OCEANIA TECHNOLOGY SEMINAR 2008
© 2008 OSIsoft, Inc. | Company Confidential

Slide 1: PI System Security: Taking it to the Next Level, and Beyond!
Bryan S Owen PE, Cyber Security Manager, OSIsoft, Inc
Slide 2: Agenda
– Security Theme
– Architecture Examples
– Application Defenses
– Network Layer
– Host Features
Slide 3: Trust is Essential, Trust is Earned
Everyday web of trust:
– Food & Beverage
– Finance
– Life Sciences
– Power & Utilities
– Telecommunication
– Transportation
– Water
Slide 4: Cyber Security, Why Care So Much?
– Vulnerability due to "bugs": impossible to prove absent
– Stakeholder duty: the perils are shared by all
– "Line of fire": cascading faults; a direct attack vector
Slide 5: Safety and Security
– Prevention is the best approach: risk includes human factors
– Monitoring is essential: technology can help
– Effectiveness: the weakest-link issue
Slide 6: Defense in Depth
Common challenges:
– Legacy products
– Loss of perimeter
– Implementation practices
– Operating procedures
– Visibility
Layers (figure): Physical, Network, Host, Application, Data, SCADA
Slide 7: Architecture – Interface Node (figure)
– Trust boundary
– History recovery
– Simple data capture path
Slide 8: Interface Node – PI Trust
– The PI user that the trust maps to is the "owner" of the interface's points and data: change the owner of the root module used for the interface configuration accordingly
– Set trust entries with at least two credentials:
  a) masked IP address
  b) FQDN for the network path
  c) application name
– Specific syntax rules apply to PI-API application names
Slide 9: Architecture – Attack Surface (figure)
Components shown: PI Interface, PI Archive, User Services, Data Access Portal, Notification Services, Smart Clients, Data Source, Subscribers
Slide 10: Surface Area Metric
Metric: anonymous access path count
Mitigations:
– Block the default PI user
– No null passwords
– Disallow unknown FQDNs
– Policy for insecure endpoints
Multi-zone architecture
Data access servers
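The trust rules on slide 8 and the "anonymous access path count" metric on slide 10 can be checked mechanically against a trust table export. The script below is an added example, not OSIsoft code: the field names follow the PI trust table as I recall it (Trust, IPAddr, NetMask, NetPath, ProcName, Domain, OSUser, PIUser) and should be treated as assumptions, and the rows in SAMPLE_TRUSTS are constructed rather than taken from a real server. It counts how many independent credentials each entry pins a caller to, counts entries with no credential at all as anonymous paths, and flags trusts that map to the superuser or to more than a single host.

```python
"""Audit PI trust entries: at-least-two-credentials rule and anonymous path count.
Added example; field names are assumptions, sample rows are constructed."""
import ipaddress

# Assumption: piadmin is the built-in superuser that interface trusts should not map to.
PRIVILEGED_USERS = {"piadmin"}

SAMPLE_TRUSTS = [
    # Well-formed interface trust: single host, FQDN and application name (constructed).
    {"Trust": "PIPerfMon_node1", "IPAddr": "192.168.1.20", "NetMask": "255.255.255.255",
     "NetPath": "perfmon1.corp.example", "ProcName": "PIPeE", "Domain": "", "OSUser": "",
     "PIUser": "pi_interfaces"},
    # Loopback trust that maps straight to the superuser on a single credential.
    {"Trust": "!Proxy_127!", "IPAddr": "127.0.0.1", "NetMask": "255.255.255.255",
     "NetPath": "", "ProcName": "", "Domain": "", "OSUser": "", "PIUser": "piadmin"},
    # Blanket entry with no credential: any caller that reaches the port matches it.
    {"Trust": "Default", "IPAddr": "", "NetMask": "", "NetPath": "", "ProcName": "",
     "Domain": "", "OSUser": "", "PIUser": "pidemo"},
    # Whole subnet mapped to the superuser with no application pin.
    {"Trust": "PlantSubnet", "IPAddr": "10.0.0.0", "NetMask": "255.255.255.0",
     "NetPath": "", "ProcName": "", "Domain": "", "OSUser": "", "PIUser": "piadmin"},
]


def credentials(trust):
    """Credential types that actually constrain who can match this entry."""
    creds = set()
    ip, mask = trust.get("IPAddr", ""), trust.get("NetMask", "")
    if ip and mask and mask != "0.0.0.0":      # a 0.0.0.0 mask matches every address
        creds.add("ip")
    if trust.get("NetPath", ""):
        creds.add("fqdn")
    if trust.get("ProcName", ""):
        creds.add("app")
    if trust.get("OSUser", "") or trust.get("Domain", ""):
        creds.add("windows")
    return creds


def is_single_host(trust):
    """True when IPAddr/NetMask pin exactly one address (a /32)."""
    try:
        net = ipaddress.IPv4Network(f"{trust['IPAddr']}/{trust['NetMask']}", strict=False)
    except ValueError:
        return False
    return net.prefixlen == 32


def audit(trusts, min_creds=2):
    """Return (findings, anonymous_paths).

    findings is a list of (trust name, reason); anonymous_paths counts entries
    with no credential at all, i.e. the anonymous access path metric.
    """
    findings, anonymous = [], 0
    for t in trusts:
        name, creds = t["Trust"], credentials(t)
        if len(creds) < min_creds:
            findings.append((name, f"only {len(creds)} credential(s): {sorted(creds)}"))
        if not creds:
            anonymous += 1
        if t["PIUser"] in PRIVILEGED_USERS:
            findings.append((name, f"maps to privileged user {t['PIUser']}"))
        if "ip" in creds and not is_single_host(t):
            findings.append((name, "IP mask wider than a single host"))
    return findings, anonymous


if __name__ == "__main__":
    found, anon = audit(SAMPLE_TRUSTS)
    print(f"anonymous access paths: {anon}")
    for name, reason in found:
        print(f"{name}: {reason}")
```

Run against the constructed rows, only the PIPerfMon entry passes; the loopback and subnet trusts are flagged for mapping to piadmin, and the blank "Default" entry is the one anonymous path. Feeding a real export through the same checks turns the slide's metric into a number you can track release to release.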
Slide 11: Architecture: High Availability (figure)
Slide 12: Architecture: Wifi / Mobile Asset
– PItoPI over a VPN tunnel to the extranet
– Ping metric to HQ plus an extra keepalive
– SNMP monitoring on the EVDO router
Slide 13: Architecture: PI Data Directory (figure)
Slide 14: Authentication
– Default User
– PI Login
– PI Trusts (changes in PI 3.4.375)
– Windows SSPI (changes coming in PI 3.4.380): Kerberos & NTLM
Slide 15: Authentication (flow diagram)
Windows / Active Directory security principals → Authentication → Identity Mapping → PI Identities → Access Control Lists → Authorization → PI Secure Objects (on the PI Server)
Slide 16: PI Identities
What are PI Identities?
– An individual user or group, or a combination of users and groups
– All PIUsers and PIGroups become PIIdentities; the piadmin group is renamed "piadministrators"
Purpose: link Windows principals with PI Server objects
Pre-defined defaults: PIWorld, PIEngineers, PIOperators, PISupervisors
Slide 17: SMT: PIIdentity Creation (screenshot)
Slide 18: SMT: PIIdentity Mapping (screenshot)
Slide 19: PI Secure Objects
Main objects: Points and Modules
Ownership assignments:
– Objects are "co-owned" by PI Identities (not just one PIUser and one PIGroup)
Access Control Lists:
– The "Security" setting replaces owner, group, and access
– Multiple identities, each with its own set of access rights
– ACLs with three identities (one PIUser, one PIGroup, and PIWorld, in any order) remain backward compatible with the GUI
Slide 20: PI Security Configuration
Server <= 3.4.375 attributes:
– Owner, Creator, Changer are PIUsers
– Group is a PIGroup
– Access is a string; ACL syntax "o:rw g:rw w:r"
Server >= 3.4.380 attributes:
– New Security attribute holds the ACL; syntax "ID1: A(r,w) | ID2: A(r,w) | ID3: A(r) | …", where each IDn is a PIIdentity
– Creator and Changer are PIIdentities or principals (Windows users)
– Incompatible case (the ACL cannot be expressed as one owner, one group and PIWorld): Owner = PIUserIncompatible, Group = PIGroupIncompatible, Access = "o: g: w: "
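The two notations on slide 20 and the compatibility rule on slide 19 are small enough to implement as a converter, which is the quickest way to see when an ACL will show up as PIUserIncompatible in an older client. The code below is an added example, not OSIsoft's implementation: it converts the pre-3.4.380 Owner/Group/Access triple into the identity ACL string and back, and treats an ACL as backward compatible only when it holds exactly one PIUser, one PIGroup and PIWorld (my reading of the slide; the identity names and the `KINDS` lookup table are constructed).

```python
"""Convert between the legacy "o:rw g:rw w:r" access string and the 3.4.380
identity ACL "ID: A(r,w) | ...". Added example; the compatibility rule
(exactly one PIUser, one PIGroup and PIWorld) is taken from the slides."""
import re

LEGACY = re.compile(r"^\s*o:(?P<o>[rw]*)\s+g:(?P<g>[rw]*)\s+w:(?P<w>[rw]*)\s*$")
ACL_ENTRY = re.compile(r"^\s*(?P<id>[^:|]+?)\s*:\s*A\((?P<rights>[rw,\s]*)\)\s*$")

# What the old attributes show when the ACL cannot be expressed in them (from slide 20).
INCOMPATIBLE = ("PIUserIncompatible", "PIGroupIncompatible", "o: g: w: ")

# Constructed identity table: which names are PIUsers and which are PIGroups.
KINDS = {"piadmin": "user", "piuser": "group"}


def rights_str(rights):
    """Canonical ordering of a rights set: 'rw', 'r', 'w' or ''."""
    return "".join(r for r in "rw" if r in rights)


def parse_legacy(access):
    """'o:rw g:r w:r' -> {'o': {'r','w'}, 'g': {'r'}, 'w': {'r'}}."""
    m = LEGACY.match(access)
    if not m:
        raise ValueError(f"bad legacy access string: {access!r}")
    return {slot: set(v) for slot, v in m.groupdict().items()}


def format_acl(entries):
    """[(identity, rights_set), ...] -> 'id1: A(r,w) | id2: A(r)'."""
    return " | ".join(f"{ident}: A({','.join(rights_str(r))})" for ident, r in entries)


def legacy_to_acl(owner, group, access):
    r = parse_legacy(access)
    return format_acl([(owner, r["o"]), (group, r["g"]), ("PIWorld", r["w"])])


def parse_acl(acl):
    """'id: A(r,w) | ...' -> [(identity, rights_set), ...]; rejects malformed entries."""
    entries = []
    for part in acl.split("|"):
        m = ACL_ENTRY.match(part)
        if not m:
            raise ValueError(f"bad ACL entry: {part!r}")
        rights = {r.strip() for r in m["rights"].split(",") if r.strip()}
        entries.append((m["id"].strip(), rights))
    return entries


def acl_to_legacy(acl, kinds):
    """Map an identity ACL back onto (Owner, Group, Access), or INCOMPATIBLE.

    kinds maps identity name -> 'user' or 'group'; PIWorld is recognised by name.
    Any extra identity, a duplicate slot, or a missing slot makes the ACL
    inexpressible in the old attributes (assumption: all three slots required).
    """
    slots = {}
    for ident, rights in parse_acl(acl):
        kind = "world" if ident == "PIWorld" else kinds.get(ident)
        if kind not in ("user", "group", "world") or kind in slots:
            return INCOMPATIBLE
        slots[kind] = (ident, rights)
    if set(slots) != {"user", "group", "world"}:
        return INCOMPATIBLE
    owner, o = slots["user"]
    group, g = slots["group"]
    _, w = slots["world"]
    return owner, group, f"o:{rights_str(o)} g:{rights_str(g)} w:{rights_str(w)}"


if __name__ == "__main__":
    acl = legacy_to_acl("piadmin", "piuser", "o:rw g:r w:r")
    print(acl)
    print(acl_to_legacy(acl, KINDS))
    print(acl_to_legacy("piadmin: A(r,w) | PIEngineers: A(r) | PIWorld: A(r)", KINDS))
```

Granting a point to PIEngineers, as in the last call, is exactly the kind of change that is harmless on a 3.4.380 server but makes the Owner/Group/Access view go incompatible for an SDK 1.3.5 client, which is the scenario B caveat on the next slide.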
Slide 21: Scenarios
A. SDK 1.3.6, Server <= 3.4.375
– No changes to authentication, security configuration, or access-check behaviour
B. SDK <= 1.3.5, Server 3.4.380
– More control over authentication methods
– Trusts map to PI Identities
– New attributes specifying the ACL: Points: PtSecurity, DataSecurity; Modules / DBSecurity: Security
– Old attributes (Owner/Group/Access) supported unless ACLs become incompatible
C. SDK 1.3.6, Server 3.4.380
– All of the above, plus default authentication: Windows SSPI
Slide 22: Layered Permissions
Client layer:
– SharePoint / RtWebPart security
– Document library
Abstraction / context security:
– Data Dictionary (AF Windows ACL)
– Module Database (PI ACL)
Database security table:
– Role access permission
PI secure objects:
– Data access
– Point access
Slide 23: Network Layer Security
Chronic loss of perimeter, driven by mobility (wireless / laptops)
Access controls:
– 802.1x (NAC/NAP)
– Health check policy
Distributed firewalls:
– Bump in the wire
– Host intrusion detection & prevention
Slide 24: Server Domain Isolation (figure)
Slide 25: Host Firewall Connection Security Rule
Enable IPsec between two servers (built in to Windows Server 2008 / Vista). Example:

netsh advfirewall consec add rule name="PIHArule" mode=transport type=static action=requireinrequireout endpoint1=192.168.1.4 endpoint2=192.168.129.128 auth1=computerpsk auth1psk="Mag1kR1de"

With action=requireinrequireout, traffic between the two endpoints is dropped unless IPsec authentication succeeds in both directions, so the matching rule must exist on both hosts before it is enforced. A pre-shared key is convenient for a lab demonstration; on a domain, prefer auth1=computerkerb (Kerberos) or certificate authentication, since the PSK is stored in the clear on each host.
Slide 26: Network Security Indicators
Quality of service:
– Latency (ping / TCP response)
– NIC loading (SNMP / Perfmon)
Attack precursors:
– IP address / MAC check (SNMP)
– Unexpected traffic (IP flow)
– Security events (syslog)
Slide 27: PI Monitoring Indicators
Quality of service:
– PI Server counters (Perfmon)
– UniInt health points (PI)
– Consistency verification (ACE)
Attack precursors:
– PI message log (PI-OLEDB)
– Security events (EventLog)
– Message integrity (mPI)
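The "attack precursors" on slide 27 only pay off if something actually reads the PI message log and raises an alert, so here is an added detection example (not OSIsoft code). SAMPLE_LOG is constructed in a pimsglog-like layout, `<severity> <program> <dd-Mon-yy HH:MM:SS> >> <message>`, and the message wording is illustrative rather than verbatim PI Server output; a real deployment would pull the rows through PI-OLEDB and adjust the two message regexes to the server's own text. The detector flags bursts of failed authentications from one source within a sliding window, and connections from hosts that are not on the FQDN allow list, which is the monitoring counterpart of the "disallow unknown FQDN" mitigation on slide 10.

```python
"""Failed-authentication burst and unknown-host detection over PI message log
lines. Added example; the log layout and message text are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in a pimsglog-like layout; not real server output.
SAMPLE_LOG = """\
0 pinetmgr 22-Mar-08 10:15:01 >> Authentication failed for user piadmin from 10.1.5.23
0 pinetmgr 22-Mar-08 10:15:02 >> Authentication failed for user piadmin from 10.1.5.23
0 pinetmgr 22-Mar-08 10:15:04 >> Authentication failed for user pidemo from 10.1.5.23
0 pinetmgr 22-Mar-08 10:16:10 >> Connection accepted: app=PIPeE host=perfmon1.corp.example ip=192.168.1.20
0 pinetmgr 22-Mar-08 10:20:00 >> Authentication failed for user piadmin from 192.168.1.9
0 pinetmgr 22-Mar-08 10:31:00 >> Authentication failed for user piadmin from 192.168.1.9
0 pinetmgr 22-Mar-08 10:31:30 >> Connection accepted: app=PI-SDK host=laptop77 ip=10.1.5.23
"""

LINE = re.compile(
    r"^(?P<sev>\d+)\s+(?P<prog>\S+)\s+"
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2}) >> (?P<msg>.*)$")
# Assumed message shapes; align these with the wording your server actually logs.
AUTH_FAIL = re.compile(r"Authentication failed for user (?P<user>\S+) from (?P<src>\S+)")
CONNECT = re.compile(r"Connection accepted: app=(?P<app>\S+) host=(?P<host>\S+) ip=(?P<src>\S+)")


def parse_log(text):
    """Turn raw lines into typed events; malformed or uninteresting lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%y %H:%M:%S")
        msg = m["msg"]
        if (a := AUTH_FAIL.search(msg)):
            events.append({"kind": "auth_failed", "time": ts, "user": a["user"], "src": a["src"]})
        elif (c := CONNECT.search(msg)):
            events.append({"kind": "connect", "time": ts, "app": c["app"],
                           "host": c["host"], "src": c["src"]})
    return events


def failed_auth_bursts(events, threshold=3, window_s=60):
    """Sliding window per source address; alert once when failures reach threshold.

    Returns [(source, failures_in_window, time_of_alert), ...].
    """
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ev in events:
        if ev["kind"] != "auth_failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window_s:
            q.popleft()                       # drop failures that aged out of the window
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], len(q), ev["time"]))
    return alerts


def unknown_hosts(events, allowed_fqdns):
    """Hosts that connected but are not on the allow list (case-insensitive)."""
    allowed = {h.lower() for h in allowed_fqdns}
    return sorted({ev["host"] for ev in events
                   if ev["kind"] == "connect" and ev["host"].lower() not in allowed})


def analyze(text, allowed_fqdns, threshold=3, window_s=60):
    events = parse_log(text)
    return {"bursts": failed_auth_bursts(events, threshold, window_s),
            "unknown_hosts": unknown_hosts(events, allowed_fqdns)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, ["perfmon1.corp.example"])
    for src, n, when in result["bursts"]:
        print(f"{when}: {n} failed logins from {src} within 60 s")
    print("unknown hosts:", result["unknown_hosts"])
```

On the constructed sample, the three failures from 10.1.5.23 within three seconds trip the burst rule, while the two failures from 192.168.1.9 eleven minutes apart do not; the later accepted connection from laptop77 at the same 10.1.5.23 address is reported as an unknown host, which is the kind of correlation an ACE module or a syslog pipeline can act on.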
Slide 28: More Security Enhancements
– Hardened O/S support: Windows Server 2008 Server Core
– Configuration audit tools
– ACE modules for monitoring
Slide 29: Collaboration is the Key to Security
Associations, Research, Commercial, Government
Slide 30: PI Security Infrastructure (figure)
Trusted Partner, Trusted Network, Trusted Operating System, Trusted Application, Trusted Data, layered over Physical, Network, Host, Application, Data, SCADA