What s New in PI Security?

Similar documents
Cyber Security Bryan Owen PE Principal Cyber Security Manager October 11, 2016

What s new in PI System Security?

Cyber Security Brian Bostwick OSIsoft Market Principal for Cyber Security

Hardcore PI System Hardening

Are Mobile Technologies Safe Enough for Industrie 4.0?

What s new in PI System Security?

How to Pick the Right PI Developer Technology for your Project

Connectivity from A to Z Roadmap for PI Connectors and PI Interfaces

New to PI SDK and AF SDK 2010

2009 OSIsoft, LLC. OSIsoft vcampus Live! where PI geeks meet OSIsoft, LLC. OSIsoft vcampus Live! 2009 where PI geeks meet

Connectivity from A to Z Roadmap for PI Connectors and PI Interfaces

Connectivity from A to Z Roadmap for PI Connectors and PI Interfaces

How to Pick the Right PI Developer Technology for your Project

OSIsoft Technologies for the Industrial IoT and Industry 4.0

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Security+ SY0-501 Study Guide Table of Contents

The Power of Connection

Critical Hygiene for Preventing Major Breaches

Premediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C.

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

Securing ArcGIS Services

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Data Diode Cybersecurity Implementation Protects SCADA Network and Facilitates Transfer of Operations Information to Business Users

K12 Cybersecurity Roadmap

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

OSIsoft Release Notes

Solutions Business Manager Web Application Security Assessment

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

ANATOMY OF AN ATTACK!

OPSWAT Metadefender. Superior Malware Threat Prevention and Analysis

Server Tailgating A Chosen- Plaintext Attack on RDP. - Eyal Karni - Yaron Zinar - Roman Blachman

Cyber Threats: What Should I Do to Harden my PI System?

Building Resilience in a Digital Enterprise

PI System Pervasive Data Collection

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

USERS CONFERENCE Copyright 2016 OSIsoft, LLC

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

T22 - Industrial Control System Security

Aguascalientes Local Chapter. Kickoff

Security in the Privileged Remote Access Appliance

HikCentral V.1.1.x for Windows Hardening Guide

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

ICALEPCS 2013 San Francisco

Expanding Your System past just a PI Historian A 2016 Update

Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

Integrated Access Management Solutions. Access Televentures

Achieving End-to-End Security in the Internet of Things (IoT)

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

PI Connector for Ping 1.0. User Guide

Security in Bomgar Remote Support

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Introduction. The Safe-T Solution

Why Most IoT Projects Fail And how to ensure success with OSIsoft and Cisco Kinetic

CS 356 Operating System Security. Fall 2013

Online Intensive Ethical Hacking Training

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

Securing ArcGIS Server Services An Introduction

Addressing Cyber Threats in Power Generation and Distribution

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Managing Microsoft 365 Identity and Access

What's New with PI Data Access 2010

Security Solutions. Overview. Business Needs

File Routing & Collaboration. I.T. & Client Configuration Guide. Version 7.0

SentinelOne Technical Brief

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

How Breaches Really Happen

Microlab 2005 Summer Internship. Subha Gollakota High School Junior Harker High San Jose, CA

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Challenge: Harden the PI System against cyber threats. Copyr i ght 2014 O SIs oft, LLC.

HikCentral V1.3 for Windows Hardening Guide

Web Security. Outline

the SWIFT Customer Security

New Technologies for Cyber Security

Modern Realities of Securing Active Directory & the Need for AI

Juniper Vendor Security Requirements

C1: Define Security Requirements

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

Unified Security Platform. Security Center 5.4 Hardening Guide Version: 1.0. Innovative Solutions

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Microsoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications

Web Application Security. Philippe Bogaerts

Modicon M580 PAC. CSPN Security Target. Version

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

Locking down a Hitachi ID Suite server

PI OPC DA Server User Guide

Copyri g h t 2012 OSIso f t, LLC. 1

How to Put Your AF Server into a Container

Introduction With the move to the digital enterprise, all organizations regulated or not, are required to provide customers and anonymous users alike


COMPUTER NETWORK SECURITY

Details withheld at reviewer request. Process Design and Automation (Pty)Ltd Phone: +27 (0)

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Firewalls (IDS and IPS) MIS 5214 Week 6

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

Vidder PrecisionAccess

Test Harness for Web Application Attacks

Data encryption & security. An overview

Transcription:

What s New in PI Security? Presented by Bryan Owen PE Felicia Mohan

Agenda Overview What s new Demo What s coming next Call to Action 3

Cyber Security is more of a Marathon than a Sprint Release Cadence Quicker response time More agile and predictable Most, not all products Ethical Disclosure Policy Transparency Do no harm https://techsupport.osisoft.com/troubleshooting/ethical-disclosure-policy 4

