© 2008 OSIsoft, Inc. | Company Confidential

PI System Security

Bryan S. Owen PE

Web of Trust

Classic Examples
– Bulk Electric System
– Pipelines
– Transportation
– Supply Chains
– Finance

Cyber Examples
– Internet Service Providers
– Name and Time Services
– Certificate Authorities
– eBay Ratings

OSIsoft Cyber Security Web of Trust

[Diagram: OSIsoft’s cyber security web of trust, drawn as four groups of partners: Associations, Research, Commercial, Government]

Safety and Security

Prevention is the Best Approach
– Risk includes human factors

Technology Can Help
– Auditing, monitoring and protection

Actively Caring is the Key
– Affects all stakeholders

Mutual Distrust Posture – FERC Order 706

The term “mutual distrust” is used to denote how “outside world” systems are treated by those inside the control system.

A mutual distrust posture requires each responsible entity … to protect itself and not trust any communication crossing an electronic security perimeter, regardless of where that communication originates.

Secure Coding Issues

There are only two types of security issues:

1. Input trust issues
2. Everything else!

Source: The Security Development Lifecycle, Microsoft Press, Michael Howard and Steve Lipner

What Now?

Not allowed to trust “outside” systems … shouldn’t trust any input …

– Secure the boundaries
– Build in security

PI System Security Boundaries

[Diagram of the PI system with a security boundary at each hop. Components: Data Source, Smart Connector, PI Archive, Data Access Services, User Portal, Notification Services, Smart Clients, Subscribers]

Defense-in-Depth Challenges

– Legacy Technology
– Loss of Perimeter
– Implementation Practices
– Manual Procedures
– Lack of Visibility
– Infrastructure Lifecycles

[Layers: Physical, Network, Host, Application, Data]

PI Security Boundary Features

Isolated Application Stack
– Protects critical systems

Data-Only “Conduit”
– Health monitoring and visibility
– Quick disconnect, with recovery and no data loss

[Layers: Physical, Network, Host, Application, Data; the Control Systems sit behind the boundary]

Architecture – Interface Node

• Simple
• Resilient
• Highly Instrumented

Architecture: High Availability

Integrating Windows Security into PI

RtWebParts
– Microsoft Office SharePoint Services

PI AF
– .NET Framework and MS SQL Server

PI Server
– Windows Server 2008 Logo Certification (including Server Core)
– Modern hardware support (memory protection, TPM, x64)
– Integrated authentication and authorization

Authentication and Authorization

Customer SIG requests and objectives:

1. Leverage Windows for account administration
2. Single sign-on (no PI Server login required)
3. Secure authentication methods
4. Extended access control
   … more than Owner, Group, World
   … e.g. groups of groups

Architectural Overview

Our Current Security Model
– Choice of access rights: read, write
– A single owner (per object)
– A single group association
– And then everyone else … “world”

The New Model
– Support for Active Directory and Windows local users/groups
– Mapping of authenticated Windows principals to “PI Identities”
– Access Control Lists for points, etc.

WIS in a Nutshell

[Diagram, Windows side to PI Server side: Security Principals (Active Directory or local) → Authentication → Identity Mapping → PI Identities → Access Control Lists → Authorization → PI Secure Objects]

User Authentication

Until Now
– Explicit Login: validation against the internal PI user database
– Trust Login: validation of the user’s Security Identifier (SID)

PI Server “380” Release
– Strong authentication using SSPI “Negotiate” (Microsoft Security Support Provider Interface)
– Principals from Active Directory
– Principals from the local server
– Backward-compatible authentication (configurable)

Demo: Protocol Selection

PI Identities

Custom labels for PI security authorization
– Replace and extend “Owner”, “Group” and “World”

New default PI Identities:
– PIWorld, PIEngineers, PIOperators, PISupervisors
– Legacy PI users and groups also become identities

Change as needed for role and category
– Add / rename / disable using PI-SMT

PI Identity Mapping

Links a Windows group (or user) to a PI Identity
– Example: Server\AuthenticatedUsers to PIWorld

Multiple mappings allowed per PI Identity
– Suggestion: manage complex mapping through nested membership in Windows groups

Legacy PI Trusts map to a single Identity only
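The mapping step above, worked through as an added example (this is not OSIsoft code and does not use the PI SDK). It shows how nested Windows group membership lets a handful of mappings cover many users, and how several mappings can target one PI Identity. The directory contents, the mapping table, the use of NT AUTHORITY\Authenticated Users in place of the slide’s Server\AuthenticatedUsers, and the rule that a disabled identity grants nothing are all assumptions made for the example; a real PI Server takes group membership from the authenticated Windows token and reads its mappings from its own configuration.

```python
"""Windows principal -> PI Identity resolution through identity mappings.

Added example (not OSIsoft's code).  The directory contents, the mappings
and the disabled-identity rule below are constructed for illustration.
"""
from collections import deque

# Constructed directory: group -> direct members (users or other groups).
# Nested membership is the slide's suggestion for keeping the PI-side
# mapping table small: map the top-level groups, nest everything else.
DIRECTORY = {
    r"PLANT\PI-Operators":   {r"PLANT\alice", r"PLANT\Shift-A"},
    r"PLANT\Shift-A":        {r"PLANT\bob"},
    r"PLANT\PI-Engineers":   {r"PLANT\carol", r"PLANT\Controls-Team"},
    r"PLANT\Controls-Team":  {r"PLANT\dave", r"PLANT\Shift-A"},
    r"PLANT\PI-Supervisors": {r"PLANT\erin"},
}

# Well-known group carried by every authenticated logon; stands in for the
# slide's "Server\AuthenticatedUsers" example.
AUTHENTICATED_USERS = r"NT AUTHORITY\Authenticated Users"

# Constructed identity mappings: (Windows principal, PI Identity).
# Several mappings may point at one identity; each mapping points at one.
MAPPINGS = [
    (AUTHENTICATED_USERS,     "PIWorld"),
    (r"PLANT\PI-Operators",   "PIOperators"),
    (r"PLANT\PI-Engineers",   "PIEngineers"),
    (r"PLANT\Controls-Team",  "PIEngineers"),   # second mapping to one identity
    (r"PLANT\PI-Supervisors", "PISupervisors"),
]

# Assumption for this example: an identity disabled in PI-SMT grants nothing,
# even if a mapping still points at it.
DISABLED_IDENTITIES = {"PISupervisors"}


def effective_groups(principal, directory=DIRECTORY):
    """All groups that contain `principal`, directly or through nesting."""
    parents = {}
    for group, members in directory.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    found, queue = set(), deque([principal])
    while queue:
        for group in parents.get(queue.popleft(), ()):
            if group not in found:          # also guards against membership cycles
                found.add(group)
                queue.append(group)
    return found


def pi_identities(principal, authenticated=True,
                  mappings=MAPPINGS, disabled=DISABLED_IDENTITIES):
    """PI Identities granted to a logon, derived from the token's groups."""
    if not authenticated:
        return set()                        # no SSPI token, nothing to map
    token = {principal, AUTHENTICATED_USERS} | effective_groups(principal)
    return {identity for win_principal, identity in mappings
            if win_principal in token and identity not in disabled}


if __name__ == "__main__":
    for user in (r"PLANT\alice", r"PLANT\bob", r"PLANT\erin", r"PLANT\frank"):
        print(f"{user:15} -> {sorted(pi_identities(user))}")
```

Note that bob, who is only a direct member of Shift-A, ends up with both PIOperators and PIEngineers because Shift-A is nested under PI-Operators and Controls-Team; that is the power of nested groups and also the thing to audit, since a nesting change on the Windows side silently changes PI authorization.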

Demo: Configuring a PI Identity

PI Secure Objects: Authorization

Main objects: Points and Modules
– New “Security” attribute supersedes the legacy settings
  • PtSecurity instead of PtAccess, PtGroup, PtOwner

Access Control Lists
– New syntax for the “Security” ACL string:
  “ID1: A(r,w) | ID2: A(r,w) | ID3: A(r,w) | …”

Compatibility Mode
– Configure exactly 3 identities: a PI user, a PI group, and PIWorld (in any order)
– Existing behavior preserved in the “o: g: r:” attributes

Demo: Comparing ACLs – Old v. New

1. Using Tag Configurator, show the existing security attributes (dataowner, datagroup, dataaccess) alongside the new attribute (datasecurity).
2. In datasecurity, change “piworld: A(r,w)” to “piworld: A()”. Export and import. Point out that the change is reflected in dataaccess.
3. In datasecurity, delete “| piworld: A()”. Export and import. Point out the “incompatible” state of dataaccess, datagroup and dataowner.
4. Explain why the data* attributes are in the “incompatible” state and why it matters: the legacy attributes can only describe an ACL made of exactly one user, one group and PIWorld, so an ACL without a PIWorld entry has no legacy equivalent.
5. Optional: restore “| piworld: A(r,w)” to datasecurity, export and import. Point out that the data* attributes are once again compatible.
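The ACL syntax from the “PI Secure Objects: Authorization” slide and the compatibility transitions in the demo above, as an added example (not OSIsoft code, and not the PI Server’s parser). It parses the “ID: A(r,w) | …” string, evaluates access for a caller holding several PI Identities, and derives the legacy owner/group/world view, returning None when the ACL is in the demo’s “incompatible” state. The catalogue of which identities are legacy users or groups, the layout of the legacy dataaccess string (“o:rw g:r w:r”), and the rule that rights from several identities accumulate are assumptions made for illustration; the slides only say that existing behaviour is preserved in the old attributes.

```python
"""Parse PI "Security" ACL strings and derive the legacy owner/group/world view.

Added example, not OSIsoft's code.  Identity kinds, the legacy dataaccess
layout and the union rule for multiple identities are assumptions.
"""
import re

# One entry: "<identity>: A(<rights>)", rights a comma list of r and w
# (empty means no access).  Entries are separated by "|".
_ENTRY = re.compile(r"^\s*([^:|]+?)\s*:\s*A\(\s*([rwRW](?:\s*,\s*[rwRW])*)?\s*\)\s*$")

# Constructed catalogue: legacy PI users and groups became identities on
# upgrade, PIWorld is special, the rest are new role identities.
KINDS = {
    "piadmin": "user", "pidemo": "user",
    "piadmins": "group",
    "piworld": "world",
    "pioperators": "identity", "piengineers": "identity",
}


def parse_security(acl):
    """'id1: A(r,w) | id2: A()' -> {'id1': {'r', 'w'}, 'id2': set()}."""
    entries = {}
    for raw in acl.split("|"):
        m = _ENTRY.match(raw)
        if not m:
            raise ValueError(f"malformed ACL entry: {raw.strip()!r}")
        ident = m.group(1).lower()
        if ident in entries:
            raise ValueError(f"identity listed twice: {ident!r}")
        rights = m.group(2)
        entries[ident] = {r.strip().lower() for r in rights.split(",")} if rights else set()
    return entries


def has_access(entries, caller_identities, right):
    """True if any of the caller's PI Identities grants `right` ('r' or 'w').
    Assumption: rights from several identities accumulate (union)."""
    return any(right in entries.get(ident.lower(), set()) for ident in caller_identities)


def legacy_view(entries, kinds=KINDS):
    """Owner/group/world attributes equivalent to `entries`, or None when the
    ACL is 'incompatible': compatibility mode needs exactly one user identity,
    one group identity and piworld, in any order."""
    if len(entries) != 3:
        return None
    slots = {}
    for ident, rights in entries.items():
        kind = kinds.get(ident, "identity")
        if kind == "identity" or kind in slots:
            return None                      # a role identity, or two of a kind
        slots[kind] = (ident, rights)
    if set(slots) != {"user", "group", "world"}:
        return None
    fmt = lambda rights: "".join(r for r in "rw" if r in rights)
    return {
        "dataowner": slots["user"][0],
        "datagroup": slots["group"][0],
        # assumed legacy layout: o:<owner rights> g:<group rights> w:<world rights>
        "dataaccess": f"o:{fmt(slots['user'][1])} g:{fmt(slots['group'][1])} w:{fmt(slots['world'][1])}",
    }


if __name__ == "__main__":
    # Walk the demo: compatible, world access removed, world entry deleted.
    for acl in ("piadmin: A(r,w) | piadmins: A(r,w) | piworld: A(r,w)",
                "piadmin: A(r,w) | piadmins: A(r,w) | piworld: A()",
                "piadmin: A(r,w) | piadmins: A(r,w)"):
        print(f"{acl!r:58} -> {legacy_view(parse_security(acl))}")
```

Step 2 of the demo (A(r,w) to A()) keeps the legacy view and only changes the world rights; step 3 (deleting the piworld entry) makes legacy_view return None, which is the “incompatible” state, and adding any fourth identity such as PIOperators does the same. An ACL with no PIWorld entry is therefore one that legacy tooling can no longer describe, which is exactly why the demo asks you to explain it.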

Making the Transition

Existing security still supported
– On upgrade: no loss of configuration, no migration
– Downgrade only by restoring from backup

Existing SDK applications
– Preserve existing behavior
  • Can still connect via explicit logins or trusts
– Single sign-on after SDK and server upgrade
  • No configuration or code changes to client applications!

Summary

Windows Integrated Security is the next milestone for the PI Server
– Flexible configuration
– Less maintenance
– Investment preserved

The Security Development Lifecycle is ongoing
– Features that are secure
– Security-enhancing features
– Good-practice advice and security tools
– Actively caring about security

Security is about Trust

– Trusted Partner
– Trusted Network
– Trusted Operating System
– Trusted Application
– Trusted Data

[Layers: Physical, Network, Host, Application, Data; Control System]