PI Security Suggestion Compilation

Blog Post created by Kenneth_Barber Champion on Jun 23, 2020

Part of a PI administrator's job is to make sure that the PI system is as secure as reasonably possible. However, sometimes it is PI itself that must be made more secure. This post compiles many of the security-related suggestions from OSIsoft's feedback website. If you don't like getting hacked or if you don't want users accidentally changing stuff, please consider voting for some of these suggestions!

 

Some of the products listed on the feedback website have a Security category. The links below will take you to all Security suggestions for their corresponding product:

 

However, not every security-related suggestion is in the Security category, hence the table below. This could be because the product does not have a Security category or because a different, but still appropriate, category was chosen instead.

 

Some general notes about the suggestions that were included:

  • The suggestions do not appear in the Security category
  • The suggestions are hand-picked
  • Generally, a suggestion is included if and only if its fulfillment will increase security, will add more options for configuring security, or will help promote secure practices or cybersecurity awareness.
  • Suggestions for deprecated or superseded products are generally not included unless the product is still heavily used
  • Some root words of search terms that I used: secure, authorize, authenticate, impersonate, permit, restrict, access, certificate, encrypt, HTTPS, TLS

 

| Product | Suggestion |
| --- | --- |
| Edge Data Store | Enable TLS Configuration |
| myOSIsoft | Generic access to Customer Portal until user added to a site |
| myOSIsoft | Add a view-only user type restricting option to raise support cases |
| myOSIsoft | I need to see security bulletins pushed to my immediate attention |
| myOSIsoft | Add a visual indicator for permissions denied due to the user's profile |
| myOSIsoft | Segment access to PI Client software downloads |
| myOSIsoft | Make it easy to find updated security patches to OSISoft Products |
| myOSIsoft | Permit users to have different access levels at different sites |
| myOSIsoft | Drop support for TLS 1.1 and weak cipher suites on customers.osisoft.com |
| myOSIsoft | Change the default text of links from "http://" to "https://" |
| myOSIsoft | Submit myosisoft.com for HSTS preloading |
| myOSIsoft | Improve myOSIsoft's Security Headers score |
| myOSIsoft | Replace insecure HTTP links on my.osisoft.com |
| myOSIsoft | Add support for TLS 1.3 (Customer Portal) |
| myOSIsoft | Add support for TLS 1.3 (Partner Portal) |
| OSIsoft GitHub | Support security baselining |
| OSIsoft GitHub | Support Claims Based Authentication in Vision |
| OSIsoft Learning | Walkthrough of Configuring DCOM for OPC Interfaces |
| OSIsoft Learning | Redirect HTTP traffic to HTTPS on cdn.osisoft.com |
| OSIsoft Learning | Enable HSTS on learning.osisoft.com |
| OSIsoft Message Format | Support TLS 1.3 and enable HSTS on omf-docs.osisoft.com |
| PI Cloud Connect | Submit picloudservices.com for HSTS preloading |
| PI Cloud Connect | Improve PI Cloud Connect's Security Headers score |
| PI Cloud Connect | Add support for TLS 1.3 on picloudservices.com |
| PI Data Collection Manager | Add support for TLS 1.3 to the PI Data Collection Manager (PI DCM) |
| PI Connectors (general) | Encrypt traffic between interfaces/connectors and the Data Archive |
| PI Connectors (general) | Add support for TLS 1.3 to the 1st-generation PI Connectors |
| PI Connectors (general) | Drop support for TLS 1.0 & TLS 1.1 for the 1st-generation PI Connectors |
| PI Connector For UFL | Windows Authentication to the Rest Endpoint should be supported with PI UFL Connector. Currently only Basic is supported |
| PI Connector For UFL | Allow overriding of point and data security newly created points |
| PI Connector For IEC 61850 | IEC61850 encryption |
| PI Connector For HART-IP | PI Connector for HART-IP / Support SECURE data transfer |
| PI OPC DA & HDA Servers | Windows authentication of clients |
| PI Web API | Support Bearer Authentication with Channels in the Web API |
| PI SQL Client | Add data reference impersonation for value retrievals |
| PI Integrator For Esri ArcGIS | Allow binding of a custom SSL certificate after installation of PI Integrator for Esri ArcGIS |
| PI Integrator For Esri ArcGIS | Support OAuth2 authentication |
| PI Integrator For Esri ArcGIS | Support SAML authentication |
| PI Integrator For Esri ArcGIS | Support Kerberos Authentication to the PI Integrator |
| PI Integrator For Esri ArcGIS | Validate any link entered in the endpoint section (Vision, Portal, GeoEvent) |
| PI Integrator For Business Analytics | Add support for OAuth2 authentication for the Hadoop target |
| PI Integrator For Business Analytics | Support authentication to Apache Hive via Kerberos |
| PI Integrator For Business Analytics | Allow publishing to S3 with Roles instead of key / secret key |
| PI Integrator For Business Analytics | Grant permissions only to configure targets |
| PI Interfaces | Support data collection across data diodes or similar technology |
| PI AMI Itron Interface | PI AMI Itron Interface support for TLS 1.3 |
| PI Data Archive | Provide more granular configuration for default ACLs |
| PI Data Archive | 2-factor authentication |
| PI Data Archive | Remove installation kits' dependency on write permission to root C:\ |
| PI Data Archive | Allow PIWorld and piusers to be deleted |
| PI Asset Framework | Create/Update YouTube video about AF Security |
| PI Asset Framework | Longer passwords PI AF Table Connector |
| PI Asset Framework | Identities Starting pack |
| PI Asset Framework | Add read permission to the Event Frame Template |
| PI Asset Framework | Allow the creator of an analysis to limit who can make changes to it |
| PI Asset Framework | Tool for SQL Security and Consistency Check for the PI AF Server |
| PI Analysis Service | Restrict the event frame templates that can be selected when creating an event frame generation analysis |
| PI Notifications | Enable headers for SOAP and REST Web Service Notifications |
| PI Notifications | SOAP Header for authentication |
| PI Server | choose PI API Version during installation |
| PI AF SDK | AF SDK vs claim authentication |
| PI System Tray | Replace the "http://techsupport.osisoft.com/" link in the "About" window of PI System Tray |
| PI Manual Logger | Support for Integrated Windows Security In PI Manual Logger PC |
| PI ProcessBook | Have Digital Signatures fro PI ProcessBook VBA |
| PI Vision | PI Vision on Public Internet |
| PI Vision | Event Frame Acknowledgement Security |
| PI Vision | As an administrator, I would like to impersonate users so that I can easily see what they see while troubleshooting issues |
| RtReports | Use AD group membership for RtReports |
| OSIsoft UserVoice | Drop support for TLS 1.1 and weak cipher suites on feedback.osisoft.com |
| FTP website | Drop support for TLS 1.0 and TLS 1.1 on ftp.osisoft.com |
| Website | Add support for two-step verification |
| Website | Submit osisoft.com for HSTS preloading |
| Website | Submit picoresight.com for HSTS preloading |

 

Explanation of terms

 

Below is an oversimplified explanation of some of the technical terms used above. If I didn't explain a term, it's because I don't know it.

 

| Term | Explanation & relation to security |
| --- | --- |
| HTTPS | HTTP, but encrypted |
| HSTS | Redirecting HTTP to HTTPS on the server is not enough, since the client can still initiate an unencrypted HTTP connection at any time. If a browser connects to a website that uses HSTS, the website will instruct the browser to use only HTTPS (and not HTTP) with that website in the future. |
| HSTS preloading | New releases of browsers come preloaded with a list of websites that request HSTS, which avoids the need to visit the website first. This avoids the possibility of the client's first-ever connection to the website being made over insecure HTTP. |
| Two-factor authentication / Two-step verification | After you enter your user name and password, you provide further proof of your identity before the login is successful. Usually, this is a number on an authenticator app on your phone, a number from a text message to your phone, or the activation of some hardware that only you have. |
| TLS 1.0 / TLS 1.1 | Insecure protocols that have been superseded by TLS 1.2 & TLS 1.3. |
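
The HSTS and HSTS preloading entries above can be checked mechanically. The following is an added example, not part of the original post or any OSIsoft tooling: it parses a `Strict-Transport-Security` header value and reports whether the policy takes effect and whether its directives meet the preload list's header requirements (a `max-age` of at least one year, `includeSubDomains`, and `preload`). The function names and sample responses are constructed for illustration.

```python
PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age the preload list asks for

def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797); return None if it is invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives between semicolons are allowed
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None  # a repeated directive invalidates the whole header
        directives[name] = arg.strip().strip('"')
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(age)
    return directives

def assess(scheme, header):
    """Return (hsts_active, preload_ready, notes) for one response."""
    if scheme != "https":
        # Browsers ignore HSTS sent over plain HTTP; this is the
        # first-connection gap that preloading closes.
        return False, False, ["header ignored: not received over HTTPS"]
    policy = parse_hsts(header or "")
    if policy is None:
        return False, False, ["missing or malformed header"]
    if policy["max-age"] == 0:
        return False, False, ["max-age=0 tells the browser to forget the policy"]
    notes = []
    if policy["max-age"] < PRELOAD_MIN_AGE:
        notes.append("max-age below one year")
    if "includesubdomains" not in policy:
        notes.append("includeSubDomains missing")
    if "preload" not in policy:
        notes.append("preload directive missing")
    return True, not notes, notes

# Constructed sample responses (scheme, header value); not real scan results.
SAMPLES = [
    ("https", "max-age=63072000; includeSubDomains; preload"),
    ("https", "max-age=300"),
    ("http", "max-age=63072000; includeSubDomains; preload"),
]

for scheme, header in SAMPLES:
    print(scheme, repr(header), assess(scheme, header))
```

The check covers the header only; the preload list also expects a valid certificate and an HTTP-to-HTTPS redirect, which this code does not test.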

 

Anti-security suggestions

 

This compilation would not be complete without also mentioning the suggestions that, if implemented, would promote or prolong poor security practices. This is a side effect of wanting extended or better support for legacy technology in order to delay or avoid the cost and effort of migrating to the latest technology. Don't vote for these.

 

Some search terms that I used: IE, Internet Explorer, (PI) Trust, HTTP

 

 

Explanation:

  • PI Trusts are superseded by PI Mappings. PI Trusts grant permission partly based on the name of the program. However, nothing stops a malicious program from having the same name as a permitted program.
  • Microsoft dropped Internet Explorer like a hot potato. New vulnerabilities that are discovered in Internet Explorer will not necessarily be patched, which leaves Internet Explorer users vulnerable to them. This reasoning can be generalized to anything that is deprecated/legacy.
  • ActiveX is deprecated and insecure, and so any PI program that uses ActiveX is also insecure.
