PI System Security
Taking it to the Next Level, and Beyond!
Bryan S Owen PE
OSIsoft, Inc
Cyber Security Manager
OCEANIA TECHNOLOGY SEMINAR 2008
© 2008 OSIsoft, Inc. | Company Confidential
Agenda
• Security Theme
• Architecture Examples
• Application Defenses
• Network Layer
• Host Features
Trust is Essential, Trust is Earned.
• Everyday Web of Trust
– Food & Beverage
– Finance
– Life Sciences
– Power & Utilities
– Telecommunication
– Transportation
– Water
Cyber Security, Why Care so much?
• Vulnerability due to “Bugs”
– Impossible to prove absent
• Stakeholder Duty
– Perils are shared by all
• “Line of Fire”
– Cascading faults
– Direct attack vector
Safety and Security
• Prevention is Best Approach
– Risk includes Human Factors
• Monitoring is Essential
– Technology can help
• Effectiveness
– Weakest Link Issue
Defense in Depth
Common Challenges:
– Legacy Products
– Loss of Perimeter
– Implementation Practices
– Operating Procedures
– Visibility
Physical
Network
Host
Application
SCADA
Data
Architecture – Interface Node
• Trust boundary
• History recovery
• Simple data capture path
Interface Node – PI Trust
• Trust PI User is “Owner” of Points and Data
– Change owner of root module for interface configuration
• Set Trust Entries with at Least 2 Credentials
a) Masked IP Address
b) FQDN for Network Path
c) Application Name
• Specific syntax rules for PI-API applications
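An added example (not from the original slides or from OSIsoft) of auditing trust entries against the "at least 2 credentials" rule above. The record field names, the sample entries and the /24 width limit are assumptions made for illustration, not a PI export format.

```python
import ipaddress

# Constructed trust records; field names are hypothetical.
SAMPLE_TRUSTS = [
    {"name": "opc_node1", "ip": "192.168.1.4", "mask": "255.255.255.255",
     "fqdn": "opcnode1.plant.example.com", "app": "opcint"},
    {"name": "legacy_any", "ip": "10.0.0.0", "mask": "255.0.0.0",
     "fqdn": "", "app": ""},
    {"name": "shortname", "ip": "", "mask": "",
     "fqdn": "opcnode2", "app": "opcint"},
]

MAX_HOSTS = 256  # assumed policy: a masked IP may match at most a /24


def audit_trust(trust, max_hosts=MAX_HOSTS):
    """Return the findings for one trust record (empty list = passes)."""
    findings = []
    # Credentials named on the slide: masked IP, FQDN, application name.
    creds = [k for k in ("ip", "fqdn", "app") if trust.get(k)]
    if len(creds) < 2:
        findings.append("fewer than 2 credentials: %s" % (creds or "none"))
    if trust.get("ip"):
        mask = trust.get("mask") or "255.255.255.255"
        net = ipaddress.ip_network("%s/%s" % (trust["ip"], mask), strict=False)
        if net.num_addresses > max_hosts:
            findings.append("mask matches %d addresses" % net.num_addresses)
    if trust.get("fqdn") and "." not in trust["fqdn"]:
        findings.append("host name is not fully qualified")
    return findings


def audit_all(trusts):
    """Map trust name -> findings, listing only trusts that fail a check."""
    report = {}
    for trust in trusts:
        findings = audit_trust(trust)
        if findings:
            report[trust["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TRUSTS).items():
        print(name, "->", "; ".join(findings))
```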
Architecture – Attack Surface
Smart
Clients
Portal
User
PI
Archive
Data
Access
PI Interface
Services
Notification
Services
Data Source
Subscribers
Surface Area Metric
• Anonymous Access Path Count
• Mitigations:
– Block the Default PI User
– No Null Passwords
– Disallow unknown FQDN
– Policy for Insecure Endpoints
• Multi-zone Architecture
• Data Access Servers
Architecture: High Availability
Architecture: Wifi / Mobile Asset
• PItoPI over VPN Tunnel to Extranet
• Ping metric to HQ + extra keepalive
• SNMP monitoring on EVDO router
Architecture: PI Data Directory
Authentication
• Default User
• PI Login
• PI Trusts
– Changes in PI 3.4.375
• Windows SSPI
– Changes coming in PI 3.4.380
– Kerberos & NTLM
Authentication
Windows Authentication
Active Directory
PI Server
Identity Mapping
PI Identities
PI Secure Objects
Authorization
Security Principals
Access Control Lists
PI Identities
• What are PI Identities?
– Individual user or group, or a combination of users and groups
– All PIUsers and PIGroups become PIIdentities
• Piadmin group renamed to “piadministrators”
• Purpose
– Link Windows principals with PI Server object
• Pre-defined defaults:
– PIWorld, PIEngineers, PIOperators, PISupervisors
SMT: PIIdentity Creation
SMT: PIIdentity Mapping
PI Secure Objects
• Main objects: Points and Modules
• Ownership Assignments
– Objects are “co-owned” by PI identities (not just 1 PIUser and 1 PIGroup)
• Access Control Lists
– “Security” setting replaces owner, group, and access
– Multiple Identities
• Each has its own set of access rights
– ACLs with 3 identities are back compatible with
PI Security Configuration
• Server <= 3.4.375
– Attributes
• Owner, Creator, Changer are PIUsers
• Group is PIGroup
• Access as String
• Server >= 3.4.380
– Attributes
• New Security attribute as ACL
• Creator and Changer are PIIdentities or Principals (Windows users)
• Incompatible case:
– Owner = PIUserIncompatible
– Group = PIGroupIncompatible
– Access = “o: g: w: ”
ACL Syntax
“ID1: A(r,w) | ID2: A(r,w) | ID3: A(r) | …”
IDn = PIIdentity
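An added example (not from the original slides or from OSIsoft) that parses the ACL syntax shown above and reports objects where the pre-defined PIWorld identity holds write access. The point names and ACL strings are constructed, and two behaviours are assumptions: that an empty right list "A()" means no access, and that identity names compare case-insensitively.

```python
import re

# One entry in the slide's syntax, e.g. "ID1: A(r,w)".
# An empty list "A()" is accepted and treated as no access (assumption).
ENTRY_RE = re.compile(
    r"^\s*([^:|]+?)\s*:\s*A\(\s*([rw](?:\s*,\s*[rw])*)?\s*\)\s*$")


def parse_acl(acl):
    """Parse 'ID1: A(r,w) | ID2: A(r)' into {identity: set of rights}."""
    result = {}
    for part in acl.split("|"):
        m = ENTRY_RE.match(part)
        if not m:
            raise ValueError("malformed ACL entry: %r" % part.strip())
        ident, rights = m.group(1), m.group(2) or ""
        # Case-insensitive duplicate check (assumed comparison rule).
        if ident.lower() in (k.lower() for k in result):
            raise ValueError("identity listed twice: %r" % ident)
        result[ident] = {r.strip() for r in rights.split(",") if r.strip()}
    return result


def broad_write(acl, broad=("PIWorld",)):
    """Identities from `broad` that hold write access in this ACL."""
    wanted = {b.lower() for b in broad}
    return sorted(ident for ident, rights in parse_acl(acl).items()
                  if ident.lower() in wanted and "w" in rights)


# Constructed sample objects; names and ACLs are made up for this example.
SAMPLE_POINTS = {
    "sinusoid": "piadministrators: A(r,w) | PIEngineers: A(r,w) | PIWorld: A(r)",
    "flow_01": "piadministrators: A(r,w) | PIWorld: A(r,w)",
    "level_02": "PIOperators: A(r) | PIWorld: A()",
}


def audit_points(points):
    """Map object name -> broad identities with write access (failures only)."""
    report = {}
    for name, acl in points.items():
        hits = broad_write(acl)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    print(audit_points(SAMPLE_POINTS))
```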
Scenarios
• A. SDK 1.3.6, Server <= 3.4.375
– No changes to authentication, security configuration, or access check behavior
• B. SDK <= 1.3.5, Server 3.4.380
– More control over authentication methods
– Trusts map to PI Identities
– New attribute specifying ACL
• Points: PtSecurity, DataSecurity
• Modules/DBsecurity: Security
– Old attributes (Owner/Group/Access) supported unless ACLs become incompatible
• C. SDK 1.3.6, Server 3.4.380
– All of the above, plus:
• Default authentication: Windows SSPI
Layered Permissions
• Client Layer
– Sharepoint/RtWebPart Security
– Document Library
• Abstraction/Context Security
– Data Dictionary (AF Windows ACL)
– Module Database (PI ACL)
• Database Security Table
– Role Access Permission
• PI Secure Objects
– Data Access
– Point Access
Network Layer Security
• Chronic Loss of Perimeter
– Driven by Mobility (Wireless/Laptops)
• Access Controls
• 802.1x (NAC/NAP)
• Health Check Policy
• Distributed Firewalls
– Bump in Wire
– Host Intrusion Detection & Prevention
Server Domain Isolation
Rule
• Enable IPSEC between two servers
Ex: netsh advfirewall consec add rule name="PIHArule" mode=transport type=static action=requireinrequireout endpoint1=192.168.1.4 endpoint2=192.168.129.128 auth1=computerpsk auth1psk="Mag1kR1de"
Network Security
• Indicators:
– Quality of Services
• Latency (Ping/TCP Response)
• NIC Loading (SNMP/Perfmon)
– Attack Pre-Cursors
• IP address MAC check (SNMP)
• Unexpected Traffic (IPFlow)
• Security Events (Syslog)
PI Monitoring
• Indicators:
– Quality of Services
• PI Server Counters (Perfmon)
• Uniint Health Points (PI)
• Consistency Verification (ACE)
– Attack Pre-Cursors
• PI Message Log (PI-OLEDB)
• Security Events (EventLog)
• Message Integrity (mPI)
More Security Enhancements…
• Hardened O/S Support
– Windows 2008 Server Core
• Configuration Audit Tools
• ACE Modules for Monitoring
Collaboration is the key to Security
Associations
Research
Government
Commercial
PI Security Infrastructure
• Trusted Partner
• Trusted Network
• Trusted Operating System
• Trusted Application
• Trusted Data
Physical
Network
Host
Application
SCADA
Data