Transcript Slide 1

PI System Security
Bryan S. Owen PE
© 2008 OSIsoft, Inc. | Company Confidential
Web of Trust
• Classic Examples
 – Bulk Electric System
 – Pipelines
 – Transportation
 – Supply Chains
 – Finance
• Cyber Examples
 – Internet Service Providers
 – Name and Time Services
 – Certificate Authorities
 – eBay Ratings
OSIsoft Cyber Security Web of Trust
[Diagram: partner categories – Associations, Research, Government, Commercial]
Safety and Security
Prevention is Best Approach
– Risk includes Human Factors
Technology Can Help
– Auditing, Monitoring and Protection
Actively Caring is the Key
– Affects all stakeholders
Mutual Distrust Posture – FERC 706
The term “mutual distrust” is used to denote how “outside world” systems are treated by those inside the control system.
A mutual distrust posture requires each responsible entity … to protect itself and not trust any communication crossing an electronic security perimeter, regardless of where that communication originates.
Secure Coding Issues
There are only two types of security issues:
 – Input trust issues
 – Everything else!
Source: Security Development Lifecycle – Microsoft Press, Michael Howard
What Now?
Not allowed to Trust “Outside” Systems…
Shouldn’t Trust any Input…
 – Secure Boundaries
 – Build-in Security
PI System Security Boundaries
[Diagram components: Smart Clients, Portal User, PI Archive, Data Access, Smart Connector Services, Notification Services, Data Source, Subscribers]
Defense-in-Depth Challenges
 – Legacy Technology
 – Loss of Perimeter
 – Implementation Practices
 – Manual Procedures
 – Lack of Visibility
 – Infrastructure Lifecycles
[Diagram layers: Physical, Network, Host, Application, Data]
PI Security Boundary Features
Isolated Application Stack
 – Protect Critical Systems
Data Only “Conduit”
Health Monitoring & Visibility
Quick Disconnect
 – Recovery with No Data Loss
[Diagram layers: Physical, Network, Host, Application, Data; Control Systems on the far side of the boundary]
Architecture – Interface Node
•Simple
•Resilient
•Highly Instrumented
Architecture: High Availability
Integrating Windows Security into PI
• RtWebParts
 – Microsoft Office SharePoint Services
• PI AF
 – .NET Framework and MS SQL Server
• PI Server
 – Windows 2008 Logo Certification (including Server Core)
 – Modern Hardware Support (Memory Protection, TPM, x64)
 – Integrated Authentication and Authorization
Authentication and Authorization
Customer SIG Requests and Objectives:
1. Leverage Windows for account administration
2. Single sign-on (no PI Server login required)
3. Secure authentication methods
4. Extended access control
…more than Owner, Group, World
…e.g. Groups of Groups
Architectural Overview
• Our Current Security Model
 – Choice of access rights: read, write
 – A single owner (per object)
 – A single group association
 – And then everyone else . . . “world”
• The New Model
 – Support for Active Directory and Windows Local Users/Groups
 – Mapping of authenticated Windows principals to “PI Identities”
 – Access Control Lists for points, etc.
WIS (Windows Integrated Security) in a Nutshell
[Diagram: Windows Authentication (Active Directory, Security Principals) → PI Server Identity Mapping → PI Identities → Authorization (Access Control Lists) → PI Secure Objects]
User Authentication
• Until Now
 – Explicit Login: validation against internal user database
 – Trust Login: validation of user’s Security Identifier (SID)
• PI Server “380” Release
 – Strong Authentication using SSPI – “Negotiate” (Microsoft Security Support Provider Interface)
 – Principals from Active Directory
 – Principals from Local Server
 – Backward Compatible Authentication (Configurable)
Demo: Protocol Selection
PI Identities
• Custom Labels for PI Security Authorization
 – Replace and Extend “Owner”, “Group” and “World”
• New Default PI Identities:
 – PIWorld, PIEngineers, PIOperators, PISupervisors
 – Legacy PI users and groups also become identities
• Change as needed for Role and Category
 – Add / Rename / Disable using PI-SMT
PI Identity Mapping
• Links a Windows group (or user) to a PI Identity
 – Example: Server\AuthenticatedUsers to PIWorld
• Multiple mappings allowed per PI Identity
 – Suggestion: Manage complex mapping through nested membership in Windows Groups
• Legacy PI Trusts map to a single Identity only
Demo: Configuring a PI Identity
PI Secure Objects: Authorization
• Main objects: Points and Modules
 – New “Security” attribute supersedes legacy settings
  • PtSecurity instead of PtAccess, PtGroup, PtOwner
• Access Control Lists
 – New syntax for the “Security” ACL string:
  “ID1: A(r,w) | ID2: A(r,w) | ID3: A(r,w) | …”
• Compatibility Mode
 – Configure exactly 3 identities: one PI user, one PI group, and PIWorld (any order)
 – Existing behavior preserved in the legacy “o: g: r:” attributes
Demo: Comparing ACLs – Old v. New
1. Using Tag Configurator, show existing security attributes (dataowner, datagroup, dataaccess) alongside the new attribute (datasecurity).
2. In datasecurity, change piworld: A(r,w) to piworld: A(). Export and import. Point out that the change is reflected in dataaccess.
3. In datasecurity, delete “| piworld: A()”. Export and import. Point out the “incompatible” state of dataaccess, datagroup, and dataowner.
4. Explain why the data* attributes are in the “incompatible” state and why it matters.
5. Optional: Restore “| piworld: A(r,w)” to datasecurity, export, and import. Point out that the data* attributes are once again compatible.
Making the Transition
• Existing security still supported
 – On upgrade: no loss of configuration, no migration
 – Downgrade only by restoring from backup
• Existing SDK applications
 – Preserve existing behavior
  • Can still connect via explicit logins or trusts
 – Single sign-on after SDK and server upgrade
  • No configuration or code changes to client applications!
Summary
• Windows Integrated Security is the next milestone for the PI Server
 – Flexible Configuration
 – Less Maintenance
 – Investment Preserved
• Security Development Lifecycle is Ongoing
 – Features that are Secure
 – Security Enhancing Features
 – Good Practice Advice and Security Tools
 – Actively Caring about Security
Security is about Trust
 – Trusted Partner
 – Trusted Network
 – Trusted Operating System
 – Trusted Application
 – Trusted Data
[Diagram layers: Physical, Network, Host, Application, Control System, Data]