What's new in PI System Security?

Transcription:

What's new in PI System Security? Presented by Brian Bostwick and Kevin Geneva

The Seven Most Dangerous New Attack Techniques (SANS: Alan Paller, Ed Skoudis, Michael Assante, Johannes Ullrich)
1. Ransomware
2. IoT Attack Platforms
3. Ransomware + IoT
4. Control System Attacks
5. Weak cryptography
6. Ad-hoc Web Services
7. Threats on NoSQL DB

OSIsoft Security Mindset
- Security champions in all facets of OSIsoft
- Ethical disclosure for software vulnerabilities
- Incident response readiness
- Independent ratings and verification

Baseline PI System Security
Use the PI Security Audit Tool to assess and improve PI System defenses. Sample results for server CP-VM1:

ID | Server | Validation | Result | Severity | Message | Category | Area
AU10001 | CP-VM1 | Domain Membership Check | Fail | Severe | Machine is not a member of an AD Domain. | Machine | Domain
AU10002 | CP-VM1 | Operating System SKU | Fail | Severe | The following product is used: Server Standard | Machine | Operating System
AU20002 | CP-VM1 | PI Admin Trusts Disabled | Fail | Severe | The piadmin user can be assigned to a trust. | PI System | PI Data Archive
AU20004 | CP-VM1 | Edit Days | Fail | Severe | EditDays not specified, using non-compliant default of 0. | PI System | PI Data Archive
AU10004 | CP-VM1 | AppLocker Enabled | Fail | Moderate | AppLocker is not configured to enforce. | Machine | Policy
AU20001 | CP-VM1 | PI Data Archive Table Security | Fail | Moderate | The following databases present weaknesses: PIBatch; PIBATCHLEGACY; PICampaign; PIDBSEC; PIDS; PIHeadingSets; PIModules; PITransferRecords; PIUSER. | PI System | PI Data Archive
AU20009 | CP-VM1 | PI Data Archive SPN Check | Fail | Moderate | The Service Principal Name does NOT exist or is NOT assigned to the correct Service Account. | PI System | PI Data Archive
AU10005 | CP-VM1 | UAC Enabled | Fail | Low | Recommended UAC feature ValidateAdminCodeSignatures disabled. | Machine | Policy
AU10003 | CP-VM1 | Firewall Enabled | Pass | N/A | Firewall enabled. | Machine | Policy
AU20003 | CP-VM1 | PI Data Archive SubSystem Versions | Pass | N/A | Version is compliant | PI System | PI Data Archive
AU20005 | CP-VM1 | Auto Trust Configuration | Pass | N/A | Tuning parameter compliant: Create the trust entry for the loopback IP address 127.0.0.1 | PI System | PI Data Archive
AU20006 | CP-VM1 | Expensive Query Protection | Pass | N/A | Using the compliant default of 260. | PI System | PI Data Archive
AU20007 | CP-VM1 | Explicit login disabled | Pass | N/A | Using compliant policy: All authentication options enabled. | PI System | PI Data Archive
AU20008 | CP-VM1 | piadmin is not used | Pass | N/A | No Trust(s) or Mapping(s) identified as weaknesses. | PI System | PI Data Archive

Top Three DHS ICS-CERT Weaknesses
1. Boundary Protection: architecture issues, including ICS discoverable on the internet
2. Least Functionality: unnecessary open ports
3. Authenticator Management: simple passwords and lack of encryption

Boundary Protection with the PI System
Limits direct access to critical systems while expanding the value and use of the information. Reduce the risks on critical systems.
(Diagram: critical systems such as Transmission & Distribution SCADA, Plant DCS, PLCs, Infrastructure, Environmental Systems and other critical operations systems sit behind a Security Perimeter.)

Undesirable Topology
(Diagram labels: a) PI Connector Servers; b) PI Connector / PI Interface Node; PI Servers; zones: Control Network, DMZ, Enterprise Network.)

Today's Workaround
(Diagram labels: PI Connector / PI Interface Node; PI Server; PI to PI Interface; PI Servers; PI Server Security; zones: Control Network, DMZ, Enterprise Network.)

PI Connector Relay
(Diagram labels: PI Connector Relay Node; PI Servers; Certificates; PI Server Security; zones: Control Network, DMZ, Enterprise Network.)

PI System Connector Deployment
(Diagram: Source PI System, PI System Connector, PI Connector Relay, Destination PI System (1 or more). Labels: Site1, Site2, Site3; PI 3 Security; PI Points; Real-time Data; Certificates/Encryption; Elements; Templates; zones: Plant, DMZ, Corporate.)

Claims Authentication protects Active Directory
- Advanced Security in PI Coresight 2016 R2 and PI Web API 2017
- Login using an external Identity Provider
- No need to expose corporate AD credentials
(Diagram labels: PI Coresight; OpenID Connect; Claims; ID Provider; Active Directory; PI Server (PI3, WCF); Business Network; Business Partner/Cloud/Mobile Network.)

Least Functionality: Server Core
- PI Server recommended on Windows Server Core
- Less installed, less running, no GUI applications
- Fewer open ports
- Less patching, less maintenance, lower TCO
- More secure
Reference: Microsoft Mechanics, "Exploring Nano Server for Windows Server 2016 with Jeffrey Snover." Online video clip. YouTube, 10 Feb. 2016.

Least Functionality: Architecture
- Browser-based thin client with PI Vision Server
- Less installed, less running
- Less patching, less maintenance, lower TCO
- More secure

PI Interfaces: New options for securing
(Diagram labels: Data Source; Read; PI Interface Input; Write; Output; Operating System.)

PI Interfaces: New options for securing
(Diagram labels: Data Source; Read; PI Interface Input; Write, marked X X; Output; White list; Operating System.)
New features:
1. Least privileges
2. Read-only and read-write
3. White list output points

PI Interfaces: Hardened and Read Only
Hardened:
- PI Interface for ESCA HABConnect Alarms and Events
- PI Interface for Cisco Phone
- PI Interface for ESCA HABConnect
- PI to PI Interface
- PI Interface for CA ISO ADS Web Service
- PI Interface for IEEE C37.118
- PI Interface for Performance Monitor
- PI Interface for Siemens Spectrum Power TG
- PI Interface for Relational Database (RDBMS via ODBC)
- PI Interface for Universal File and Stream Loading (UFL)
Hardened + Read-Only Available:
- PI Interface for Foxboro I/A 70 Series
- PI Interface for Metso maxdna
- PI Interface for Citect
- PI Interface for SNMP Trap
- PI Interface for Modbus Ethernet PLC
- PI Interface for OPC HDA
- PI Interface for GE FANUC Cimplicity HMI
- PI Interface for ACPLT/KS
- PI Interface for OPC DA

Authentication Management: Use Windows Integrated Security (WIS)

HA Collectives: Enhanced Security
- Added support for Transport Security
- Now available in Data Archive, between HA Collective nodes, PI SDK, AF SDK, and PI API 2016 for WIS
- All Collective members must be upgraded
- Implemented via certificates: you can use your own, or the one we generate for you

PI API 2016 for Windows Integrated Security
- Connection to PI uses Windows security only
- Login is over the PI network port, TCP 5450
- Active Directory is recommended but not required

Goal: Encrypted Data with WIS (PI Interface to PI Server)
- Workgroup: Buffer runs as .\student01; OPC Interface runs as .\opc
- Domain: Buffer has a mapping; OPC Interface uses a trust

Goal: Encrypted Data with WIS
- PI Trust: IP address + application name grants a PI Identity
- PI Mapping: Windows account = PI Identity

Goal: Encrypted Data with WIS (PI Interface to PI Server)
- Install PI API 2016
- Follow KB 1457's Windows Credential Manager steps
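The two grant paths on the slides, a PI Trust (IP address plus application name) and a PI Mapping (Windows account equals PI identity), together with the trust weaknesses the audit tool reports (AU20002, AU20008), modeled as an added example. This is not OSIsoft code: the lookup order (mapping before trust), the identity and account names, and the weakness criteria are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Trust:          # PI Trust: IP address + application name grants a PI identity
    name: str
    network: str      # CIDR the client must come from; "0.0.0.0/0" matches any host
    app_name: str     # client executable name; "*" matches any application
    identity: str
@dataclass
class Mapping:        # PI Mapping: Windows account (DOMAIN\name) grants a PI identity
    principal: str
    identity: str

def resolve_identity(mappings: List[Mapping], trusts: List[Trust], ip: str,
                     app_name: str, windows_principal: Optional[str] = None
                     ) -> Tuple[Optional[str], Optional[str]]:
    """Return (method, identity). Assumed order: WIS mapping first, then trust,
    mirroring the slide's Domain (mapping) versus Workgroup (trust) cases.
    windows_principal is None when the client cannot use WIS; group-membership
    expansion is deliberately left out of this model."""
    if windows_principal:
        for m in mappings:
            if m.principal.lower() == windows_principal.lower():
                return "mapping", m.identity
    addr = ipaddress.ip_address(ip)
    for t in trusts:
        if addr in ipaddress.ip_network(t.network) and t.app_name in ("*", app_name):
            return "trust", t.identity
    return None, None

def weak_trusts(trusts: List[Trust]) -> List[Tuple[str, List[str]]]:
    """Flag trusts an audit check like AU20002/AU20008 would report: piadmin
    reachable via trust, or wildcards that let any host or application match."""
    findings = []
    for t in trusts:
        reasons = []
        if t.identity.lower() == "piadmin":
            reasons.append("grants piadmin")
        if ipaddress.ip_network(t.network).prefixlen == 0:
            reasons.append("matches any IP address")
        if t.app_name == "*":
            reasons.append("matches any application")
        if reasons:
            findings.append((t.name, reasons))
    return findings

# Constructed sample configuration (not taken from the slides).
SAMPLE_TRUSTS = [Trust("opc_node", "10.0.1.0/24", "OPCpE.exe", "PI-OPC-Interface"),
                 Trust("legacy_open", "0.0.0.0/0", "*", "piadmin")]
SAMPLE_MAPPINGS = [Mapping(r"CORP\svc-pibufss", "PI-Buffer")]
```

Running weak_trusts over SAMPLE_TRUSTS reports only legacy_open, which is the kind of entry the AU20002 "piadmin can be assigned to a trust" failure points at.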

DEMO

Key PI System Security Resources
- https://techsupport.osisoft.com/troubleshooting/pi-system-cyber-security
- https://www.youtube.com/user/osisoftlearning/
- https://pisquare.osisoft.com/groups/security

Infrastructure Hardened PI System. Global. Trusted. Sustainable.

What is Infrastructure Hardened?
- Extremely reliable
- Well tested
- Proven capability
- Trusted
Security Development Lifecycle process: Training, Requirements, Design, Implementation, Verification, Release, Response

Actions with your Security Mindset
- Protect your boundaries
- Use strong authentication and least privileges
- Baseline and prioritize

Contact Information
Brian Bostwick, Brian@OSIsoft.com, Cyber Security Market Principal, OSIsoft, LLC
Kevin Geneva, KGeneva@OSIsoft.com, Systems Engineer, OSIsoft, LLC

Questions
- Please wait for the microphone before asking your questions
- Please remember to complete the online survey for this session
- State your name & company
http://bit.ly/uc2017-app

Thank You