
PI System Security

PI System Security. Taking it to the Next Level, and Beyond! Bryan S Owen PE OSIsoft, Inc Cyber Security Manager. OCEANIA TECHNOLOGY SEMINAR 2008. © 2008 OSIsoft, Inc. | Company Confidential. Agenda. Security Theme Architecture Examples Application Defenses Network Layer


Presentation Transcript


  1. PI System Security Taking it to the Next Level, and Beyond! Bryan S Owen PE OSIsoft, Inc Cyber Security Manager OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential

  2. Agenda • Security Theme • Architecture Examples • Application Defenses • Network Layer • Host Features

  3. Trust is Essential, Trust is Earned. • Everyday Web of Trust • Food & Beverage • Finance • Life Sciences • Power & Utilities • Telecommunication • Transportation • Water

  4. Cyber Security, Why Care so much? • Vulnerability due to “Bugs” • Impossible to prove absent • Stakeholder Duty • Perils are shared by all • “Line of Fire” • Cascading faults • Direct attack vector

  5. Safety and Security • Prevention is Best Approach • Risk includes Human Factors • Monitoring is Essential • Technology can help • Effectiveness • Weakest Link Issue

  6. Defense in Depth • Common Challenges: • Legacy Products • Loss of Perimeter • Implementation Practices • Operating Procedures • Visibility • [Diagram layers: Physical, Network, Host, Application, SCADA, Data]

  7. Architecture – Interface Node • Trust boundary • History recovery • Simple data capture path

  8. Interface Node – PI Trust • Trust PI User is “Owner” of Points and Data • Change owner of root module for interface configuration • Set Trust Entries with at Least 2 Credentials • Masked IP Address • FQDN for Network Path • Application Name • Specific syntax rules for PI-API applications

  9. Architecture – Attack Surface Smart Clients Portal User Services PI Archive Data Access Notification Services PI Interface Data Source Subscribers

  10. Surface Area Metric • Anonymous Access Path Count • Mitigations: • Block the Default PI User • No Null Passwords • Disallow unknown FQDN • Policy for Insecure Endpoints • Multi-zone Architecture • Data Access Servers

  11. Architecture: High Availability

  12. Architecture: Wifi / Mobile Asset • PItoPI over VPN Tunnel to Extranet • Ping metric to HQ + extra keepalive • SNMP monitoring on EVDO router

  13. Architecture: PI Data Directory

  14. Authentication • Default User • PI Login • PI Trusts • Changes in PI 3.4.375 • Windows SSPI • Changes coming in PI 3.4.380 • Kerberos & NTLM

  15. Authentication Windows PI Server Authentication Identity Mapping PI Secure Objects PI Identities Active Directory Authorization Security Principals Access Control Lists

  16. PI Identities • What are PI Identities? • Individual user or group …or a combination of users and groups • All PIUsers and PIGroups become PIIdentities • Piadmin group renamed to “piadministrators” • Purpose • Link Windows principals with PI Server object • Pre-defined defaults: • PIWorld, PIEngineers, PIOperators, PISupervisors

  17. SMT: PIIdentity Creation

  18. SMT: PIIdentity Mapping

  19. PI Secure Objects • Main objects: Points and Modules • Ownership Assignments • Objects are “co-owned” by PI identities (not just 1 PIUser and 1 PIGroup) • Access Control Lists • “Security” setting replaces owner, group, and access • Multiple Identities • Each has its own set of access rights • ACLs with 3 identities are backward compatible with the GUI • 1 PIUser, 1 PIGroup, and PIWorld (any order)

  20. PI Security Configuration
      Server <= 3.4.375 • Attributes: • Owner, Creator, Changer are PIUsers • Group is PIGroup • Access as String • ACL Syntax: “o:rw g:rw w:r”
      Server >= 3.4.380 • Attributes: • New Security attribute as ACL • Creator and Changer are PIIdentities or Principals (Windows users) • Incompatible case: • Owner = PIUserIncompatible • Group = PIGroupIncompatible • Access = “o: g: w: ” • ACL Syntax: “ID1: A(r,w) | ID2: A(r,w) | ID3: A(r) | …” where IDn = PIIdentity
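
Added example (not from the presentation or from OSIsoft): a Python sketch of the mapping slides 19 and 20 describe between the legacy Owner/Group/Access attributes and the 3.4.380 ACL string, including the incompatible case. The function names, the identity names in the sample and the exact spacing of the ACL string are assumptions; the caller supplies which identities are PIUsers and which are PIGroups.

```python
import re

# Legacy (server <= 3.4.375) Access string from the slide: "o:rw g:rw w:r".
LEGACY_RE = re.compile(r"^o:([rw]*) g:([rw]*) w:([rw]*)\s*$")
# One entry of the 3.4.380 ACL string, e.g. "ID1: A(r,w)" (spacing assumed).
ENTRY_RE = re.compile(r"^\s*(.+?)\s*:\s*A\(\s*([rw]?(?:\s*,\s*[rw])*)\s*\)\s*$")
# Attribute values the slide lists for the incompatible case.
INCOMPATIBLE = {"owner": "PIUserIncompatible",
                "group": "PIGroupIncompatible",
                "access": "o: g: w: "}

def legacy_to_acl(owner, group, access):
    """Build a new-style ACL string from Owner/Group/Access attributes."""
    m = LEGACY_RE.match(access)
    if not m:
        raise ValueError(f"not a legacy access string: {access!r}")
    ids = (owner, group, "PIWorld")
    return " | ".join(f"{i}: A({','.join(r)})" for i, r in zip(ids, m.groups()))

def parse_acl(acl):
    """Return {identity: set of rights} from 'ID1: A(r,w) | ID2: A(r)'."""
    entries = {}
    for part in acl.split("|"):
        m = ENTRY_RE.match(part)
        if not m:
            raise ValueError(f"bad ACL entry: {part!r}")
        entries[m.group(1)] = set(re.findall(r"[rw]", m.group(2)))
    return entries

def acl_to_legacy(acl, users, groups):
    """Map an ACL back to Owner/Group/Access, or to the incompatible markers.

    Compatible only with exactly 3 identities: 1 PIUser, 1 PIGroup and
    PIWorld, in any order (slide 19).
    """
    entries = parse_acl(acl)
    u = [i for i in entries if i in users]
    g = [i for i in entries if i in groups]
    if len(entries) != 3 or len(u) != 1 or len(g) != 1 or "PIWorld" not in entries:
        return dict(INCOMPATIBLE)
    def rights(identity):
        return "".join(c for c in "rw" if c in entries[identity])
    return {"owner": u[0], "group": g[0],
            "access": f"o:{rights(u[0])} g:{rights(g[0])} w:{rights('PIWorld')}"}

if __name__ == "__main__":
    # Constructed sample identities, not taken from a real PI Server.
    acl = legacy_to_acl("opsuser", "opsgroup", "o:rw g:rw w:r")
    print(acl)
    print(acl_to_legacy(acl + " | PIEngineers: A(r)", {"opsuser"}, {"opsgroup"}))
```
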

  21. Scenarios • A. SDK 1.3.6, Server <= 3.4.375 • No changes to authentication, security configuration, or access check behavior • B. SDK <= 1.3.5, Server 3.4.380 • More control over authentication methods • Trusts map to PI Identities • New attribute specifying ACL • Points: PtSecurity, DataSecurity • Modules/DBsecurity: Security • Old attributes (Owner/Group/Access) supported unless ACLs become incompatible • C. SDK 1.3.6, Server 3.4.380 • All of the above, plus: • Default authentication: Windows SSPI

  22. Layered Permissions • Client Layer • SharePoint/RtWebPart Security • Document Library • Abstraction/Context Security • Data Dictionary (AF Windows ACL) • Module Database (PI ACL) • Database Security Table • Role Access Permission • PI Secure Objects • Data Access • Point Access

  23. Network Layer Security • Chronic Loss of Perimeter • Driven by Mobility (Wireless/Laptops) • Access Controls • 802.1x (NAC/NAP) • Health Check Policy • Distributed Firewalls • Bump in Wire • Host Intrusion Detection & Prevention

  24. Server Domain Isolation

  25. Host Firewall Connection Security Rule • Enable IPSEC between two servers • Ex: netsh advfirewall consec add rule name="PIHArule" mode=transport type=static action=requireinrequireout endpoint1=192.168.1.4 endpoint2=192.168.129.128 auth1=computerpsk auth1psk="Mag1kR1de" • Built in to Server 2008 / Vista

  26. Network Security • Indicators: • Quality of Services • Latency (Ping/TCP Response) • NIC Loading (SNMP/Perfmon) • Attack Pre-Cursors • IP address MAC check (SNMP) • Unexpected Traffic (IPFlow) • Security Events (Syslog)

  27. PI Monitoring • Indicators: • Quality of Services • PI Server Counters (Perfmon) • Uniint Health Points (PI) • Consistency Verification (ACE) • Attack Pre-Cursors • PI Message Log (PI-OLEDB) • Security Events (EventLog) • Message Integrity (mPI)

  28. More Security Enhancements… • Hardened O/S Support • Windows 2008 Server Core • Configuration Audit Tools • ACE Modules for Monitoring

  29. Associations • Government • Research • Commercial • Collaboration is the key to Security

  30. PI Security Infrastructure • Trusted Partner • Trusted Network • Trusted Operating System • Trusted Application • Trusted Data • [Diagram layers: Physical, Network, Host, Application, SCADA, Data]
