
Blogs, newsrooms, and even Congress are sizzling over the Google breach and Operation Aurora. Remarkably, Microsoft's out-of-band IE patch has already been pushed, but I doubt this will be the end of the story.

 

In a nutshell, Advanced Persistent Threat (APT) is real.  Like process industries, APT operates 24x7. Highly skilled teams develop and execute targeted attacks - persistent is a characteristic of the mission not just presence on the target. Cited examples are most often military and defense contractor oriented targets. Of course, industrial espionage and theft of private information are also very real concerns (but before now there wasn't much evidence of APT in these arenas).

 

Kris Harms of Mandiant delivered a timely keynote address on APT at last week's S4 conference (full disclosure: OSIsoft is a Digital Bond S4 sponsor; the DoE "Portaledge" project by Digital Bond uses PI as a security event monitor for SCADA systems). Kris's message about APT focused on incident response and forensic details. This was a big hit with many CERT organizations in attendance. It was also interesting that Google's response team used Mandiant.

 

Unfortunately, there have been way more APT incidents than I was aware of. Kris provided many examples showing why you don't want to challenge APT with respect to technical competency. If you had any lingering hope for security by obscurity - forget it! Perhaps even more interesting is how APT often uses crypto technology to keep security-savvy operators in the dark. In fact, most targets are unaware of successful breaches involving APT until reported by a 3rd party (e.g., perhaps a disgruntled low bidder for black market intellectual property).

 

I don't plan to re-ignite the "encrypt or not to encrypt" dilemma here but simply offer that for many industrial use cases data confidentiality is not the most important security objective.  Perhaps CIP 101 but still relevant to APT, communication across the electronic security perimeter must be tightly monitored and controlled.

 

A relevant use of crypto in defense against APT is digitally signing all executables. Mandiant highly recommends this approach, as signed executables dramatically reduce the surface area for persistence. Kris cited examples where APT actors exploited a lone exception using an unsigned Windows SENS service. (The approach was advanced... SENS functions were optimized to create space for the APT code.)

 

Many of you are probably aware of Microsoft's Windows Logo Certification program and that the PI Server is certified. In light of APT, signing all executables is indeed a well-founded requirement. Operationally for administrators, signing also eases configuration of Windows Software Restriction Policies (now called AppLocker).

 

The rigors of certification help prevent digital signature errata but may not be for everyone. Regardless, signing is a good security practice and should be included in your security development lifecycle. Please be sure your ISV applications deliver only signed executables and verify any bundled software in your supply chain is also signed.
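One way to run the supply-chain check described above, as an added example that is not OSIsoft's or Mandiant's tooling: a PowerShell function that walks an install directory and reports every binary whose Authenticode signature is not valid. The function name and the extension list are illustrative choices, and C:\PIPC is used only as a sample root.

```powershell
# Added example: inventory binaries that lack a valid Authenticode signature.
# Get-UnsignedBinary is a hypothetical helper name; adjust -Root and -Extension
# to the product or bundled-software directory you are reviewing.
function Get-UnsignedBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [string[]] $Extension = @('.exe', '.dll', '.ocx', '.sys', '.msi')
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # Report everything that is not 'Valid': NotSigned, HashMismatch,
            # NotTrusted, UnknownError and so on all need a human decision.
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    # Hash recorded so the exact file can be tracked in an allow list or ticket.
                    SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Sample run against an assumed install root.
$findings = @(Get-UnsignedBinary -Root 'C:\PIPC')
$findings | Sort-Object Status, Path | Format-Table -AutoSize
Write-Output ("{0} binaries without a valid signature" -f $findings.Count)
```

A HashMismatch result means the file no longer matches what was signed, so those entries deserve review before the plain NotSigned ones.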

 

While signing is a simple step in the right direction for a software developer, it's likely few in our industry are generally ready for APT. Headlines from Operation Aurora may trigger increased attention on critical infrastructure protection. In closing, Kris offered the following strategic advice:

  1. Raise the cost of compromise - be patched, make APT use a zero day vulnerability
  2. Evolve incident response capability - target 1 hour
  3. Inject intelligence - into custom applications
  4. Embrace out of the box thinking - turn remediation into opportunity

PDI Preview Handler

Posted by andreas Employee Jan 14, 2010

Preview Handler

Why?

The Preview Handlers have been introduced with Microsoft Windows Vista and with Microsoft Office 2007.
However, if you try to preview an attached PDI in Microsoft Outlook, you will see something similar to this:

 

NoPreviewHandler.jpg

 

When getting Windows 7 on my notebook recently, Steve gave me a heads-up to try and write a preview handler for PDIs.

How?

Good starting points are this article by Stephen Toub, Managed Preview Handlers for Vista and Office in Daniel Moth's blog, More Preview Handlers from the same blog, and especially the screencast by Daniel Moth on Channel 9.

Requirements

So what do you need (besides taking a look at the above resources)?

  1. Microsoft Windows Vista or Microsoft Windows 7
  2. Microsoft Visual Studio 2008
  3. The Managed Preview Handler Framework from here.
  4. OSIsoft PI ProcessBook 3.x or newer
  5. Microsoft Outlook 2007

The Code

And here is my Hello PI preview handler ;-)

  1. Download the msdn magazine preview handler framework from the first link.
  2. To build MsdnMagPreviewHandlers.dll, you might also have to install the Microsoft Visual J# Redistributable Package.
  3. As in Daniel Moth's example, create a new class library.
  4. Reference the MsdnMagPreviewHandlers.dll.
  5. Add a reference to System.Windows.Forms.
  6. Sign the assembly with a strong name key file.
  7. To render a PDI file we will need an ActiveX control. Since we are in .NET, we need to create a managed wrapper for the PI ProcessBook Display Control. We create that wrapper with AxImp.exe:

       AxImp.exe /keyfile:.\OSIsoftvCampusPreviewHandler\OSIsoftvCampusPreviewHandler.snk c:\PIPC\Procbook\pbdctrl.ocx

  8. We will have to add a reference to our AxPBDCtrl.dll.
  9. The code for the preview handler is below:

       using System;
       using System.Collections.Generic;
       using System.Linq;
       using System.Text;
       using MsdnMag;
       using System.Runtime.InteropServices;
       using System.IO;
       using System.Windows.Forms;

       namespace OSIsoftvCampusPreviewHandler
       {
           // Registration metadata for the MSDN Magazine framework:
           // display name, file extension handled, and AppID GUID.
           [PreviewHandler("OSIsoft vCampus Preview handler",
                           ".pdi",
                           "{1A68DC08-3E1F-4f6a-B5B0-CF7C8D6FC5CB}")]
           [ProgId("OSIsoft.OSIsoftvCampusPDIPreviewHandler")]
           [Guid("22D50838-F245-4e3a-8371-75FF1D2B590D")]
           [ClassInterface(ClassInterfaceType.None)]
           [ComVisible(true)]
           public sealed class OSIsoftvCampusPDIPreviewHandler : FileBasedPreviewHandler
           {
               // The framework calls this to obtain the control hosted in the preview pane.
               protected override PreviewHandlerControl CreatePreviewHandlerControl()
               {
                   return new OSIsoftvCampusPDIPreviewHandlerControl();
               }

               private sealed class OSIsoftvCampusPDIPreviewHandlerControl :
                                    FileBasedPreviewHandlerControl
               {
                   // Called with the file to preview.
                   public override void Load(FileInfo file)
                   {
                       // Host the PI ProcessBook Display ActiveX control through the AxImp wrapper.
                       AxHost _pbDisplay = new AxPBDCtrl.AxPbd();
                       Controls.Add(_pbDisplay);

                       // Reading Handle forces the ActiveX control to be created before it is used.
                       IntPtr forceCreation = _pbDisplay.Handle;
                       _pbDisplay.Dock = DockStyle.Fill;

                       // Point the display control at the PDI file (full path).
                       AxPBDCtrl.AxPbd _AxPbd = (AxPBDCtrl.AxPbd)_pbDisplay;
                       _AxPbd.DisplayURL = file.FullName;
                   }
               }
           }
       }

  10. After building the DLL, we have to move it to the Global Assembly Cache (GAC) and register it:

       GACUTIL.EXE -i MsdnMagPreviewHandlers.dll
       GACUTIL.EXE -i OSIsoftvCampusPreviewHandler.dll
       GACUTIL.EXE -i AxPBDCtrl.dll
       GACUTIL.EXE -i PBDCtrl.dll
       REGASM.EXE /codebase MsdnMagPreviewHandlers.dll
       REGASM.EXE /codebase OSIsoftvCampusPreviewHandler.dll
       REGASM.EXE /codebase AxPBDCtrl.dll
       REGASM.EXE /codebase PBDCtrl.dll


The result is a PI ProcessBook Display preview handler that allows you to preview a PDI in Outlook

 

WithPreviewHandler.jpg

 

or Windows Explorer

 

WithPreviewHandlerExplorer.jpg

 
Notes:
  1. In this example we are using PI ProcessBook. However, all of this is possible with PI ActiveView as well (Note that PI ActiveView is not part of the OSIsoft vCampus PI Products Kit).
    PI ActiveView provides a means to view and interact with PI ProcessBook displays outside of PI ProcessBook. By embedding the PI ActiveView ActiveX control in other applications, such as Internet Explorer, and installing the local executable, users can view PI ProcessBook PDI display files without modification.
  2. This PreviewHandler uses the PI ProcessBook Display control to preview a PDI. Therefore it has the same requirements as PI ProcessBook: you need to have a PI SDK connection to the PI Server and the necessary access rights to view the data.
  3. The two batch files to register and unregister as well as the source code above can be downloaded here.

Call for Help

The community is explicitly invited to improve/extend my code. As an example - a known limitation is that the preview handler does not scale the display according to the visible area in the preview.

One of the exciting announcements made at the OSIsoft vCampus Live! 2009 event was the "OSIsoft vCampus All-Star" Program - similar to Microsoft MVP, that recognizes the highest contributors to the community.

 

As a community it is important to get dedicated members involved with driving the direction of the community.  A handful of members were contributing at the level of our OSIsoft vCampus Team Staff, so we thought why not give them the same community position.  Make them Honorary Team Members, with the same privileges (don't worry they won't get the extra work parts).  The elected nominees will be announced at OSIsoft vCampus Live! 2010 and will benefit from the following:

  • Personal blog
  • Forum moderator privileges
  • Free admission to the OSIsoft Users Conference and OSIsoft vCampus Live! events in the next year.
  • Option to take part in the OSIsoft vCampus Team weekly meetings
  • Free 1-year subscription or renewal to OSIsoft vCampus
  • vCampus All-Star Gift Pack (surprise)

So how does someone become an All-Star? Start by becoming an active member and use the community to help you add more value to your PI System, then give some of that knowledge back to the community. If others get value from your input, they will nominate you as an OSIsoft vCampus All-Star. In July 2010 we'll open a community-wide nomination to select the All-Stars. The All-Stars will be announced at next year's vCampus Live! and spotlighted at both the Users Conference and OSIsoft vCampus Live! events (April 26th-28th and September 13th-15th, respectively).

  • OSIsoft vCampus Members nominate All-Stars based on their overall contribution to the community
  • Contribution is based on the number and quality of posts into the community
  • A selection committee comprised of OSIsoft vCampus Team Members, Product Managers and All-Stars will select All-Stars for the following year from those nominated

So, we invite all of you to actively participate in the community. Share your knowledge and give your feedback. As in all communities, if everyone adds a little bit, the whole community becomes enriched.

If you attended OSIsoft vCampus Live!, you know we've been at work revising the PI WS interface.  What you don't know, unless you tried to access the old CTP recently, is that the new interface is running on the CTP site in place of the old CTP.  First, go to the vCampus Library and look over the documentation for the revised interface.  If you follow the link, look for the vCampus PI Products Kit>Data Access Products path.  The document you want is "PI Web Services -- Revised Interface".

 

Fired up and ready to test the service?  The WSDL is found at http://74.217.101.211/PIWebServiceDemo/PITimeSeries.wsdl (remember, the host requires the explicit IP address, so the WSDL is static) and will point you to the actual endpoint PITimeSeries.svc.  Go try it out and let us know what you think about the interface!
