pi system security n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
PI System Security PowerPoint Presentation
Download Presentation
PI System Security

Loading in 2 Seconds...

play fullscreen
1 / 30

PI System Security - PowerPoint PPT Presentation


  • 243 Views
  • Uploaded on

PI System Security. Taking it to the Next Level, and Beyond! Bryan S Owen PE OSIsoft, Inc Cyber Security Manager. OCEANIA TECHNOLOGY SEMINAR 2008. © 2008 OSIsoft, Inc. | Company Confidential. Agenda. Security Theme Architecture Examples Application Defenses Network Layer

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'PI System Security' - todd


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
pi system security

PI System Security

Taking it to the Next Level, and Beyond!

Bryan S Owen PE

OSIsoft, Inc

Cyber Security Manager

OCEANIA TECHNOLOGY SEMINAR 2008

© 2008 OSIsoft, Inc. | Company Confidential

agenda
Agenda
  • Security Theme
  • Architecture Examples
  • Application Defenses
  • Network Layer
  • Host Features
trust is essential trust is earned
Trust is Essential, Trust is Earned.
  • Everyday Web of Trust
    • Food & Beverage
    • Finance
    • Life Sciences
    • Power & Utilities
    • Telecommunication
    • Transportation
    • Water
cyber security why care so much
Cyber Security, Why Care so much?
  • Vulnerability due to “Bugs”
    • Impossible to prove absent
  • Stakeholder Duty
    • Perils are shared by all
  • “Line of Fire”
    • Cascading faults
    • Direct attack vector
safety and security
Safety and Security
  • Prevention is Best Approach
    • Risk includes Human Factors
  • Monitoring is Essential
    • Technology can help
  • Effectiveness
    • Weakest Link Issue
defense in depth
Defense in Depth

Common Challenges:

  • Legacy Products
  • Loss of Perimeter
  • Implementation Practices
  • Operating Procedures
  • Visibility

Physical

Network

Host

Application

SCADA

Data

architecture interface node
Architecture – Interface Node
  • Trust boundary
  • History recovery
  • Simple data capture path
interface node pi trust
Interface Node – PI Trust
  • Trust PI User is “Owner” of Points and Data
    • Change owner of root module for interface configuration
  • Set Trust Entries with at Least 2 Credentials
    • Masked IP Address
    • FQDN for Network Path
    • Application Name
      • Specific syntax rules for PI-API applications
architecture attack surface
Architecture – Attack Surface

Smart

Clients

Portal

User

Services

PI

Archive

Data

Access

Notification

Services

PI Interface

Data Source

Subscribers

surface area metric
Surface Area Metric
  • Anonymous Access Path Count
  • Mitigations:
    • Block the Default PI User
    • No Null Passwords
    • Disallow unknown FQDN
    • Policy for Insecure Endpoints
      • Multi-zone Architecture
      • Data Access Servers
architecture wifi mobile asset
Architecture: Wifi / Mobile Asset
  • PItoPI over VPN Tunnel to Extranet
  • Ping metric to HQ + extra keepalive
  • SNMP monitoring on EVDO router
authentication
Authentication
  • Default User
  • PI Login
  • PI Trusts
    • Changes in PI 3.4.375
  • Windows SSPI
    • Changes coming in PI 3.4.380
    • Kerberos & NTLM
authentication1
Authentication

Windows

PI Server

Authentication

Identity Mapping

PI

Secure

Objects

PI Identities

Active

Directory

Authorization

Security

Principals

Access Control Lists

pi identities
PI Identities
  • What are PI Identities?
    • Individual user or group

…or a combination of users and groups

    • All PIUsers and PIGroups become PIIdentities
      • Piadmin group renamed to “piadministrators”
  • Purpose
    • Link Windows principals with PI Server object
  • Pre-defined defaults:
    • PIWorld, PIEngineers, PIOperators, PISupervisors
pi secure objects
PI Secure Objects
  • Main objects: Points and Modules
  • Ownership Assignments
    • Objects are “co-owned” by PI identities

(not just 1 PIUser and 1 PIGroup)

  • Access Control Lists
    • “Security” setting replaces owner, group, and access
    • Multiple Identities
      • Each has its own set of access rights
    • ACLs with 3 identities are back compatible with GUI
      • 1 PIUser, 1PIGroup, and PIWorld (any order)
pi security configuration
Server <= 3.4.375

Attributes

Owner, Creator, Changer are PIUsers

Group is PIGroup

Access as String

ACL Syntax

“o:rw g:rw w:r”

PI Security Configuration

Server >= 3.4.380

Attributes

  • New Security attribute as ACL
  • Creator and Changer are PIIdentities or Principals (Windows users)
  • Incompatible case:
    • Owner = PIUserIncompatible
    • Group = PIGroupIncompatible
    • Access = “o: g: w: ”

ACL Syntax

“ID1: A(r,w) | ID2: A(r,w) | ID3: A(r) | …”

IDn = PIIdentity

scenarios
Scenarios
  • A. SDK 1.3.6, Server <= 3.4.375
    • No changes to authentication, security configuration, or access check behavior
  • B. SDK <= 1.3.5, Server 3.4.380
    • More control over authentication methods
    • Trusts map to PI Identities
    • New attribute specifying ACL
      • Points: PtSecurity, DataSecurity
      • Modules/DBsecurity: Security
    • Old attributes (Owner/Group/Access) supported unless ACLs become incompatible
  • C. SDK 1.3.6, Server 3.4.380
    • All of the above, plus:
      • Default authentication: Windows SSPI
layered permissions
Layered Permissions
  • Client Layer
    • Sharepoint/RtWebPart Security
    • Document Library
  • Abstraction/Context Security
    • Data Dictionary (AF Windows ACL)
    • Module Database (PI ACL)
  • Database Security Table
    • Role Access Permission
  • PI Secure Objects
    • Data Access
    • Point Access
network layer security
Network Layer Security
  • Chronic Loss of Perimeter
    • Driven by Mobility (Wireless/Laptops)
  • Access Controls
      • 802.1x (NAC/NAP)
      • Health Check Policy
  • Distributed Firewalls
    • Bump in Wire
    • Host Intrusion Detection & Prevention
host firewall connection security rule
Host Firewall Connection Security Rule
  • Enable IPSEC between two servers

Ex: netsh advfirewall consec add rule name="PIHArule“

mode=transport type=static action=requireinrequireout

endpoint1=192.168.1.4 endpoint2=192.168.129.128

auth1=computerpsk auth1psk=“Mag1kR1de”

    • Built in to Server 2008 / Vista
network security
Network Security
  • Indicators:
    • Quality of Services
      • Latency (Ping/TCP Response)
      • NIC Loading (SNMP/Perfmon)
    • Attack Pre-Cursors
      • IP address MAC check (SNMP)
      • Unexpected Traffic (IPFlow)
      • Security Events (Syslog)
pi monitoring
PI Monitoring
  • Indicators:
    • Quality of Services
      • PI Server Counters (Perfmon)
      • Uniint Health Points (PI)
      • Consistency Verification (ACE)
    • Attack Pre-Cursors
      • PI Message Log (PI-OLEDB)
      • Security Events (EventLog)
      • Message Integrity (mPI)
more security enhancements
More Security Enhancements…
  • Hardened O/S Support
    • Windows 2008 Server Core
  • Configuration Audit Tools
  • ACE Modules for Monitoring
pi security infrastructure
PI Security Infrastructure
  • Trusted Partner
  • Trusted Network
  • Trusted Operating System
  • Trusted Application
  • Trusted Data

Physical

Network

Host

Application

SCADA

Data