PI and the Killer Robots, Inc. CTF environment, Part 0x01

Blog Post created by hpaul Employee on Dec 7, 2016


If you are a PI System administrator, System Integrator or an otherwise security focused professional, you may be interested in the PI System environment at Killer Robots, Inc., the misanthropic company competitors will attempt to compromise at the S4x17 ICS Security Conference Capture the Flag (CTF) competition in a battle for the survival of mankind.  Aside from aiding in the struggle to liberate humanity from the merciless machines, this 3 day event is also a unique training opportunity, as it allows competitors to learn about PI security by going on the offensive on a live PI System environment submitted by OSIsoft alongside other vendors.


The OSIsoft team sought to create a PI System environment that highlights common mistakes, misconfigurations and misuse in a way that is both informative, and hopefully jarring. Inspiration was drawn from case studies, security engineering, 3rd party reports and our own experiences with vulnerability disclosure, so the exercises are grounded in practical application.


What does the CTF offer for a PI System administrator?

  • Exercise your skills in a simulated environment:  Not everyone has a development system or sandbox environment, so this is your opportunity to get a hands on experience exploring a PI System.
  • Cross-train with both IT and OT technologies: The CTF flags include targets against client applications such as the PI Coresight web application in the corporate zone, all the way back to output points associated with a PI OPC Interface in the plant network.
  • See some of the latest security features in action: Features such as transport security will be on display as well as the impacts when they are not.
  • Explore PI System internals: There are some gems hidden in the environment for the most avid PI geeks, such as some exploration into the SQL back end of PI Coresight.
  • Interact with developer technologies: Some exercises will require leveraging developer technologies such as the PI Web API.
  • Work on your OPSEC: Since many attendees are well versed in the art, you may even pick up some social engineering tricks to improve your OPSEC skills.


Throughout the month of December, we will discuss the philosophy, methodology and motivation behind the creation of the Killer Robots, Inc. PI System environment.  To a clever reader, these posts could provide a valuable primer for the competition, but to a clever competitor, the event should provide a better understanding of the PI System security.  The PI System challenges in the CTF will require a breadth of skills and knowledge from the competitors related to basic network packet and memory dump analysis, RESTful web services, PowerShell scripting, arcane ciphers, and most prominently, PI System administration. 


Tune into next week’s post for a survey of reference architecture, security engineering and best practices (or lack thereof) that informed the deployment of our target virtual PI System.  In the meantime, if this post has piqued your interest, check out the S4x17 Conference Site for more information or to register for the event.