Best Practices are Advancing Engineering Bow-Tie Model ICS Security Bow-Tie Evaluating Cyber Risk in Engineering Environments: A Proposed Framework and Methodology https://www.sans.org/reading-room/whitepapers/ics/evaluating-cyber-risk-engineering-environments-proposedframework-methodology-37017

Attack & Defend Reduce Impact Attack & Defend Reduce Impact Attack & Defend Reduce Impact Classic PI System Kill Chain Many opportunities to defend Attacks are complex Successful attacks require high skill levels 1 The Internet WEB Page Drive By 2 3 4 Processbook Client Admin OS Access Unauthenticated access PI Data Archive Unauthorized access to data Administrative access to operating system Interface Node Control system pwned 5 Control System Social Engineering Web Browser Compromise User OS Access Administrative access to operating system PI Data Archive Compromise Missing or tainted data sent to users or downstream services Exploit vulnerable product or service to inject malware on interface node Interface Node Compromise Control system slow or unresponsive Phishing Email Network Node Access Authenticated PI data access Service delays or unresponsive Use interface output points for sending data to control systems Loss of control including anomalous actuator operation Exploit vulnerable service on PI Server Manipulation of configuration Use interfaces to overload control system Loss of view including fake sensor data Overload PI Server Pivot to other servers (PI Server as client to another server or unauthorized call home) Use PI data as part of a covert command and control channel Spread malware to client connections https://pisquare.osisoft.com/groups/security/blog/2016/08/02/bow-tie-for-cyber-security-0x01-how-to-tie-a-cyber-bow-tie 6

Deep Dive into Security Changes 7

Classic PI Client Desktop Processbook 2015 R2 Memory corruption defenses (VS2013) Removes.NET Framework 3.5 dependency Improves support for EMET PI SDK 2016 Memory corruption defenses (VS2015) MS Runtime Updates Transport Security (Data Integrity and Privacy) KB01289 - How To Enhance Security in PI ProcessBook Using EMET 8

Attack & Defend Reduce Impact Attack & Defend Reduce Impact Attack & Defend Reduce Impact Attack & Defend Reduce Impact Modern PI System Kill Chain Newer more secure development technologies Attack complexity Increased by additional layer Successful attacks require high skill levels 1 The Internet WEB Page Drive By 2 3 4 5 Coresight Client in Web Browser Admin OS Access Unauthenticated access Coresight Server Unauthorized access to data Unauthenticated access PI Server Unauthorized access to data Administrative access to operating system Connector Control system pwned 6 Control System Social Engineering Web Browser Compromise User OS Access Authenticated Access Coresight Server Compromise Manipulation of configuration Administrative access to operating system PI Server Compromise Missing or tainted data sent to users or downstream services Exploit vulnerable product or service to inject malware on interface node Connector Compromise Control system slow or unresponsive Phishing Email Network Node Access Exploit vulnerable product or service Missing or tainted data sent to users or downstream services Authenticated PI data access Service delays or unresponsive Use interface output points for sending data to control systems Loss of control including anomalous actuator operation Admin Access to OS/ SQL Server Service delays or unresponsive Exploit vulnerable service on PI Server Manipulation of configuration Use interfaces to overload control system Loss of view including fake sensor data Overload Server (DoS) Spread malware to client connections Overload PI Server Pivot to other servers (PI Server as client to another server or unauthorized call home) Use PI data as part of a covert command and control channel Coresight acts as client to another resource Spread malware to client connections PI Square: Hardcore PI Coresight Hardening 9

Advanced Security in PI Coresight 2016 R2 Login using an external Identity Provider No need to expose corporate AD credentials PI Coresight OpenID Connect Claims ID Provider Active Directory PI Server PI3, WCF Business Network Business Partner/Cloud/Mobile Network 10

Security Changes for PI Server 11

PI AF Recent Security Changes 2015 Identity Mappings Service Hardening AF Client to Data Archive Transport Security 2016 File Type IsManualDataEntry MS Office Annotate Permission Text File Attachment Checks Image ProcessBook Allowed Extensions csv, docx, pdf, xlsx rtf, txt gif, jpeg, jpg, png, svg, tiff pdi PI System Explorer 2016 User Guide: Security for Annotations 12

PI Data Archive Recent Security Changes 2015 Compiler Defenses Code Safety Transport Security 2016 Auto Recovery Archive Reprocessing 13

