
An updated version of the PI Security Audit Tools is available for download from the tech support site here.  For a list of the changes/improvements in this version, check out the release announcement.

 

There is also an exciting opportunity to learn more about PI System security and baselining with the PI Security Audit Tools from Anna Perry at the upcoming UC 2017 lab, Extending the PI Security Audit Tools to Meet the Needs of Your Environment at 2:15 pm on the day 3 agenda.  I've included the description below.  If this topic interests you, please sign up when you register for UC 2017!

 

"How do you baseline the security of your PI Systems? How do you evaluate which defenses should be prioritized? These are questions every PI System administrator faces. The PI Security Audit Tools are a framework for security configuration auditing of PI System components in the form of a PowerShell module. In the first half of this lab, participants will learn how to use the existing tools to evaluate their PI System deployments and use the output to plan and prioritize improvements to their defenses. The second half of the lab will focus on the tools' extensibility. Participants will learn how to extend the PI Security Audit Tools' existing libraries to include validation checks specific to their organization's needs and how to implement their own libraries with the tool."

The New Year is here already, and with it comes the 10th annual Digital Bond S4 conference on industrial control system security.  Experts shared a mostly optimistic mood for OT security in 2017.  A summary of main stage highlights is below.  We’ll comment on technical deep dives and our capture the flag contest in subsequent posts (spoiler alert: clean shirts for us, ‘pie in the face’ flag still stands!).

 

Optimism stems from market leaders releasing new generations of security hardened solutions. Security development lifecycle (SDL) investments are bearing fruit and ushering in a welcome shift in technology.  At last, critical infrastructure providers can plot a course of upgrades and sunset their fragile, ‘insecure by design’ systems.

OSIsoft and the modern PI Server have contributed to this widespread optimism with major releases in 2015 and PI API 2016 for Windows Integrated Security.  SDL-hardened application code on Windows Server Core, along with a reference architecture using high availability and web application services for PI visualization, is a very effective defensive strategy for the PI System.

Some of the S4 presentations documented the high cost of ‘digital carelessness’ with case studies ranging from ransomware affecting industrial control systems to the ongoing targeted attacks on Ukrainian critical infrastructure. It appears no amount of bolt-on security solutions can keep pace with threats.

The US Department of Justice National Security Division and global law enforcement have ramped up activities following breaches in central banking (Bangladesh) and the SWIFT global financial network. Banking was once considered sacrosanct. Domestically, we observe the Federal Trade Commission filing a complaint against D-Link for failure to take reasonable steps to secure routers and Internet-protocol cameras. This is perhaps a ‘shot over the bow’ that all IoT solution providers will be watching.

Richard Clarke (former National Coordinator for Security, Infrastructure Protection and Counter-terrorism) called for regulators to impose a deadline for addressing critical infrastructure protection. While conceding that the political climate is unfavorable for forcing such a mandate, Clarke cited Y2K as a model for accelerating massive updates.

Whether you believe Y2K was a preemptive success or an overblown farce, the example has an interesting parallel with SDL because remediation was also code centric. A key distinction, however, is identification of potential issues. Testing for Y2K was straightforward; this isn’t the case for cyber security.

Methods for assessing software reliability and security are potentially endless. Our objectives this year include metrics to monitor SDL processes.  We are also studying ways to catalog and publish industry benchmark reports such as Microsoft BinSkim, Cyber-ITL.org, and Mozilla Observatory.

The adoption rate of hardened software versions in the field is still an elusive metric. In the meantime, we have initiatives designed to provide you with improved visibility over your PI System infrastructure and health. You can learn more and provide ideas in just a few months during UC 2017 in San Francisco!