Capula Response to OSISoft® Security Advisory Alert
June 2020 Security alert for the PI System™ software
Earlier this year OSIsoft® issued a security alert for their PI System™ software. This alert listed several vulnerabilities, some rated High (7.8) using the Common Vulnerability Scoring System. Because some of the vulnerabilities are in the middleware components used for communication in the PI System™ (AF Client, PI SDK, and PI-API), a wide range of OSIsoft® products that makes use of these components is included in the alert. Some products also have their own specific security issues.
The practice of publicly disclosing internally discovered vulnerabilities is consistent with the Common Industrial Control System Vulnerability Disclosure Framework developed by the Industrial Control Systems Joint Working Group (see Links). Despite the increased risk posed by greater transparency, OSIsoft® is making this information public to help you make an informed decision about when to upgrade, to ensure your PI System™ has the best available protection.
How could this affect me?
The vulnerabilities are stated as being in the most recent version of each product (prior to the advisory) and all previous versions. For most customers, Capula anticipate that nearly all the OSIsoft® products that they use (client and server) will be affected.
OSIsoft® recommended mitigation strategy is to upgrade to the latest release of each product, issued specifically to include security updates to fix the vulnerabilities. Patches for older versions of software are not available. OSIsoft® have made available for download new installation kits for most products affected, and there are temporary workarounds for products that do not yet have new kits.
An additional requirement is to uninstall “AF Client .NET 3.5” from all machines that have it. (Note: this is an OSIsoft® product – it does not refer to the Microsoft .NET Framework 3.5 itself). This uninstall must not be done unless all affected OSIsoft products on the machine have been upgraded.
Another OSIsoft® recommendation is to limit access to servers, via console or remote desktop, to authorized administrators, and to apply a number of other defensive measures, some of which could be high impact for system administrators and users.
Customers should read the OSIsoft® alert statement and assess the risk to their own systems and data from these vulnerabilities when deciding what action, if any, to take. For full details, please see the link below:
Capula believe that if the following three conditions are met, the required upgrades should be reasonably straightforward and could be carried out by the customer.
There is an up to date inventory of all OSIsoft products, with versions, on all machines on the customer network.
All installed OSIsoft product versions and Windows platforms are fairly recent (installed or updated within the last 4-5 years).
A trained PI System manager is available with experience in installing and upgrading all kinds of PI Software.
Where clients are installed using automated techniques (standard system images, packaged deployment tools such as Microsoft Endpoint Configuration Manager (formerly SMS), or through a virtual desktop manager such as Citrix), the IT function that controls this must be involved. This is likely to be a less painful operation than if there are many local clients installs which must be tracked down, individually assessed and upgraded.
However, where older OSIsoft® products, and/or Windows versions (prior to Windows 2012 for example) are in use, the process of upgrading could become quite complex – perhaps even requiring complete migration to a new system or virtual machine. Many of the most recent OSIsoft® server products will not install on Windows 2008 or older systems, and clients require at least Windows 8.1. Any older clients (for example, in control rooms) that were accidentally missed would be likely to stop working. Such problematic upgrades must be identified, and a detailed upgrade plan put in place.
Capula can provide the following services to aid customers in successfully implementing their security update