
PI Security Suggestion Compilation

Blog Post created by Kenneth_Barber Champion on Jun 23, 2020

Part of a PI administrator's job is to make sure that the PI system is as secure as reasonably possible. Sometimes, however, it is PI itself that must be made more secure. This post compiles many of the security-related suggestions from OSIsoft's feedback website. If you don't like getting hacked or if you don't want users accidentally changing stuff, please consider voting for some of these suggestions!

 

Some of the products listed on the feedback website have a Security category. The links below will take you to all Security suggestions for their corresponding product:

 

However, not every security-related suggestion is in the Security category, hence the table below. This could be because the product does not have a Security category or because a different, but still appropriate, category was chosen instead.

 

Some general notes about the suggestions that were included:

  • The suggestions do not appear in the Security category.
  • The suggestions are hand-picked. I might have missed some, and the list is up-to-date only as of the time of this post.
  • Generally, a suggestion is included if and only if its fulfillment will increase security, will add more options for configuring security, or will help promote secure practices or cybersecurity awareness.
  • Suggestions for deprecated or superseded products are generally not included unless the product is still heavily used.
  • Some root words of search terms that I used: secure, authorize, authenticate, impersonate, permit, restrict, access, certificate, HTTPS, TLS

 

| Product | Suggestion |
| --- | --- |
| Edge Data Store | Enable TLS Configuration |
| myOSIsoft | Generic access to Customer Portal until user added to a site |
| myOSIsoft | Add a view-only user type restricting option to raise support cases |
| myOSIsoft | I need to see security bulletins pushed to my immediate attention |
| myOSIsoft | Add a visual indicator for permissions denied due to the user's profile |
| myOSIsoft | Segment access to PI Client software downloads |
| myOSIsoft | Make it easy to find updated security patches to OSISoft Products |
| myOSIsoft | Permit users to have different access levels at different sites |
| myOSIsoft | Drop support for TLS 1.1 and weak cipher suites on customers.osisoft.com |
| myOSIsoft | Change the default text of links from "http://" to "https://" |
| myOSIsoft | Submit myosisoft.com for HSTS preloading |
| myOSIsoft | Improve myOSIsoft's Security Headers score |
| OSIsoft GitHub | Support security baselining |
| OSIsoft GitHub | Support Claims Based Authentication in Vision |
| OSIsoft Learning | Walkthrough of Configuring DCOM for OPC Interfaces |
| OSIsoft Learning | Redirect HTTP traffic to HTTPS on cdn.osisoft.com |
| OSIsoft Learning | Enable HSTS on learning.osisoft.com |
| OSIsoft Message Format | Support TLS 1.3 and enable HSTS on omf-docs.osisoft.com |
| PI Cloud Connect | Submit picloudservices.com for HSTS preloading |
| PI Cloud Connect | Improve PI Cloud Connect's Security Headers score |
| PI Cloud Connect | Add support for TLS 1.3 on picloudservices.com |
| PI Connector For UFL | Windows Authentication to the Rest Endpoint should be supported with PI UFL Connector. Currently only Basic is supported |
| PI Connector For UFL | Allow overriding of point and data security newly created points |
| PI Connector For IEC 61850 | IEC61850 encryption |
| PI Connector For HART-IP | PI Connector for HART-IP / Support SECURE data transfer |
| PI OPC DA & HDA Servers | Windows authentication of clients |
| PI Web API | Support Bearer Authentication with Channels in the Web API |
| PI SQL Client | Add data reference impersonation for value retrievals |
| PI Integrator For Esri ArcGIS | Allow binding of a custom SSL certificate after installation of PI Integrator for Esri ArcGIS |
| PI Integrator For Esri ArcGIS | Support OAuth2 authentication |
| PI Integrator For Esri ArcGIS | Support SAML authentication |
| PI Integrator For Esri ArcGIS | Support Kerberos Authentication to the PI Integrator |
| PI Integrator For Esri ArcGIS | Validate any link entered in the endpoint section (Vision, Portal, GeoEvent) |
| PI Integrator For Business Analytics | Add support for OAuth2 authentication for the Hadoop target |
| PI Integrator For Business Analytics | Support authentication to Apache Hive via Kerberos |
| PI Integrator For Business Analytics | Allow publishing to S3 with Roles instead of key / secret key |
| PI Integrator For Business Analytics | Grant permissions only to configure targets |
| PI Interfaces | Support data collection across data diodes or similar technology |
| PI Data Archive | Provide more granular configuration for default ACLs |
| PI Data Archive | 2-factor authentication |
| PI Asset Framework | Create/Update YouTube video about AF Security |
| PI Asset Framework | Longer passwords PI AF Table Connector |
| PI Asset Framework | Identities Starting pack |
| PI Asset Framework | Add read permission to the Event Frame Template |
| PI Asset Framework | Allow the creator of an analysis to limit who can make changes to it |
| PI Asset Framework | Tool for SQL Security and Consistency Check for the PI AF Server |
| PI Analysis Service | Restrict the event frame templates that can be selected when creating an event frame generation analysis |
| PI Notifications | Enable headers for SOAP and REST Web Service Notifications |
| PI Notifications | SOAP Header for authentication |
| PI Server | choose PI API Version during installation |
| PI AF SDK | AF SDK vs claim authentication |
| PI Manual Logger | Support for Integrated Windows Security In PI Manual Logger PC |
| PI ProcessBook | Have Digital Signatures fro PI ProcessBook VBA |
| PI Vision | PI Vision on Public Internet |
| PI Vision | Event Frame Acknowledgement Security |
| PI Vision | As an administrator, I would like to impersonate users so that I can easily see what they see while troubleshooting issues |
| RtReports | Use AD group membership for RtReports |
| OSIsoft UserVoice | Use the HTTPS version of the documentation link on the feedback website |
| OSIsoft UserVoice | Drop support for TLS 1.1 and weak cipher suites on feedback.osisoft.com |
| FTP website | Drop support for TLS 1.0 and TLS 1.1 on ftp.osisoft.com |
| Website | Add support for two-step verification |
| Website | Submit osisoft.com for HSTS preloading |

 

Anti-security suggestions

 

This compilation would not be complete without also mentioning the suggestions that, if implemented, would promote or prolong poor security practices. This is a side effect of wanting extended or better support for legacy technology in order to delay or avoid the cost and effort of migrating to the latest technology. Don't vote for these.

 

Some search terms that I used: IE, Internet Explorer, (PI) Trust, HTTP

 
