Speaking at the OSIsoft User Conference in San Francisco last month, OSIsoft cyber security guru Bryan Owen gave a limpid talk on securing process control systems and unveiled the results of the company’s Hard Rock PI cyber security challenge. Owen’s top four mitigation techniques address some 85% of cyber risks. First, whitelist: ‘lock the door and give good guys the key.’ Second, keep applications up to date—newer software is more secure, ‘we put a lot of effort into this.’ Third, keep your Windows operating system up to date. The latest editions of Windows Server Core are easier to harden—for instance, with only one command you can lose the GUI, ‘you don’t need Solitaire to run PI!’ Fourth, run everything with least privileges: ‘running as admin is like carrying a loaded gun in your pocket. Get off PI Admin.’
A minimum requirement should be to stand up to the Metasploit online library of known vulnerabilities and, although ‘most audits are not even this strong,’ you need to do more. Owen recommends following the Idaho National Labs free course or developing a program along the lines of Israel Electric’s Cyber Gym. He is also an advocate of Microsoft’s Security Compliance Manager (SCM 3.0). Testing cannot be done on a live process, so do it offline or, better still, in the cloud. OSIsoft’s Hard Rock PI challenge was a ‘call to action’ for users to build and test a hardened image of a process, using Microsoft Azure as a safe playground. The challenge ran for a month and saw some 20 virtual machines running. The winner was OSIsoft Bahrain’s Omar Mohsen, whose cyber pitch leveraged AppLocker, OSIsoft’s publisher rules, and Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Owen told Oil IT Journal, ‘The good news came from challengers with fresh innovation and unique approaches. The hardest insights involve gaps that were generally missed. We’ll analyze these areas for potential simplification. The cloud is a safe place to make mistakes. It encourages experimentation and IT/OT collaboration.’
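As an added example, not from Owen’s talk or OSIsoft’s own tooling, the PowerShell below builds the kind of AppLocker publisher-rule whitelist referred to above (the ‘lock the door’ mitigation and the winning Hard Rock PI pitch), in audit mode first so that gaps show up in the event log before anything is blocked; the PI install root, scratch folder and probe file paths are assumptions.

```powershell
# Added example, not from Owen's talk or OSIsoft: whitelist a PI server with
# AppLocker publisher rules, starting in audit mode, then test the policy.
# Assumptions (hypothetical, adjust to your install): PI binaries live under
# $PiRoot; $WorkDir is a scratch folder for the generated policy and reports.
$PiRoot  = 'C:\Program Files\PIPC'
$WorkDir = 'C:\Hardening'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Inventory every executable, DLL and script under the PI install root and
#    read its Authenticode publisher. Unsigned files get no publisher rule, so
#    list them for manual review instead of letting them slip through.
$files = Get-AppLockerFileInformation -Directory $PiRoot -Recurse -FileType Exe, Dll, Script
$files | Where-Object { -not $_.Publisher } |
    Select-Object -ExpandProperty Path |
    Set-Content -Path (Join-Path $WorkDir 'unsigned-review.txt')

# 2. Build publisher rules for the signed files. -Optimize collapses them to
#    one rule per publisher/product, so a vendor update (new version, same
#    signer) keeps running without a policy change.
$xml = $files | Where-Object { $_.Publisher } |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml

# 3. Force every rule collection into AuditOnly first: files outside the
#    whitelist are only logged (event 8003 in the AppLocker/EXE and DLL log)
#    until the log is clean and enforcement can be switched on.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$PolicyXml = Join-Path $WorkDir 'pi-applocker-audit.xml'
Set-Content -Path $PolicyXml -Value $xml

# 4. Before applying, check the policy decision for a PI binary and for an
#    arbitrary unsigned file outside the whitelist (both paths constructed).
$probe = @("$PiRoot\bin\pinetmgr.exe", 'C:\Users\Public\Downloads\unknown.exe')
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. AppLocker needs the Application Identity service; enable it and load the
#    audit policy on this host (-Merge keeps any rules already present).
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
```

Once the audit log shows only expected entries, change AuditOnly to Enabled in the XML and reapply; the unsigned-review list is where a whitelist most often leaks.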
We asked Owen if the cloud would be a good place for real-world implementations, with sensors communicating directly into the cloud. Owen said, ‘The short answer is yes, although a one-size-fits-all architecture is unlikely. Most sensors today are unfit for direct connection to the internet, so a security gateway to the cloud is a practical necessity. Given the impedance mismatch in lifecycles between software- and hardware-based components, this issue will dominate for quite some time. As such, OSIsoft is investing heavily in managed components such as the cloud service gateway and cloud-aware PI connectors.’ More from Hard Rock PI and from the OSIsoft UC in next month’s Journal.
© Oil IT Journal - all rights reserved.