What s new in PI System Security?

Transcription

1 What s new in PI System Security? Presented by Brian Bostwick Kevin Geneva

2 The Seven Most Dangerous New Attack Techniques SANS: Alan Paller, Ed Skoudis, Michael Assante, Johannes Ullrich 1. Ransomware 2. IoT Attack Platforms 3. Ransomware + IoT 4. Control System Attacks 5. Weak cryptography 6. Ad-hoc Web Services 7. Threats on NoSQL DB 2

3 OSIsoft Security Mindset Security champions in all facets of OSIsoft Ethical disclosure for software vulnerabilities Incident response readiness Independent ratings and verification

4 OSIsoft Security Mindset Security champions in all facets of OSIsoft Ethical disclosure for software vulnerabilities Incident response readiness Independent ratings and verification

5 Baseline PI System Security Use the PI Security Audit Tool to assess and improve PI System defenses. ID Server Validation Result Severity Message Category Area AU10001 CP-VM1 Domain Membership Check Fail Severe Machine is not a member of an AD Domain. Machine Domain AU10002 CP-VM1 Operating System SKU Fail Severe The following product is used: Server Standard Machine Operating System AU20002 CP-VM1 PI Admin Trusts Disabled Fail Severe The piadmin user can be assigned to a trust. PI System PI Data Archive AU20004 CP-VM1 Edit Days Fail Severe EditDays not specified, using non-compliant default of 0. PI System PI Data Archive AU10004 CP-VM1 AppLocker Enabled Fail Moderate AppLocker is not configured to enforce. Machine Policy AU20001 CP-VM1 PI Data Archive Table Security Fail Moderate The following databases present weaknesses: PIBatch; PIBATCHLEGACY; PICampaign; PIDBSEC; PIDS; PIHeadingSets; PIModules; PITransferRecords; PIUSER. PI System PI Data Archive AU20009 CP-VM1 PI Data Archive SPN Check Fail Moderate The Service Principal Name does NOT exist or is NOT assigned to the correct Service Account. PI System PI Data Archive AU10005 CP-VM1 UAC Enabled Fail Low Recommended UAC feature ValidateAdminCodeSignatures disabled. Machine Policy AU10003 CP-VM1 Firewall Enabled Pass N/A Firewall enabled. Machine Policy PI Data Archive SubSystem AU20003 CP-VM1 Versions Pass N/A Version is compliant PI System PI Data Archive AU20005 CP-VM1 Auto Trust Configuration Pass N/A Tuning parameter compliant: Create the trust entry for the loopback IP address PI System PI Data Archive AU20006 CP-VM1 Expensive Query Protection Pass N/A Using the compliant default of 260. PI System PI Data Archive AU20007 CP-VM1 Explicit login disabled Pass N/A Using compliant policy: All authentication options enabled. PI System PI Data Archive AU20008 CP-VM1 piadmin is not used Pass N/A No Trust(s) or Mapping(s) identified as weaknesses. PI System PI Data Archive

6 Top Three DHS ICS-CERT Weaknesses 1. Boundary Protection: Architecture issues including ICS discoverable on the internet 2. Least Functionality: Unnecessary open ports 3. Authenticator Management: Simple passwords and lack of encryption

7 Boundary Protection with the PI System Transmission & Distribution SCADA Critical Systems Limits direct access to critical systems while expanding the value use of information. Plant DCS PLCs Infrastructure Environmental Systems Other critical operations systems Security Perimeter Reduce the risks on critical systems

8 Undesirable Topology a) PI Connector Servers Node x b) PI Connector/ Connector PI Interface Node x PI Servers PI Servers Control Network DMZ Enterprise Network 8

9 Today s Workaround PI Connector/ Connector PI Interface Node PI Server PI to PI Interface PI Servers PI Servers PI Server Security Control Network DMZ PI Server Security Enterprise Network 9

10 PI Connector Relay PI Connector Relay Node PI Servers PI Servers Control Network Certificates DMZ PI Server Security Enterprise Network 10

