PI Server Security Best Practice Guide Bryan Owen Cyber Security Manager OSIsoft



Similar documents
The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

FactoryTalk Historian Site Edition Architectures and Design Considerations

Operating System Security

Employee Active Directory Self-Service Quick Setup Guide

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Industrial Security for Process Automation

Managing and Maintaining Windows Server 2008 Servers

NERC CIP Version 5 and the PI System

Implementing Security Update Management

Innovative Defense Strategies for Securing SCADA & Control Systems

RSA SecurID Ready Implementation Guide

The Security Development Lifecycle

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual

SCADA Cyber Security

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Designing a security policy to protect your automation solution

SANS Top 20 Critical Controls for Effective Cyber Defense

Architecture and Best Practices: Recommendations for PI Systems

Microsoft Software Update Services and Managed Symantec Anti-virus. Michael Satut TSS/Crown IT Support

SolarWinds Log & Event Manager

Goals. Understanding security testing

How to Scale out SharePoint Server 2007 from a single server farm to a 3 server farm with Microsoft Network Load Balancing on the Web servers.

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Best Practices for DanPac Express Cyber Security

How To Secure Your System From Cyber Attacks

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Software Development: The Next Security Frontier

Symphony Plus Cyber security for the power and water industries

CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

Securing the Service Desk in the Cloud

Locking down a Hitachi ID Suite server

PI Cloud Connect. Customer Onboarding Checklist

Revision History Revision Date Changes Initial version published to

UPGRADE AND MIGRATION GUIDE

Developing Network Security Strategies

Industrial Security Solutions

vrealize Air Compliance OVA Installation and Deployment Guide

Step-by-Step Guide to Setup Instant Messaging (IM) Workspace Datasheet

13 Ways Through A Firewall

Network Security. Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ. July Network Security 08

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

PI Cloud Services --- PI Cloud Connect. Customer Onboarding Checklist

The Risks that Pen Tests don t Find. OWASP 13 April The OWASP Foundation

XIA Configuration Server

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

Medical Device Security Health Group Digital Output

IT HEALTHCHECK TOP TIPS WHITEPAPER

System Security Plan University of Texas Health Science Center School of Public Health

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT

Basics of Internet Security

APIS CARM NG Quick Start Guide for MS Windows

A Guide to New Features in Propalms OneGate 4.0

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

QUICK START GUIDE FOR CORE AND SELECT SECURITY CENTER 10 ENDPOINT SECURITY 10

New Era in Cyber Security. Technology Development

Protecting productivity with Plant Security Services

Testing Control Systems

Security Best Practice

SCADA SYSTEMS AND SECURITY WHITEPAPER

Pearl Echo Installation Checklist

Network Architecture & Active Directory Considerations for the PI System. Bryan Owen - OSIsoft Joel Langill - SCADAhacker

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

13 Ways Through A Firewall What you don t know will hurt you

ABB s approach concerning IS Security for Automation Systems

Application Note Gemalto.NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services on Windows 2008

HIGHLY SECURE HMI/SCADA AND AUTOMATION SYSTEMS

Total Defense Endpoint Premium r12


Cedric Rajendran VMware, Inc. Security Hardening vsphere 5.5

Remote Services. Managing Open Systems with Remote Services

OVERVIEW. DIGIPASS Authentication for Office 365

MCN Health Monitor. The finger on the pulse of your critical systems. David Tayler Service Engineer, OSISoft

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Table of Contents. Introduction. Audience. At Course Completion

Getting Started Guide: Getting the most out of your Windows Intune cloud

Cisco Security Agent (CSA) Network Admission Control (NAC)

Quick Start Guide for VMware and Windows 7

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

Lumension Endpoint Management and Security Suite Patch and Remediation 7.0 Service Pack 1 Migration Guide

It should be noted that the installer will delete any existing partitions on your disk in order to install the software required to use BLËSK.

Avaya TM G700 Media Gateway Security. White Paper

Decrease your HMI/SCADA risk

Avaya G700 Media Gateway Security - Issue 1.0

FUTURE DATA Yes, it s finally coming to the PI System!

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

GRAVITYZONE HERE. Deployment Guide VLE Environment

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.

