servers without classic interfaces. Eg. Receiving all data from PI Cloud Connect 33

34 Extra, Extra ACDC Black Crowes Jupiter Metallica PI Security Audit Baseline Security Analyzer Security Compliance Manager EMET 34

35 Security Compliance Manager Windows 2012 Server Baseline 215 Critical Items! 35

36 EMET 36

37 What about the grand prize? 37

38 Hard Rock PI Omar Mohsen OSIsoft Bahrain 38

39 Summary: Hard Rock PI Increases domain knowledge Transforms learning and advice Strengthens collaboration 39

40 Brought to you by

41 Bryan Cyber Security Manager OSIsoft, LLC 41

Cyber Threats: What Should I Do to Harden my PI System?

Cyber Threats: What Should I Do to Harden my PI System? Presented by Vadim Sizykh Omar Mohsen 2 4: Least Privileges 3 Hmmm How do we get started? 4 Knowledge Base Step by Step 5 Excellent! We are just