11 PI System Connector Deployment Source PI System PI System Connector PI Connector Relay Destination PI System (1 or More) Site1 PI 3 Security PI Points Real-time Data Site2 Site3 PI 3 Security PI 3 Security Certificates/ Encryption PI 3 Security Elements Templates Plant DMZ Corporate 11

12 Claims Authentication protects Active Directory Advanced Security in PI Coresight 2016 R2 and PI WebAPI 2017 Login using an external Identity Provider No need to expose corporate AD credentials PI Coresight OpenID Connect Claims ID Provider Active Directory PI Server PI3, WCF Business Network Business Partner/Cloud/Mobile Network 12

13 Least Functionality Server Core PI Server Recommended on Windows Server Core Less installed, less running, No GUI applications Fewer open ports Less patching Less Maintenance Lower TCO. More Secure Microsoft Mechanics. "Exploring Nano Server for Windows Server 2016 with Jeffrey Snover." Online video clip. YouTube, 10 Feb. 2016

14 Least Functionality Architecture Browser Based Thin Client with PI Vision Server Less installed, less running Less patching Less Maintenance Lower TCO. More Secure

15 PI Interfaces New options for securing Data Source Read PI Interface Input Write Output Operating System 15

16 PI Interfaces New options for securing Data Source Read PI Interface Input Write X X Output White list Operating System New Features: 1. Least privileges 2. Read-only and read-write 3. White list output points 16

17 PI Interfaces: Hardened and Read Only Hardened PI Interface for ESCA HABConnect Alarms and Events PI Interface for Cisco Phone PI Interface for ESCA HABConnect PI to PI Interface PI Interface for CA ISO ADS Web Service PI Interface for IEEE C PI Interface for Performance Monitor PI Interface for Siemens Spectrum Power TG PI Interface for Relational Database (RDBMS via ODBC) PI Interface for Universal File and Stream Loading (UFL) Hardened + Read-Only Available PI Interface for Foxboro I/A 70 Series PI Interface for Metso maxdna PI Interface for Citect PI Interface for SNMP Trap PI Interface for Modbus Ethernet PLC PI Interface for OPC HDA PI Interface for GE FANUC Cimplicity HMI PI Interface for ACPLT/KS PI Interface for OPC DA 17

18 Authentication Management Use Windows Integrated Security (WIS)

19 HA Collectives: Enhanced Security Added support for Transport Security Now available in Data Archive, between HA Collective Nodes, PI SDK, AF SDK, and API 2016 for WIS All Collective members must be upgraded Implemented via Certificates You can use your own, or the one we generate for you 19

20 PI API 2016 for Windows Integrated Security Connection to PI uses Windows security only Login is over PI network port TCP 5450 Active Directory is recommended but not required 20

21 Goal: Encrypted Data with WIS PI Interface PI Server Workgroup Buffer runs as.\student01 s OPC Interface runs as.\opc Domain Buffer has mapping OPC Interface uses trust 21

22 Goal: Encrypted Data with WIS PI Trust PI Mapping IP Addr + App Name PI Identity Windows Account = PI Identity 22

23 Goal: Encrypted Data with WIS PI Interface PI Server Install PI API 2016 Follow KB 1457 s Windows Credential Manager 23

24 DEMO 24

25 Key PI System Security Resources

26 Infrastructure Hardened PI System Global. Trusted. osisoft 26

27 What is Infrastructure Hardened? Extremely Reliable Well Tested Proven Capability Trusted Security Development Lifecycle Process Training Requirements Design Implementation Verification Release Response 27

28 Actions with your Security Mindset Protect your boundaries Use strong authentication and least privileges Baseline and prioritize 28

29 Contact Information Brian Bostwick Cyber Security Market Principal OSIsoft, LLC Kevin Geneva Systems Engineer OSIsoft, LLC 29

30 Questions Please wait for the microphone before asking your questions Please remember to Complete the Online Survey for this session State your name & company osisoft 30

31 Thank You