Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2008 OSIsoft, Inc. | Company Confidential PI System Security Bryan S. Owen PE.

Published byBernice Montgomery Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2008 OSIsoft, Inc. | Company Confidential PI System Security Bryan S. Owen PE."— Presentation transcript:

1 © 2008 OSIsoft, Inc. | Company Confidential PI System Security Bryan S. Owen PE

2 2 © 2008 OSIsoft, Inc. | Company Confidential Web of Trust Classic Examples –Bulk Electric System –Pipelines –Transportation –Supply Chains –Finance Cyber Examples –Internet Service Providers –Name and Time Services –Certificate Authorities –eBay Ratings

3 3 © 2008 OSIsoft, Inc. | Company Confidential OSIsoft Cyber Security Web of Trust AssociationsAssociations ResearchResearchCommercialCommercial GovernmentGovernment

4 4 © 2008 OSIsoft, Inc. | Company Confidential

5 5 Safety and Security Prevention is Best Approach –Risk includes Human Factors Technology Can Help –Auditing, Monitoring and Protection Actively Caring is the Key –Effects all stakeholders

6 6 © 2008 OSIsoft, Inc. | Company Confidential Mutual Distrust Posture – FERC 706 The term “mutual distrust” is used to denote how “outside world” systems are treated by those inside the control system A mutual distrust posture requires each responsible entity … to protect itself and not trust any communication crossing an electronic security perimeter, regardless of where that communication originates.

7 7 © 2008 OSIsoft, Inc. | Company Confidential There are only two types of security issues:  Input trust issues  Everything else! Secure Coding Issues Source: Security Development Lifecycle – Microsoft Press, Michael Howard

8 8 © 2008 OSIsoft, Inc. | Company Confidential What Now? Not allowed to Trust “Outside” Systems… Shouldn’t Trust any Input… –Secure Boundaries –Build-in Security

9 9 © 2008 OSIsoft, Inc. | Company Confidential Smart Connector PI Archive User Services Data Access Portal Notification Services Smart Clients Data SourceSubscribers PI System Security Boundaries

10 10 © 2008 OSIsoft, Inc. | Company Confidential Defense-in-Depth Challenges Legacy Technology Loss of Perimeter Implementation Practices Manual Procedures Lack of Visibility Infrastructure Lifecycles Physical Network Host Application Data

11 11 © 2008 OSIsoft, Inc. | Company Confidential PI Security Boundary Features Isolated Application Stack –Protect Critical Systems Data Only “Conduit” Health Monitoring & Visibility Quick Disconnect –No Data Loss Recovery Physical Network Host Application Data Control Systems Control Systems

12 12 © 2008 OSIsoft, Inc. | Company Confidential Architecture – Interface Node Simple Resilient Highly Instrumented

13 13 © 2008 OSIsoft, Inc. | Company Confidential Architecture: High Availability

14 14 © 2008 OSIsoft, Inc. | Company Confidential Integrating Windows Security into PI RtWebParts –Microsoft Office Sharepoint Services PI AF –.Net Framework and MS SQL Server PI Server –Windows 2008 Logo Certification (including Server Core) –Modern Hardware Support (Memory Protection, TPM, x64) –Integrated Authentication and Authorization

15 15 © 2008 OSIsoft, Inc. | Company Confidential Authentication and Authorization Customer SIG Requests and Objectives: 1.Leverage Windows for account administration 2.Single sign-on (no PI Server login required) 3.Secure authentication methods 4.Extended access control …more than Owner, Group, World …e.g. Groups of Groups

16 16 © 2008 OSIsoft, Inc. | Company Confidential Architectural Overview Our Current Security Model –Choice of access rights: read, write –A single owner (per object) –A single group association –And then everyone else... “world” The New Model –Support for Active Directory and Windows Local Users/Groups –Mapping of authenticated Windows principals to “PI Identities” –Access Control Lists for points, etc.

17 17 © 2008 OSIsoft, Inc. | Company Confidential WIS in a Nutshell Windows PI Server Active Directory Active Directory Security Principals Security Principals Authentication Identity Mapping PI Identities Access Control Lists Authorization PI Secure Objects PI Secure Objects

18 18 © 2008 OSIsoft, Inc. | Company Confidential User Authentication Until Now –Explicit Login: validation against internal user database –Trust Login: validation of user’s Security Identifier (SID) PI Server “380” Release –Strong Authentication using SSPI – “Negotiate” (Microsoft Security Support Provider Interface) –Principals from Active Directory –Principals from Local Server –Backward Compatible Authentication (Configurable)

19 19 © 2008 OSIsoft, Inc. | Company Confidential Demo: Protocol Selection

20 20 © 2008 OSIsoft, Inc. | Company Confidential PI Identities Custom Labels for PI Security Authorization –Replace and Extend “Owner”, “Group” and “World” New Default PI Identities: –PIWorld, PIEngineers, PIOperators, PISupervisors –Legacy PI users and groups also become identities Change as needed for Role and Category –Add / Rename / Disable using PI-SMT

