What's new in PI System Security? Presented by Brian Bostwick and Kevin Geneva
The Seven Most Dangerous New Attack Techniques (SANS: Alan Paller, Ed Skoudis, Michael Assante, Johannes Ullrich)
1. Ransomware
2. IoT Attack Platforms
3. Ransomware + IoT
4. Control System Attacks
5. Weak cryptography
6. Ad-hoc Web Services
7. Threats on NoSQL DB
osisoft @ 2
OSIsoft Security Mindset
- Security champions in all facets of OSIsoft
- Ethical disclosure for software vulnerabilities
- Incident response readiness
- Independent ratings and verification
Baseline PI System Security: Use the PI Security Audit Tool to assess and improve PI System defenses. Sample report:

ID | Server | Validation | Result | Severity | Message | Category | Area
AU10001 | CP-VM1 | Domain Membership Check | Fail | Severe | Machine is not a member of an AD Domain. | Machine | Domain
AU10002 | CP-VM1 | Operating System SKU | Fail | Severe | The following product is used: Server Standard | Machine | Operating System
AU20002 | CP-VM1 | PI Admin Trusts Disabled | Fail | Severe | The piadmin user can be assigned to a trust. | PI System | PI Data Archive
AU20004 | CP-VM1 | Edit Days | Fail | Severe | EditDays not specified, using non-compliant default of 0. | PI System | PI Data Archive
AU10004 | CP-VM1 | AppLocker Enabled | Fail | Moderate | AppLocker is not configured to enforce. | Machine | Policy
AU20001 | CP-VM1 | PI Data Archive Table Security | Fail | Moderate | The following databases present weaknesses: PIBatch; PIBATCHLEGACY; PICampaign; PIDBSEC; PIDS; PIHeadingSets; PIModules; PITransferRecords; PIUSER. | PI System | PI Data Archive
AU20009 | CP-VM1 | PI Data Archive SPN Check | Fail | Moderate | The Service Principal Name does NOT exist or is NOT assigned to the correct Service Account. | PI System | PI Data Archive
AU10005 | CP-VM1 | UAC Enabled | Fail | Low | Recommended UAC feature ValidateAdminCodeSignatures disabled. | Machine | Policy
AU10003 | CP-VM1 | Firewall Enabled | Pass | N/A | Firewall enabled. | Machine | Policy
AU20003 | CP-VM1 | PI Data Archive SubSystem Versions | Pass | N/A | Version is compliant | PI System | PI Data Archive
AU20005 | CP-VM1 | Auto Trust Configuration | Pass | N/A | Tuning parameter compliant: Create the trust entry for the loopback IP address 127.0.0.1 | PI System | PI Data Archive
AU20006 | CP-VM1 | Expensive Query Protection | Pass | N/A | Using the compliant default of 260. | PI System | PI Data Archive
AU20007 | CP-VM1 | Explicit login disabled | Pass | N/A | Using compliant policy: All authentication options enabled. | PI System | PI Data Archive
AU20008 | CP-VM1 | piadmin is not used | Pass | N/A | No Trust(s) or Mapping(s) identified as weaknesses. | PI System | PI Data Archive
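As an added example (not the PI Security Audit Tool's own code), the PowerShell function below re-implements four of the machine-level checks from the report above (AU10001, AU10003, AU10004, AU10005) with built-in Windows cmdlets and emits rows in the same ID/Validation/Result/Severity shape, failures first; the function name Get-PIMachineBaseline and the Moderate severity for a firewall failure (not shown on the slide) are assumptions.

```powershell
# Added example, not OSIsoft's PI Security Audit Tool: re-implements four machine-level
# checks from the audit report (AU10001, AU10003, AU10004, AU10005) with built-in cmdlets.
function Get-PIMachineBaseline {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)
    $rows = New-Object 'System.Collections.Generic.List[object]'
    function Add-Row($Id, $Validation, [bool]$Pass, $Severity, $Message) {
        $rows.Add([pscustomobject]@{ ID = $Id; Server = $ComputerName; Validation = $Validation
            Result = $(if ($Pass) { 'Pass' } else { 'Fail' })
            Severity = $(if ($Pass) { 'N/A' } else { $Severity }); Message = $Message })
    }

    # AU10001: domain membership (Severe on the slide when the node sits in a workgroup)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    Add-Row 'AU10001' 'Domain Membership Check' $cs.PartOfDomain 'Severe' $(
        if ($cs.PartOfDomain) { "Member of AD Domain $($cs.Domain)." }
        else { 'Machine is not a member of an AD Domain.' })

    # AU10003: every firewall profile (Domain/Private/Public) must be enabled.
    # Failure severity is not shown on the slide; Moderate is assumed here.
    $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
    Add-Row 'AU10003' 'Firewall Enabled' (-not $off) 'Moderate' $(
        if (-not $off) { 'Firewall enabled.' }
        else { 'Firewall disabled for profile(s): ' + ($off.Name -join ', ') })

    # AU10004: AppLocker must have at least one rule collection in enforce ('Enabled') mode;
    # a missing AppLocker module or an empty effective policy counts as not enforcing.
    $enforced = $false
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $enforced = [bool]($policy.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' })
    } catch { }
    Add-Row 'AU10004' 'AppLocker Enabled' $enforced 'Moderate' $(
        if ($enforced) { 'AppLocker is enforcing.' }
        else { 'AppLocker is not configured to enforce.' })

    # AU10005: UAC option ValidateAdminCodeSignatures (DWORD 1 = only signed binaries may elevate)
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $vacs = (Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue).ValidateAdminCodeSignatures
    Add-Row 'AU10005' 'UAC Enabled' ($vacs -eq 1) 'Low' $(
        if ($vacs -eq 1) { 'ValidateAdminCodeSignatures enabled.' }
        else { 'Recommended UAC feature ValidateAdminCodeSignatures disabled.' })

    # Failures first, Severe before Moderate before Low, so remediation can be prioritised
    $order = @{ Severe = 0; Moderate = 1; Low = 2; 'N/A' = 3 }
    $rows | Sort-Object { $order[$_.Severity] }, ID
}

Get-PIMachineBaseline | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the PI node; the Get-NetFirewallProfile and Get-AppLockerPolicy cmdlets require Windows Server 2012 / Windows 8 or later.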
Top Three DHS ICS-CERT Weaknesses
1. Boundary Protection: Architecture issues including ICS discoverable on the internet
2. Least Functionality: Unnecessary open ports
3. Authenticator Management: Simple passwords and lack of encryption
Boundary Protection with the PI System: Limits direct access to critical systems while expanding the value and use of information. Reduce the risks on critical systems.
(Diagram: critical systems such as Transmission & Distribution SCADA, Plant DCS, PLCs, Infrastructure, Environmental Systems and other critical operations systems sit behind a security perimeter.)
Undesirable Topology (diagram: (a) a PI Connector Servers node and (b) a PI Connector/PI Interface node, each marked x, reach PI Servers directly across the Control Network, DMZ and Enterprise Network.)
Today's Workaround (diagram: a PI Connector/PI Interface node feeds a PI Server in the Control Network; a PI to PI Interface relays the data through a PI Server in the DMZ to PI Servers in the Enterprise Network, with PI Server security applied at the DMZ and Enterprise Network hops.)
PI Connector Relay (diagram: a PI Connector Relay node in the DMZ, secured with certificates, forwards data to PI Servers in the Enterprise Network under PI Server security; Control Network / DMZ / Enterprise Network.)
PI System Connector Deployment (diagram: source PI Systems at Site1, Site2 and Site3 in the Plant network, each under PI 3 security, send PI Points, real-time data, Elements and Templates through a PI System Connector and a PI Connector Relay in the DMZ (certificates/encryption) to one or more destination PI Systems in the Corporate network, also under PI 3 security.)
Claims Authentication protects Active Directory
- Advanced Security in PI Coresight 2016 R2 and PI WebAPI 2017
- Login using an external Identity Provider
- No need to expose corporate AD credentials
(Diagram: a client on the Business Partner/Cloud/Mobile Network logs in to PI Coresight via OpenID Connect claims from an ID Provider; PI Coresight then reaches Active Directory and the PI Server (PI3, WCF) on the Business Network.)
Least Functionality: Server Core
PI Server recommended on Windows Server Core
- Less installed, less running, no GUI applications
- Fewer open ports
- Less patching
- Less maintenance
- Lower TCO. More secure
Source: Microsoft Mechanics. "Exploring Nano Server for Windows Server 2016 with Jeffrey Snover." Online video clip. YouTube, 10 Feb. 2016
Least Functionality: Architecture
Browser-based thin client with PI Vision Server
- Less installed, less running
- Less patching
- Less maintenance
- Lower TCO. More secure
PI Interfaces: New options for securing
(Diagram: Data Source -> Read -> PI Interface -> Write -> Output, running on the Operating System; the write path is marked x where the interface is read-only, and a white list governs the output points.)
New Features:
1. Least privileges
2. Read-only and read-write
3. White list output points
PI Interfaces: Hardened and Read Only
Hardened:
- PI Interface for ESCA HABConnect Alarms and Events
- PI Interface for Cisco Phone
- PI Interface for ESCA HABConnect
- PI to PI Interface
- PI Interface for CA ISO ADS Web Service
- PI Interface for IEEE C37.118
- PI Interface for Performance Monitor
- PI Interface for Siemens Spectrum Power TG
- PI Interface for Relational Database (RDBMS via ODBC)
- PI Interface for Universal File and Stream Loading (UFL)
Hardened + Read-Only Available:
- PI Interface for Foxboro I/A 70 Series
- PI Interface for Metso maxdna
- PI Interface for Citect
- PI Interface for SNMP Trap
- PI Interface for Modbus Ethernet PLC
- PI Interface for OPC HDA
- PI Interface for GE FANUC Cimplicity HMI
- PI Interface for ACPLT/KS
- PI Interface for OPC DA
Authentication Management: Use Windows Integrated Security (WIS)
HA Collectives: Enhanced Security
- Added support for Transport Security
- Now available in Data Archive, between HA Collective Nodes, PI SDK, AF SDK, and API 2016 for WIS
- All Collective members must be upgraded
- Implemented via certificates: you can use your own, or the one we generate for you
PI API 2016 for Windows Integrated Security
- Connection to PI uses Windows security only
- Login is over PI network port TCP 5450
- Active Directory is recommended but not required
Goal: Encrypted Data with WIS
- PI Interface node (Workgroup): Buffer runs as .\student01; OPC Interface runs as .\opc
- PI Server (Domain): Buffer has a mapping; OPC Interface uses a trust
Goal: Encrypted Data with WIS
- PI Trust: IP Addr + App Name -> PI Identity
- PI Mapping: Windows Account = PI Identity
Goal: Encrypted Data with WIS (PI Interface and PI Server)
- Install PI API 2016
- Follow KB 1457
- Windows Credential Manager
DEMO
Key PI System Security Resources
- https://techsupport.osisoft.com/troubleshooting/pi-system-cyber-security
- https://www.youtube.com/user/osisoftlearning/
- https://pisquare.osisoft.com/groups/security
Infrastructure Hardened PI System. Global. Trusted. Sustainable.
What is Infrastructure Hardened?
- Extremely reliable
- Well tested
- Proven capability
- Trusted
Security Development Lifecycle process: Training, Requirements, Design, Implementation, Verification, Release, Response
Actions with your Security Mindset
- Protect your boundaries
- Use strong authentication and least privileges
- Baseline and prioritize
Contact Information
- Brian Bostwick, Brian@OSIsoft.com, Cyber Security Market Principal, OSIsoft, LLC
- Kevin Geneva, KGeneva@OSIsoft.com, Systems Engineer, OSIsoft, LLC
Questions
- Please wait for the microphone before asking your questions
- Please remember to complete the online survey for this session: http://bit.ly/uc2017-app
- State your name & company
Thank You