PI System Security

Presentation Transcript

  1. PI System Security: Taking it to the Next Level, and Beyond! • Bryan S Owen PE, Cyber Security Manager, OSIsoft, Inc • OCEANIA TECHNOLOGY SEMINAR 2008 • © 2008 OSIsoft, Inc. | Company Confidential

  2. Agenda • Security Theme • Architecture Examples • Application Defenses • Network Layer • Host Features

  3. Trust is Essential, Trust is Earned. • Everyday Web of Trust • Food & Beverage • Finance • Life Sciences • Power & Utilities • Telecommunication • Transportation • Water

  4. Cyber Security, Why Care so much? • Vulnerability due to “Bugs” • Impossible to prove absent • Stakeholder Duty • Perils are shared by all • “Line of Fire” • Cascading faults • Direct attack vector

  5. Safety and Security • Prevention is Best Approach • Risk includes Human Factors • Monitoring is Essential • Technology can help • Effectiveness • Weakest Link Issue

  6. Defense in Depth • Common Challenges: • Legacy Products • Loss of Perimeter • Implementation Practices • Operating Procedures • Visibility • Layers (diagram): Physical, Network, Host, Application, SCADA, Data

  7. Architecture – Interface Node • Trust boundary • History recovery • Simple data capture path

  8. Interface Node – PI Trust • Trust PI User is “Owner” of Points and Data • Change owner of root module for interface configuration • Set Trust Entries with at Least 2 Credentials • Masked IP Address • FQDN for Network Path • Application Name • Specific syntax rules for PI-API applications

  9. Architecture – Attack Surface Smart Clients Portal User Services PI Archive Data Access Notification Services PI Interface Data Source Subscribers

  10. Surface Area Metric • Anonymous Access Path Count • Mitigations: • Block the Default PI User • No Null Passwords • Disallow unknown FQDN • Policy for Insecure Endpoints • Multi-zone Architecture • Data Access Servers

  11. Architecture: High Availability

  12. Architecture: Wifi / Mobile Asset • PItoPI over VPN Tunnel to Extranet • Ping metric to HQ + extra keepalive • SNMP monitoring on EVDO router

  13. Architecture: PI Data Directory

  14. Authentication • Default User • PI Login • PI Trusts • Changes in PI 3.4.375 • Windows SSPI • Changes coming in PI 3.4.380 • Kerberos & NTLM

  15. Authentication Windows PI Server Authentication Identity Mapping PI Secure Objects PI Identities Active Directory Authorization Security Principals Access Control Lists

  16. PI Identities • What are PI Identities? • Individual user or group …or a combination of users and groups • All PIUsers and PIGroups become PIIdentities • Piadmin group renamed to “piadministrators” • Purpose • Link Windows principals with PI Server object • Pre-defined defaults: • PIWorld, PIEngineers, PIOperators, PISupervisors

  17. SMT: PIIdentity Creation

  18. SMT: PIIdentity Mapping

  19. PI Secure Objects • Main objects: Points and Modules • Ownership Assignments • Objects are “co-owned” by PI identities (not just 1 PIUser and 1 PIGroup) • Access Control Lists • “Security” setting replaces owner, group, and access • Multiple Identities • Each has its own set of access rights • ACLs with 3 identities are back compatible with GUI • 1 PIUser, 1 PIGroup, and PIWorld (any order)

  20. PI Security Configuration • Server <= 3.4.375 Attributes: • Owner, Creator, Changer are PIUsers • Group is PIGroup • Access as String • ACL Syntax: "o:rw g:rw w:r" • Server >= 3.4.380 Attributes: • New Security attribute as ACL • Creator and Changer are PIIdentities or Principals (Windows users) • Incompatible case: • Owner = PIUserIncompatible • Group = PIGroupIncompatible • Access = "o: g: w: " • ACL Syntax: "ID1: A(r,w) | ID2: A(r,w) | ID3: A(r) | …" (IDn = PIIdentity)

  21. Scenarios • A. SDK 1.3.6, Server <= 3.4.375 • No changes to authentication, security configuration, or access check behavior • B. SDK <= 1.3.5, Server 3.4.380 • More control over authentication methods • Trusts map to PI Identities • New attribute specifying ACL • Points: PtSecurity, DataSecurity • Modules/DBsecurity: Security • Old attributes (Owner/Group/Access) supported unless ACLs become incompatible • C. SDK 1.3.6, Server 3.4.380 • All of the above, plus: • Default authentication: Windows SSPI

  22. Layered Permissions • Client Layer • Sharepoint/RtWebPart Security • Document Library • Abstraction/Context Security • Data Dictionary (AF Windows ACL) • Module Database (PI ACL) • Database Security Table • Role Access Permission • PI Secure Objects • Data Access • Point Access

  23. Network Layer Security • Chronic Loss of Perimeter • Driven by Mobility (Wireless/Laptops) • Access Controls • 802.1x (NAC/NAP) • Health Check Policy • Distributed Firewalls • Bump in Wire • Host Intrusion Detection & Prevention

  24. Server Domain Isolation

  25. Host Firewall Connection Security Rule • Enable IPsec between two servers. Ex: netsh advfirewall consec add rule name="PIHArule" mode=transport type=static action=requireinrequireout endpoint1=192.168.1.4 endpoint2=192.168.129.128 auth1=computerpsk auth1psk="Mag1kR1de" • Built in to Server 2008 / Vista

  26. Network Security • Indicators: • Quality of Services • Latency (Ping/TCP Response) • NIC Loading (SNMP/Perfmon) • Attack Pre-Cursors • IP address MAC check (SNMP) • Unexpected Traffic (IPFlow) • Security Events (Syslog)

  27. PI Monitoring • Indicators: • Quality of Services • PI Server Counters (Perfmon) • Uniint Health Points (PI) • Consistency Verification (ACE) • Attack Pre-Cursors • PI Message Log (PI-OLEDB) • Security Events (EventLog) • Message Integrity (mPI)

  28. More Security Enhancements… • Hardened O/S Support • Windows 2008 Server Core • Configuration Audit Tools • ACE Modules for Monitoring

  29. Associations Government Research Commercial Collaboration is the key to Security

  30. PI Security Infrastructure • Trusted Partner • Trusted Network • Trusted Operating System • Trusted Application • Trusted Data • Layers (diagram): Physical, Network, Host, Application, SCADA, Data
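
Added example (not part of the presentation and not OSIsoft code): a small checker for the ACL rules on slides 19 and 20. It parses a Server >= 3.4.380 "Security" string and reports whether it still fits the old Owner/Group/Access attributes, returning the incompatible values from slide 20 when it does not. The identity names and the users/groups sets are constructed; how the caller learns which identities were PIUsers or PIGroups is an assumption.

```python
import re

# One entry of the Server >= 3.4.380 syntax on slide 20: "ID: A(r,w)"
_ENTRY = re.compile(r"^\s*([^:|]+?)\s*:\s*A\(([rw,\s]*)\)\s*$")

# Values slide 20 gives for the old attributes when an ACL cannot be expressed
INCOMPATIBLE = {"owner": "PIUserIncompatible",
                "group": "PIGroupIncompatible",
                "access": "o: g: w: "}


def parse_acl(acl):
    """Parse 'ID1: A(r,w) | ID2: A(r)' into {identity: set of rights}."""
    entries = {}
    for part in acl.split("|"):
        m = _ENTRY.match(part)
        if not m:
            raise ValueError(f"malformed ACL entry: {part!r}")
        ident = m.group(1)
        if ident in entries:
            raise ValueError(f"identity listed twice: {ident}")
        entries[ident] = set(re.findall(r"[rw]", m.group(2)))
    return entries


def to_legacy(acl, users, groups):
    """Map an ACL to the old owner/group/access attributes, if it fits.

    users/groups: names that were PIUsers/PIGroups before the upgrade
    (hypothetical inputs; the caller has to supply them).
    """
    entries = parse_acl(acl)
    owners = [i for i in entries if i in users]
    grps = [i for i in entries if i in groups]
    # Slide 19: exactly 1 PIUser, 1 PIGroup and PIWorld, in any order
    fits = (len(entries) == 3 and "PIWorld" in entries
            and len(owners) == 1 and len(grps) == 1 and owners != grps)
    if not fits:
        return dict(INCOMPATIBLE)

    def rights(ident):
        return "".join(r for r in "rw" if r in entries[ident])

    access = f"o:{rights(owners[0])} g:{rights(grps[0])} w:{rights('PIWorld')}"
    return {"owner": owners[0], "group": grps[0], "access": access}


# Constructed sample identities, not from the slides
SAMPLE = "plant_ops: A(r,w) | PIWorld: A(r) | jsmith: A(r,w)"
print(to_legacy(SAMPLE, users={"jsmith"}, groups={"plant_ops"}))
```

Running such a check over exported point and module ACLs before an upgrade shows which objects older GUI tools will display as PIUserIncompatible / PIGroupIncompatible.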