Slide 1: PI System Security: Taking it to the Next Level, and Beyond!
Bryan S. Owen, PE, Cyber Security Manager, OSIsoft, Inc.
OCEANIA TECHNOLOGY SEMINAR 2008
© 2008 OSIsoft, Inc. | Company Confidential

Slide 2: Agenda
• Security Theme
• Architecture Examples
• Application Defenses
• Network Layer
• Host Features

Slide 3: Trust is Essential, Trust is Earned.
• Everyday Web of Trust
– Food & Beverage
– Finance
– Life Sciences
– Power & Utilities
– Telecommunication
– Transportation
– Water

Slide 4: Cyber Security, Why Care so Much?
• Vulnerability due to "bugs"
– Impossible to prove absent
• Stakeholder duty
– Perils are shared by all
• "Line of fire"
– Cascading faults
– Direct attack vector

Slide 5: Safety and Security
• Prevention is the best approach
– Risk includes human factors
• Monitoring is essential
– Technology can help
• Effectiveness
– Weakest-link issue

Slide 6: Defense in Depth
Common challenges:
– Legacy products
– Loss of perimeter
– Implementation practices
– Operating procedures
– Visibility
(Figure: defense-in-depth layers: Physical, Network, Host, Application, SCADA, Data)

Slide 7: Architecture – Interface Node
• Trust boundary
• History recovery
• Simple data capture path
Slide 8: Interface Node – PI Trust
• The trusted PI user is the "owner" of the interface's points and data
– Change the owner of the root module used for interface configuration
• Set trust entries with at least 2 credentials:
a) Masked IP address
b) FQDN for the network path
c) Application name
• Specific syntax rules apply for PI-API applications

Slide 9: Architecture – Attack Surface
(Diagram of components: Smart Clients, Portal User, PI Archive, Data Access, PI Interface Services, Notification Services, Data Source, Subscribers)

Slide 10: Surface Area Metric
• Anonymous access path count
• Mitigations:
– Block the default PI user
– No null passwords
– Disallow unknown FQDN
– Policy for insecure endpoints
• Multi-zone architecture
• Data Access servers

Slide 11: Architecture: High Availability
(Diagram only)

Slide 12: Architecture: WiFi / Mobile Asset
• PItoPI over a VPN tunnel to the extranet
• Ping metric to HQ plus an extra keepalive
• SNMP monitoring on the EVDO router

Slide 13: Architecture: PI Data Directory
(Diagram only)

Slide 14: Authentication
• Default user
• PI login
• PI Trusts
– Changes in PI 3.4.375
• Windows SSPI
– Changes coming in PI 3.4.380
– Kerberos & NTLM

Slide 15: Authentication
(Diagram: Windows Authentication / Active Directory → PI Server identity mapping → PI Identities → PI Secure Objects; authorization: security principals, access control lists)

Slide 16: PI Identities
• What are PI Identities?
– An individual user or group, or a combination of users and groups
– All PIUsers and PIGroups become PIIdentities
• The piadmin group is renamed "piadministrators"
• Purpose
– Link Windows principals with PI Server objects
• Pre-defined defaults:
– PIWorld, PIEngineers, PIOperators, PISupervisors

Slide 17: SMT: PIIdentity Creation
(Screenshot only)

Slide 18: SMT: PIIdentity Mapping
(Screenshot only)

Slide 19: PI Secure Objects
• Main objects: Points and Modules
• Ownership assignments
– Objects are "co-owned" by PI Identities (not just 1 PIUser and 1 PIGroup)
• Access control lists
– The "Security" setting replaces owner, group, and access
– Multiple identities, each with its own set of access rights
– ACLs with 3 identities are back compatible with

Slide 20: PI Security Configuration
Server <= 3.4.375:
• Attributes: Owner, Creator, Changer are PIUsers; Group is a PIGroup; Access is a string attribute
Server >= 3.4.380:
• New Security attribute holding an ACL
• Creator and Changer are PIIdentities or principals (Windows users)
• ACL syntax: "ID1: A(r,w) | ID2: A(r,w) | ID3: A(r) | …" where IDn is a PIIdentity
• Incompatible case (legacy view): Owner = PIUserIncompatible, Group = PIGroupIncompatible, Access = "o: g: w: "

Slide 21: Scenarios
• A. SDK 1.3.6, Server <= 3.4.375
– No changes to authentication, security configuration, or access check behavior
• B. SDK <= 1.3.5, Server 3.4.380
– More control over authentication methods
– Trusts map to PI Identities
– New attribute specifying the ACL: PtSecurity and DataSecurity for points; Security for modules and DBSecurity
– Old attributes (Owner/Group/Access) supported unless ACLs become incompatible
• C. SDK 1.3.6, Server 3.4.380
– All of the above, plus:
– Default authentication: Windows SSPI

Slide 22: Layered Permissions
• Client layer
– SharePoint/RtWebPart security
– Document library
• Abstraction/context security
– Data Dictionary (AF Windows ACL)
– Module Database (PI ACL)
• Database Security table
– Role access permission
• PI Secure Objects
– Data access
– Point access

Slide 23: Network Layer Security
• Chronic loss of perimeter
– Driven by mobility (wireless/laptops)
• Access controls
– 802.1X (NAC/NAP)
– Health check policy
• Distributed firewalls
– Bump in the wire
– Host intrusion detection & prevention

Slide 24: Server Domain Isolation
(Diagram only)

Slide 25: Rule
• Enable IPsec between two servers. Example:
netsh advfirewall consec add rule name="PIHArule" mode=transport type=static action=requireinrequireout endpoint1=192.168.1.4 endpoint2=192.168.129.128 auth1=computerpsk auth1psk="Mag1kR1de"
• The same rule must exist on both endpoints. auth1=computerpsk places the pre-shared key in the firewall policy of every host that uses the rule (and in scripts like this one); on domain-joined servers auth1=computerkerb or auth1=computercert authenticates the computers without a shared secret.

Slide 26: Network Security
• Indicators:
– Quality of service
  • Latency (ping/TCP response)
  • NIC loading (SNMP/Perfmon)
– Attack precursors
  • IP address / MAC check (SNMP)
  • Unexpected traffic (IP flow)
  • Security events (syslog)

Slide 27: PI Monitoring
• Indicators:
– Quality of service
  • PI Server counters (Perfmon)
  • UniInt health points (PI)
  • Consistency verification (ACE)
– Attack precursors
  • PI message log (PI-OLEDB)
  • Security events (EventLog)
  • Message integrity (mPI)
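Slides 26 and 27 list indicators without showing how they are evaluated. The following is an added example, not code from the deck or from OSIsoft, that implements two of the attack precursors over constructed data: an IP/MAC drift check of a polled ARP table against the baseline recorded at commissioning (in practice the polled table would be read from the RFC 1213 ipNetToMediaTable over SNMP, which is assumed rather than shown), and an unexpected-traffic check of flow records against the allowed PI data paths. The server pair 192.168.1.4 / 192.168.129.128 is taken from slide 25; every other host, MAC address, network and the use of TCP 5450 as the PI Network Manager port are constructed or assumed for the example.

```python
"""Attack-precursor checks for a PI server segment (added example, not OSIsoft code).

Implements two indicators from the slides over constructed sample data:
  * IP address / MAC check: polled ARP table versus the commissioning baseline
    (polled data would come from ipNetToMediaTable via SNMP - assumed here)
  * unexpected traffic: flow records versus the allowed PI data paths
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PI_NET_MANAGER_PORT = 5450  # TCP port the PI Server listens on (assumed)

# Constructed baseline for the 192.168.1.0/24 segment: IP -> MAC.
BASELINE_ARP = {
    "192.168.1.4": "00:1b:21:aa:01:04",   # primary PI server (address from slide 25)
    "192.168.1.20": "00:0c:29:10:20:20",  # interface node 1 (constructed)
    "192.168.1.21": "00:0c:29:10:21:21",  # interface node 2 (constructed)
}

# Constructed poll result: .20 answers with a different MAC, .99 is unknown and
# shares that MAC (a classic ARP poisoning signature), .21 does not answer.
POLLED_ARP = {
    "192.168.1.4": "00:1b:21:aa:01:04",
    "192.168.1.20": "00:50:56:ff:ee:dd",
    "192.168.1.99": "00:50:56:FF:EE:DD",
}


def arp_drift(baseline, polled):
    """Return (kind, subject, detail) alerts for changed MACs, unknown hosts,
    one MAC answering for several IPs, and baseline hosts that went missing."""
    alerts = []
    by_mac = {}
    for ip, mac in polled.items():
        mac = mac.lower()
        by_mac.setdefault(mac, []).append(ip)
        known = baseline.get(ip)
        if known is None:
            alerts.append(("new-host", ip, mac))
        elif known.lower() != mac:
            alerts.append(("mac-changed", ip, f"{known.lower()} -> {mac}"))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("duplicate-mac", mac, ",".join(sorted(ips))))
    for ip, mac in baseline.items():
        if ip not in polled:
            alerts.append(("missing-host", ip, mac.lower()))
    return alerts


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Allowed data paths: (source network, destination server, destination port).
ALLOWED_PATHS = [
    ("192.168.1.0/24", "192.168.1.4", PI_NET_MANAGER_PORT),      # interface nodes -> primary
    ("192.168.1.4/32", "192.168.129.128", PI_NET_MANAGER_PORT),  # primary -> secondary (HA)
    ("10.10.0.0/16", "192.168.1.4", PI_NET_MANAGER_PORT),        # client zone -> primary
]


def unexpected_flows(flows, allowed=ALLOWED_PATHS):
    """Flows that match no allowed (network, server, port) triple."""
    def permitted(f):
        return any(
            ip_address(f.src) in ip_network(net)
            and ip_address(f.dst) == ip_address(dst)
            and f.dport == port
            for net, dst, port in allowed
        )
    return [f for f in flows if not permitted(f)]


# Constructed flow sample: two legitimate PI connections, an SMB probe from the
# unknown host and an RDP attempt from the client zone.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "192.168.1.4", 5450),
    Flow("10.10.5.7", "192.168.1.4", 5450),
    Flow("192.168.1.99", "192.168.1.4", 445),
    Flow("10.10.5.7", "192.168.1.4", 3389),
]

if __name__ == "__main__":
    for alert in arp_drift(BASELINE_ARP, POLLED_ARP):
        print("ARP", *alert)
    for f in unexpected_flows(SAMPLE_FLOWS):
        print("FLOW", f.src, "->", f.dst, f.dport)
```

Run as a script it prints four ARP alerts (the changed MAC on .20, the unknown .99, the MAC shared by both, and the silent .21) and the two flows that hit the PI server on ports other than 5450. A "mac-changed" alert on a PI server or interface node address deserves the same urgency as a failed login: it is exactly what an ARP-poisoning proxy between an interface node and the archive looks like from the switch.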
Slide 28: More Security Enhancements…
• Hardened O/S support
– Windows Server 2008 Server Core
• Configuration audit tools
• ACE modules for monitoring

Slide 29: Collaboration is the Key to Security
(Diagram: Associations, Research, Government, Commercial)

Slide 30: PI Security Infrastructure
• Trusted Partner
• Trusted Network
• Trusted Operating System
• Trusted Application
• Trusted Data
(Figure: layers Physical, Network, Host, Application, SCADA, Data)
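Slides 8, 15, 19 and 20 describe one chain: a connection is authenticated by a PI Trust or by Windows SSPI, the result is mapped to PI Identities, and the object's ACL is evaluated against those identities. The following is an added worked example, not code from the deck or from OSIsoft, that models that chain end to end. The ACL syntax and the PIUserIncompatible/PIGroupIncompatible legacy view are taken from slide 20 and the two-credential rule from slide 8; everything else is this example's assumption: that a trust matches only when every populated credential matches, the identity mapping table, that every authenticated caller holds PIWorld, that a three-entry ACL is shown to an older client in order as owner, group and world, and all host names, addresses and application names.

```python
"""Trust -> PI Identity -> ACL walk-through (added example, not OSIsoft code).

Models slides 8, 15, 19 and 20: a trust or a Windows login yields PI
Identities, and a secure object's ACL "ID1: A(r,w) | ID2: A(r) | ..." is
evaluated against them. Matching and ordering rules are assumptions.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Trust:
    identity: str      # PI Identity granted when the trust matches
    network: str = ""  # masked IP, e.g. "192.168.1.0/255.255.255.0"
    fqdn: str = ""     # host name on the network path
    app: str = ""      # PI-API/SDK application name

    def credential_count(self):
        return sum(1 for cred in (self.network, self.fqdn, self.app) if cred)

    def matches(self, ip, fqdn, app):
        """Every populated credential must match the connection (assumed rule)."""
        if self.network and ip_address(ip) not in ip_network(self.network, strict=False):
            return False
        if self.fqdn and self.fqdn.lower() != fqdn.lower():
            return False
        if self.app and self.app.lower() != app.lower():
            return False
        return True


def weak_trusts(trusts, min_credentials=2):
    """Entries that violate the at-least-two-credentials rule from slide 8."""
    return [t for t in trusts if t.credential_count() < min_credentials]


def trust_identities(trusts, ip, fqdn, app):
    """Identities granted by matching trusts; weak entries are never honoured."""
    weak = set(weak_trusts(trusts))
    return {t.identity for t in trusts if t not in weak and t.matches(ip, fqdn, app)}


# Constructed identity mappings (SMT "PIIdentity Mapping"): Windows group -> PI Identity.
WINDOWS_MAPPINGS = {
    r"CORP\PI Engineers": "PIEngineers",
    r"CORP\Operators": "PIOperators",
    r"CORP\PI Admins": "piadministrators",
}


def windows_identities(groups, mappings=WINDOWS_MAPPINGS):
    """Identities of an SSPI-authenticated caller; PIWorld for everyone (assumed)."""
    return {"PIWorld"} | {mappings[g] for g in groups if g in mappings}


ACL_ENTRY = re.compile(r"^\s*(?P<id>[^:|]+?)\s*:\s*A\((?P<rights>(?:[rw](?:,[rw])*)?)\)\s*$")


def parse_acl(acl):
    """Parse 'ID1: A(r,w) | ID2: A(r)' into {identity: set(rights)}, order preserved."""
    entries = {}
    for part in acl.split("|"):
        m = ACL_ENTRY.match(part)
        if not m:
            raise ValueError(f"bad ACL entry: {part.strip()!r}")
        entries[m.group("id")] = set(filter(None, m.group("rights").split(",")))
    return entries


def effective_rights(acl, identities):
    """Union of the rights of every entry whose identity the caller holds."""
    rights = set()
    for identity, r in parse_acl(acl).items():
        if identity in identities:
            rights |= r
    return rights


def legacy_view(acl):
    """Owner/Group/Access as a pre-3.4.380 client sees it: exactly three entries
    are shown in order as owner, group, world (order assumed); otherwise the
    incompatible values from slide 20 are returned."""
    entries = parse_acl(acl)
    if len(entries) != 3:
        return {"Owner": "PIUserIncompatible", "Group": "PIGroupIncompatible", "Access": "o: g: w: "}
    owner, group, world = entries
    access = " ".join(f"{tag}:{''.join(sorted(entries[i]))}" for tag, i in zip("ogw", (owner, group, world)))
    return {"Owner": owner, "Group": group, "Access": access}


# Constructed configuration: one proper interface trust, one IP-only catch-all.
TRUSTS = [
    Trust("PIInterfaces", network="192.168.1.0/255.255.255.0",
          fqdn="opcnode1.plant.example", app="OPCInt.exe"),
    Trust("piadministrators", network="0.0.0.0/0.0.0.0"),  # one credential: weak
]
POINT_SECURITY = "piadministrators: A(r,w) | PIInterfaces: A(r,w) | PIWorld: A(r)"


def can_write(identities, acl=POINT_SECURITY):
    return "w" in effective_rights(acl, identities)


if __name__ == "__main__":
    ids = trust_identities(TRUSTS, "192.168.1.20", "opcnode1.plant.example", "OPCInt.exe")
    print("interface node ->", ids, "write:", can_write(ids))
    ids = windows_identities([r"CORP\Operators"])
    print("operator ->", ids, "write:", can_write(ids))
    print("legacy view:", legacy_view(POINT_SECURITY))
    print("weak trusts:", [t.identity for t in weak_trusts(TRUSTS)])
```

The catch-all trust is the case slide 10 counts as an anonymous access path: any host anywhere would become piadministrators, so the example refuses to honour it and reports it instead. The interface node gets write access only when its address, host name and executable all line up, an operator authenticated through Windows reaches the point with PIWorld read only, and a fourth ACL entry flips the legacy view to the incompatible owner/group/access values, which is what an SDK 1.3.5 client would see.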