21 21 © 2008 OSIsoft, Inc. | Company Confidential PI Identity Mapping Links a Windows group (or user) to a PI Identity –Example: Server\AuthenticatedUsers to PIWorld Multiple mappings allowed per PI Identity –Suggestion: Manage complex mapping through nested membership in Windows Groups Legacy PI Trusts map to a single Identity only

22 22 © 2008 OSIsoft, Inc. | Company Confidential Demo: Configuring a PI Identity

23 23 © 2008 OSIsoft, Inc. | Company Confidential PI Secure Objects: Authorization Main objects: Points and Modules –New “Security” attribute supersedes legacy settings PtSecurity instead of PtAccess, PtGroup, PtOwner Access Control Lists –New Syntax for “Security” ACL string: “ID1: A(r,w) | ID2: A(r,w) | ID3: A(r,w) | …” Compatibility Mode –Configure 3 identities: PIUser, 1PIGroup, and PIWorld (any order) –Existing behavior preserved in “o: g: r:” attributes

24 24 © 2008 OSIsoft, Inc. | Company Confidential PI Security Configuration Server <= 3.4.375 Attributes Owner, Creator, Changer are PIUsers Group is PIGroup Access as String ACL Syntax “o:rw g:rw w:r” Server >= 3.4.380 Attributes New Security attribute as ACL Creator and Changer are PIIdentities or Principals (Windows users) Incompatible case: –Owner = PIUserIncompatible –Group = PIGroupIncompatible –Access = “o: g: w: ” ACL Syntax “ID1: A(r,w) | ID2: A(r,w) | ID3: A(r) | …” IDn = PIIdentity

25 25 © 2008 OSIsoft, Inc. | Company Confidential Demo: Comparing ACLs – Old v. New 1.Using Tag Configurator, show existing security attributes (dataowner, datagroup, dataaccess) alongside new attribute (datasecurity). 2.In datasecurity, change piworld: A(r,w) to piworld: A(). Export and import. Point out that change is reflected in dataaccess. 3.In datasecurity, delete “| piworld: A()”. Export and import. Point out “incompatible” state of dataaccess, datagroup, and dataowner 4.Explain why data* attributes are in the “incompatible” state and why it matters. 5.Optional: Restore “| piworld: A(r,w)” to datasecurity, export, and import. Point out that data* attributes are once again compatible.

26 26 © 2008 OSIsoft, Inc. | Company Confidential Making the Transition Existing security still supported –On upgrade: no loss of configuration, no migration –Downgrade only by restoring from backup Existing SDK applications –Preserve existing behavior Can still connect via explicit logins or trusts –Single sign-on after SDK and server upgrade No configuration or code changes to client applications!

27 27 © 2008 OSIsoft, Inc. | Company Confidential Summary Windows Integrated Security is the next milestone for the PI Server –Flexible Configuration –Less Maintenance –Investment Preserved Security Development Lifecycle is Ongoing –Features that are Secure –Security Enhancing Features –Good Practice Advice and Security Tools –Actively Caring about Security

28 28 © 2008 OSIsoft, Inc. | Company Confidential Security is about Trust Trusted Partner Trusted Network Trusted Operating System Trusted Application Trusted Data Physical Network Host Application Data Control System Control System

29 29 © 2008 OSIsoft, Inc. | Company Confidential Thank You

Download ppt "© 2008 OSIsoft, Inc. | Company Confidential PI System Security Bryan S. Owen PE."

Similar presentations

OneBridge Mobile Data Suite Product Positioning. Target Plays IT-driven enterprise mobility initiatives Extensive support for integration into existing.

OneBridge Mobile Data Suite Product Positioning. Target Plays IT-driven enterprise mobility initiatives Extensive support for integration into existing.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
PI Server Security Bryan S. Owen Omar A. Shafie.

PI Server Security Bryan S. Owen Omar A. Shafie.
1 OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential OCEANIA TECHNOLOGY SEMINAR 2008 PI System Security Taking it to the Next.

1 OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential OCEANIA TECHNOLOGY SEMINAR 2008 PI System Security Taking it to the Next.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Identity and Access Management

Identity and Access Management
1 OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential OCEANIA TECHNOLOGY SEMINAR 2008 PI System Development Roadmap Jon Peterson.

1 OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential OCEANIA TECHNOLOGY SEMINAR 2008 PI System Development Roadmap Jon Peterson.
Understanding Active Directory

Understanding Active Directory
Chapter 11: Dial-Up Connectivity in Remote Access Designs

Chapter 11: Dial-Up Connectivity in Remote Access Designs
Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.

Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
© 2008 OSIsoft, Inc. | Company Confidential Windows Integrated Security for the PI Server Hans-Herbert Gimmler Rulik Perla.

© 2008 OSIsoft, Inc. | Company Confidential Windows Integrated Security for the PI Server Hans-Herbert Gimmler Rulik Perla.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Similar presentations

Ads by Google