340 likes | 751 Views
PI System Security. Taking it to the Next Level, and Beyond! Bryan S Owen PE OSIsoft, Inc Cyber Security Manager. OCEANIA TECHNOLOGY SEMINAR 2008. © 2008 OSIsoft, Inc. | Company Confidential. Agenda. Security Theme Architecture Examples Application Defenses Network Layer
E N D
PI System Security Taking it to the Next Level, and Beyond! Bryan S Owen PE OSIsoft, Inc Cyber Security Manager OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential
Agenda • Security Theme • Architecture Examples • Application Defenses • Network Layer • Host Features
Trust is Essential, Trust is Earned. • Everyday Web of Trust • Food & Beverage • Finance • Life Sciences • Power & Utilities • Telecommunication • Transportation • Water
Cyber Security, Why Care so much? • Vulnerability due to “Bugs” • Impossible to prove absent • Stakeholder Duty • Perils are shared by all • “Line of Fire” • Cascading faults • Direct attack vector
Safety and Security • Prevention is Best Approach • Risk includes Human Factors • Monitoring is Essential • Technology can help • Effectiveness • Weakest Link Issue
Defense in Depth Common Challenges: • Legacy Products • Loss of Perimeter • Implementation Practices • Operating Procedures • Visibility Physical Network Host Application SCADA Data
Architecture – Interface Node • Trust boundary • History recovery • Simple data capture path
Interface Node – PI Trust • Trust PI User is “Owner” of Points and Data • Change owner of root module for interface configuration • Set Trust Entries with at Least 2 Credentials • Masked IP Address • FQDN for Network Path • Application Name • Specific syntax rules for PI-API applications
Architecture – Attack Surface Smart Clients Portal User Services PI Archive Data Access Notification Services PI Interface Data Source Subscribers
Surface Area Metric • Anonymous Access Path Count • Mitigations: • Block the Default PI User • No Null Passwords • Disallow unknown FQDN • Policy for Insecure Endpoints • Multi-zone Architecture • Data Access Servers
Architecture: Wifi / Mobile Asset • PItoPI over VPN Tunnel to Extranet • Ping metric to HQ + extra keepalive • SNMP monitoring on EVDO router
Authentication • Default User • PI Login • PI Trusts • Changes in PI 3.4.375 • Windows SSPI • Changes coming in PI 3.4.380 • Kerberos & NTLM
Authentication Windows PI Server Authentication Identity Mapping PI Secure Objects PI Identities Active Directory Authorization Security Principals Access Control Lists
PI Identities • What are PI Identities? • Individual user or group …or a combination of users and groups • All PIUsers and PIGroups become PIIdentities • Piadmin group renamed to “piadministrators” • Purpose • Link Windows principals with PI Server object • Pre-defined defaults: • PIWorld, PIEngineers, PIOperators, PISupervisors
PI Secure Objects • Main objects: Points and Modules • Ownership Assignments • Objects are “co-owned” by PI identities (not just 1 PIUser and 1 PIGroup) • Access Control Lists • “Security” setting replaces owner, group, and access • Multiple Identities • Each has its own set of access rights • ACLs with 3 identities are back compatible with GUI • 1 PIUser, 1PIGroup, and PIWorld (any order)
Server <= 3.4.375 Attributes Owner, Creator, Changer are PIUsers Group is PIGroup Access as String ACL Syntax “o:rw g:rw w:r” PI Security Configuration Server >= 3.4.380 Attributes • New Security attribute as ACL • Creator and Changer are PIIdentities or Principals (Windows users) • Incompatible case: • Owner = PIUserIncompatible • Group = PIGroupIncompatible • Access = “o: g: w: ” ACL Syntax “ID1: A(r,w) | ID2: A(r,w) | ID3: A(r) | …” IDn = PIIdentity
Scenarios • A. SDK 1.3.6, Server <= 3.4.375 • No changes to authentication, security configuration, or access check behavior • B. SDK <= 1.3.5, Server 3.4.380 • More control over authentication methods • Trusts map to PI Identities • New attribute specifying ACL • Points: PtSecurity, DataSecurity • Modules/DBsecurity: Security • Old attributes (Owner/Group/Access) supported unless ACLs become incompatible • C. SDK 1.3.6, Server 3.4.380 • All of the above, plus: • Default authentication: Windows SSPI
Layered Permissions • Client Layer • Sharepoint/RtWebPart Security • Document Library • Abstraction/Context Security • Data Dictionary (AF Windows ACL) • Module Database (PI ACL) • Database Security Table • Role Access Permission • PI Secure Objects • Data Access • Point Access
Network Layer Security • Chronic Loss of Perimeter • Driven by Mobility (Wireless/Laptops) • Access Controls • 802.1x (NAC/NAP) • Health Check Policy • Distributed Firewalls • Bump in Wire • Host Intrusion Detection & Prevention
Host Firewall Connection Security Rule • Enable IPSEC between two servers Ex: netsh advfirewall consec add rule name="PIHArule“ mode=transport type=static action=requireinrequireout endpoint1=192.168.1.4 endpoint2=192.168.129.128 auth1=computerpsk auth1psk=“Mag1kR1de” • Built in to Server 2008 / Vista
Network Security • Indicators: • Quality of Services • Latency (Ping/TCP Response) • NIC Loading (SNMP/Perfmon) • Attack Pre-Cursors • IP address MAC check (SNMP) • Unexpected Traffic (IPFlow) • Security Events (Syslog)
PI Monitoring • Indicators: • Quality of Services • PI Server Counters (Perfmon) • Uniint Health Points (PI) • Consistency Verification (ACE) • Attack Pre-Cursors • PI Message Log (PI-OLEDB) • Security Events (EventLog) • Message Integrity (mPI)
More Security Enhancements… • Hardened O/S Support • Windows 2008 Server Core • Configuration Audit Tools • ACE Modules for Monitoring
Associations Government Research Commercial Collaboration is the key to Security
PI Security Infrastructure • Trusted Partner • Trusted Network • Trusted Operating System • Trusted Application • Trusted Data Physical Network Host Application SCADA Data