Security Changes for PI System Interfaces 14

PI Buffer Subsystem 2015 Code Safety Transport Security with Windows Authentication 2016 Service Accounts Managed Service Account (Domain only) Virtual Service Account API BUFSERV for Windows 1996-2016 15

PI Interfaces New options for securing Data Source Read PI Interface Input Write Output Operating System 16

PI Interfaces New options for securing Data Source Read PI Interface Input Write X X Output White list Operating System New Features: 1. Least privileges 2. Read-only and read-write 3. White list output points 17

Code Hardened PI Interfaces Hardened PI Interface for ESCA HABConnect Alarms and Events PI Interface for Cisco Phone PI Interface for ESCA HABConnect PI to PI Interface PI Interface for CA ISO ADS Web Service PI Interface for IEEE C37.118 PI Interface for Performance Monitor PI Interface for Siemens Spectrum Power TG PI Interface for OPC DA PI Interface for Relational Database (RDBMS via ODBC) PI Interface for Universal File and Stream Loading (UFL) Hardened + Read-Only Available PI Interface for Foxboro I/A 70 Series PI Interface for Metso maxdna PI Interface for Citect PI Interface for SNMP Trap PI Interface for Modbus Ethernet PLC PI Interface for OPC HDA PI Interface for GE FANUC Cimplicity HMI PI Interface for ACPLT/KS 18

Transport Security Everywhere From Connection PI Trust NTLM RC4/MD5 Active Directory (Kerberos) AES256/SHA1* PI Buffer Subsystem PI Connectors PI Datalink PI Processbook PI Interfaces 19

Introducing PI API 2016 for Windows Integrated Security 20

PI API 2016 for Windows Integrated Security Compiler Defenses Code Safety Transport Security Data Integrity and Privacy Backward Compatible No changes to existing PI Interfaces PI Mapping is Required, PI API 2016 does not attempt PI Trust connection! 21

DEMO 22

23

Security Changes in Progress 24

PI Connector Architecture PI Connectors PI Connector Relay Certificates Windows Security Edge DMZ Enterprise 25

Attack & Defend Reduce Impact Attack & Defend Reduce Impact Attack & Defend Reduce Impact Attack & Defend Reduce Impact Attack & Defend Reduce Impact PI System Kill Chain with Relay Enhanced development technologies Attack complexity Increased by additional layer Successful attacks require high skill levels 1 The Internet WEB Page Drive By 2 3 4 5 6 Coresight WEB Client Admin OS Access Unauthenticated access Coresight Server Unauthorized access to data Unauthenticated access PI Archive & AF Servers Unauthorized access to data Administrative access to operating system Connector Relay Control system pwned Administrative access to operating system Connector Control system pwned 7 Control System Social Engineering Web Browser Compromise User OS Access Authenticated Access Coresight Server Compromise Manipulation of configuration Administrative access to operating system PI Archive or AF Compromise Missing or tainted data sent to users or downstream services Exploit vulnerable product or service to inject malware on interface node Connector Relay Compromise Control system slow or unresponsive Exploit vulnerable product or service to inject malware on interface node Connector Compromise Control system slow or unresponsive Phishing Email Network Node Access Exploit vulnerable product or service Missing or tainted data sent to users or downstream services Authenticated PI data access Service delays or unresponsive Use interface output points for sending data to control systems Loss of control including anomalous actuator operation Use interface output points for sending data to control systems Loss of control including anomalous actuator operation Admin Access to OS/ SQL Server Service delays or unresponsive Exploit vulnerable service on PI Server Manipulation of configuration Use interfaces to overload control system Loss of view including fake sensor data Use interfaces to overload control system Loss of view including fake sensor data Overload Server (DoS) Spread malware to client connections Overload PI Server Pivot to other servers (PI Server as client to another server or unauthorized call home) Use PI data as part of a covert command and control channel Use PI data as part of a covert command and control channel Coresight acts as client to another resource Spread malware to client connections 26

PI System Connector Source PI System & PI System Connector PI Connector Relay Destination PI System PI Points Real-time Data Elements Templates Control DMZ Corporate 27

Call to Action Plan roll out for PI SDK 2016 and PI API 2016 Update PI Buffering and PI Interfaces too Get started with PI Connectors Under the NIS Directive, essential service providers must adopt requirements within 21 months of August 2016 or face fines of up to 10m or 2% globally. 28

Contact Information Bryan Owen bryan@osisoft.com Principal Cyber Security Manager Felicia Mohan ftan@osisoft.com Systems Engineer 29

Questions Please wait for the microphone before asking your questions Please remember to Complete the Online Survey for this session State your name & company http://ddut.ch/osisoft 30

Thank You

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback