Cyber Security Best Practices for the AVEVA PI System

Posted in Blog on January 28th, 2025

With the rise in cyber threats, it’s vital to implement strong cyber security measures to protect your data and ensure your systems run smoothly.

In this article, James Lewis, Principal Systems Engineer at ITI Group, offers essential strategies and best practices to bolster the cybersecurity of your AVEVA PI System.

 

1. Ensure Platform Security

Without adequate platform security in place, any other software security measure may be redundant.

  • Upgrade servers to the latest Windows OS and ensure they are updated with patches.
  • Use Windows Server Core to reduce the attack surface, as fewer services are required to run.
  • Whitelist only trusted applications using tools such as Windows Defender Application Control (WDAC) to prevent malicious applications from running.
  • Run antivirus software to detect known viruses and suspicious activity.

 

2. Regular Software Updates and Patches

Regularly updating software is one of the most effective methods to safeguard against vulnerabilities. Make sure all components of your AVEVA PI System are consistently updated with the latest patches and security updates. AVEVA digitally signs all installation packages, so be sure to verify the digital signature on download. By subscribing to ITI Group’s PI System Newsletter, we will keep you updated on the latest software updates, patches and vulnerabilities.
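
One way to carry out the signature check before an installer is run, as an added example rather than ITI Group's or AVEVA's own tooling. The staging folder and the publisher text matched against the signer subject are assumptions; confirm the expected signer details with AVEVA.

```powershell
# Added example: check Authenticode signatures on staged installers before running them.
param(
    [string]$DownloadDir = 'C:\Staging\PI-Installers',  # hypothetical staging folder
    [string]$ExpectedPublisher = 'AVEVA'                 # assumption: text expected in the signer subject
)

$results = Get-ChildItem -Path $DownloadDir -Recurse -File -Include *.exe, *.msi |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $_.Name
            Status      = $sig.Status   # 'Valid' = signature verified and certificate chain trusted
            Signer      = if ($cert) { $cert.Subject } else { '(unsigned)' }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { '' }
            Timestamped = [bool]$sig.TimeStamperCertificate
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # Accept only a valid signature whose signer subject names the expected publisher.
            Trusted     = ($sig.Status -eq 'Valid') -and $cert -and
                          ($cert.Subject -like "*$ExpectedPublisher*")
        }
    }

$results | Format-List

# Anything unsigned, tampered with, or signed by someone else blocks the installation.
$rejected = @($results | Where-Object { -not $_.Trusted })
if ($rejected.Count -gt 0) {
    Write-Warning ("Do not install: " + ($rejected.File -join ', '))
    exit 1
}
```

Recording the thumbprint and SHA256 alongside the change record makes it possible to show later exactly which package was installed.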

 

3. Application Hardening

Applications can be configured in numerous ways, some more secure than others. Ensure that each component of your AVEVA PI System is hardened to minimise the attack surface. For instance, run services as virtual or domain accounts and give them minimum permissions to the Operating System and all applications. Secure web servers such as IIS for PI Vision to limit Denial of Service and configure HTTP headers to remove server information and add layers of defence (e.g. Content Security Policy, XSS Protection, Referrer Policy).
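
A read-only check of what the PI Vision web server actually returns is a quick way to confirm the header hardening took effect. This is an added example, not part of the original article; the URL is hypothetical and the list of server-information headers is an assumption about a typical IIS and ASP.NET deployment.

```powershell
# Added example: read-only check of the response headers returned by a PI Vision site.
param([string]$Uri = 'https://pivision.example.com/PIVision/')  # hypothetical URL

$shouldBeAbsent  = 'Server', 'X-Powered-By', 'X-AspNet-Version'            # server information
$shouldBePresent = 'Content-Security-Policy', 'X-XSS-Protection', 'Referrer-Policy'

function Get-HeaderValue($Headers, [string]$Name) {
    # Header dictionaries differ between PowerShell versions, so match the key case-insensitively
    # and flatten multi-valued headers to one string.
    $key = $Headers.Keys | Where-Object { $_ -eq $Name } | Select-Object -First 1
    if ($key) { @($Headers[$key]) -join ', ' }
}

# Uses the caller's Windows identity; the request must succeed for the check to run.
$response = Invoke-WebRequest -Uri $Uri -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop

$findings = foreach ($name in $shouldBeAbsent + $shouldBePresent) {
    $value       = Get-HeaderValue $response.Headers $name
    $present     = $null -ne $value
    $wantPresent = $shouldBePresent -contains $name
    [pscustomobject]@{
        Header = $name
        Value  = $value
        Expect = if ($wantPresent) { 'present' } else { 'absent' }
        Result = if ($present -eq $wantPresent) { 'OK' } else { 'REVIEW' }
    }
}

$findings | Format-Table -AutoSize -Wrap
```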

 

4. Implement Robust Access Controls

Our PI System Audits often turn up a range of authentication and permission vulnerabilities. How can you get a head-start on mitigating these risks in your organisation?

  • Limit access to your AVEVA PI System strictly to those who require it and give least privilege permissions (e.g. do not use piadmin, use read only roles, control write access).
  • Use Windows authentication (WIS) or OpenID Connect (OIDC) to authenticate to the PI System.
  • Use Kerberos delegation to pass user credentials from PI Vision to PI AF and Data Archive to ensure they are given appropriate access.
  • Use Windows Credential Manager for authenticating PI Interfaces in a non-domain environment to a PI Data Archive, or switch to PI Connectors or PI Adapters.
  • Regularly review and update access permissions to ensure that only authorized personnel have access.

Look out for our future PI System newsletter ‘Getting PI Security Right’ for more details or get in touch if you would like to consider a PI System Audit to assess your system’s security and performance.

 

5. Network Segmentation

Divide your network to isolate critical systems from less secure areas using models such as the Purdue Model.

The AVEVA PI System consists of components that can span multiple network levels. The latest technologies, such as PI Adapters in combination with PI Web API, ensure that the data protocol changes across each segment and that connections are made from the most secure network to the least secure one. This approach helps contain potential breaches and prevents them from spreading throughout your entire network. Employ firewalls and other network security measures such as data diodes to establish barriers between different segments. Only allow the required connections and ensure these are reviewed regularly.

 

 

 

6. Utilise Secure Communication Protocols

Make sure all data transmitted between the various components of the AVEVA PI System is encrypted using secure communication protocols. This measure helps protect sensitive information from being intercepted by unauthorized parties:

  • PI Vision and PI Web API should be configured to use HTTPS.
  • Connections to PI Data Archive should use Windows authentication or OIDC to ensure the connection is encrypted.
  • Disable deprecated transport layer security protocols such as SSL 3.0, TLS 1.0 and TLS 1.1.
  • Avoid use of PI Trusts without OIDC, as the older protocol does not apply encryption.
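
To see whether the deprecated protocols are explicitly disabled on a PI server, the Schannel registry settings can be read as follows. This is an added example, not part of the original article; it only reads the registry and changes nothing.

```powershell
# Added example: report the Schannel state of SSL 3.0, TLS 1.0 and TLS 1.1 on this server.
$base       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$deprecated = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

$report = foreach ($proto in $deprecated) {
    foreach ($role in 'Server', 'Client') {
        $key   = Join-Path $base "$proto\$role"
        # A missing key or value means the Windows version's default applies.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $state = if (-not $props -or $null -eq $props.Enabled) {
            'OS default (not explicitly disabled)'
        } elseif ($props.Enabled -eq 0) {
            'Disabled'
        } else {
            'Enabled'
        }
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = $props.Enabled
            DisabledByDefault = $props.DisabledByDefault
            State             = $state
        }
    }
}

$report | Format-Table -AutoSize

# Anything not explicitly disabled deserves a look before the next audit.
$open = @($report | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    Write-Warning ("{0} protocol/role combinations are not explicitly disabled." -f $open.Count)
}
```

The Server rows govern inbound connections such as HTTPS to PI Vision and PI Web API; the Client rows govern outbound connections made from the same machine.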

 

7. Use the Latest Technologies

Occasionally, software products are replaced with newer products or technologies that are typically inherently more secure. As mentioned above, PI Adapters are the latest technology from AVEVA for data collection, and their multi-layer design with PI Web API enables effective network segmentation. AVEVA CONNECT Data Services can replace PI to PI connections over VPN for sharing data with external organisations, so you do not need to join your networks, and it allows access to be controlled via AVEVA CONNECT per external organisation rather than on a tag-by-tag basis.

 

8. Regular Backups

Consistently back up all AVEVA PI System components and data to ensure swift recovery in the event of a cyber-attack:

  • PI Data Archive has a built-in local backup mechanism, and the resulting backups can be copied off-site by a third-party solution. PI AF and Vision SQL databases should be backed up.
  • All other components, such as PI Connectors/Adapters, will require server backups, or their configuration should be documented and backed up.
  • Store these backups in a secure, off-site location and periodically test them to confirm successful restoration.

 

9. Incident Response Plan

Create and maintain an incident response plan to swiftly address any security breaches. This plan should outline steps for identifying, containing, and mitigating the impact of an attack, as well as procedures for communicating with stakeholders and restoring normal operations. Mitigation steps should include severing certain network segments as detailed above.

 

By adhering to these best practices, you can greatly improve the cybersecurity of your AVEVA PI System and safeguard your valuable data from cyber threats. Stay alert and proactive in your cybersecurity measures to guarantee the continued success and protection of your operations.

 

Learn more about ITI Group’s AVEVA PI System services and solutions here.