Hardware/Software Deployment Strategies. Introduction to Information System Components. Chapter 1 Part 4 of 4 CA M S Mehta, FCA

Configuration Guide. BES12 Cloud

Windows Phone 8 Device Management

Transcription:

PI Server Security Best Practice Guide Bryan Owen Cyber Security Manager OSIsoft

Agenda Security Development Lifecycle Initiative Using PI to Protect Critical Infrastructure Hardening Advice for the PI System Tools: Security Configuration Wizard Security Work In Progress 2

What is the Security Development Lifecycle? A Process for Developing Demonstrably More Secure Software Project Inception Security Kick Off Security Training Security Design Best Practices Attack Surface Threat Modeling Use Security Development Tools & Security Best Dev & Test Practices Create Security Docs and Tools For Product Prepare Security Response Plan Security Push Pen Testing Final Security Review Security Servicing & Response Execution Requirements Design Implementation Verification Release Support & Servicing Microsoft Press Best Practice Series: The Security Development Lifecycle by Michael Howard and Steve Lipner 3

The C.I.A. Security Model for PI l It s really about Quality! Availability l Core Platform Aspect...not an after thought. Confidentiality Integrity 4 Copyright 2007 OSIsoft, Inc. All rights reserved.

Using PI for Critical Infrastructure Protection PI Industrial Data Center DCS HMI PLC SCADA 5

PI Industrial Data Center Defense in Depth Reduce Surface Area Network DMZ Concept ALL Terminations in DMZ Boundary Security Allow PI Data from Control Network IT Monitoring and Notification Aligns with Industry Standards Enterprise Domain Critical Infrastructure 6

How to Protect PI...Same Principles! Adopt Mid Tier Secure Service Layer Authentication by Infrastructure Provider Minimize Connections to PI Server Distribute PI Roles for Optimum Security Interface and IT Monitoring per Zone Consider PI Server per Zone (Use HA Collective) User Services/Data Access Avoid IIS on PI Server 7

PI System Security Boundaries Smart Connector Smart Clients PI Archive Data Portal Access User Services Notification Services Data Source Subscribers 8

PI Server Security Best Practices White Paper Update System Lifecycle Policies Recent Security Changes in PI Trusted Connections Network Service Roles Security Hardened Configuration 9

Infrastructure Lifecycle Server Platform Minimum Security Baseline Windows 2003 SP1 with Firewall Enabled Hardware NX Support PR1 Server 3.4.375.x Applications & Interfaces: SDK 1.3.5 / API 1.6 Security for W2K / NT4? Move Direct Client Access to Mid Tier Services External Firewall 10

Patch Management Windows Update PI Software Update Service Anti Virus Signatures Potential Issue: Automatic Hot Patching High Availability Solution Recommended! 11

Quality of Service Monitoring Managed PI Subsystem PI Server Check Utility Windows Perfmon Templates PI Server Exchange, IIS, SQL, SNMP Agent Templates Network Devices Unix O/S Support 12

Recent Security Changes in PI DBSecurity Roles PI Trust Attributes Host name Application name PI Module Permission Inheritance Interfaces New Buffer Subsystem Disconnected Startup 13

Use Case: Interface Trust Trust PI User is Owner of Points and Data Change owner of root module for interface configuration Set Trust Entries with at Least 2 Credentials a) Masked IP Address b) FQDN for Network Path c) Application Name Specific syntax rules for PI API applications 14

PI Trusts for Windows Users To Trust or Not to Trust? Extra password challenge is desirable in some cases Special purpose domain, Network access control Use Windows Run As or PI SDK Connect As Domain User Trust Guidelines Map user trusts to least privilege PI accounts Consider User + Application Name + Subnet Reserve piadmin trust for console use 15

PI Network Service Roles PI Network Manager Advanced Computing Engine 2.x (Web Services) AF 1.x and AF 2.x Analysis and Notification OPC HDA/DA Server Process Template Monitor 16

Security Configuration Wizard Part of Windows 2003 SP1 and greater Register PI SCW Extension Set Roles and Optional Features Disable Unused Services Apply Best Practice Security Policy Templates Demo Verify Baseline MBSA Functional Testing 17

Security Configuration Wizard 18

Security Configuration Wizard 19

Security Configuration Wizard 20

Security Configuration Wizard 21

Security Configuration Wizard 22

Security Configuration Wizard 23

Security Configuration Wizard 24

Security Configuration Wizard 25

Security Configuration Wizard 26

Security Configuration Wizard 27

Security Configuration Wizard 28

Windows MBSA 29

Security Related Work In Progress SDL Baseline Engineering Practices Require Latest Compiler and Built In Defenses Security Scrub of Legacy Code and Documentation Threat Models and Countermeasures Least Required Privilege Product Highlights Windows Integrated Security User Service / Access Layer PI Software Update Service 30

Security Summary It s really all about Quality! Starts in Design and Secure Coding Practices Secure Infrastructure and Deployment Architecture Good Advice and Configuration Tools Quality of Service Monitoring and Support Call to Action Get: PI Security Best Practices Whitepaper Visit: Data Center Monitoring Demo Pod 31

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information