PN889 | FT Historian SE OSIsoft PI Data Archive Vulnerabilities

Severity: Critical
Advisory ID: PN889
Published Date: February 11, 2020
Last Updated: February 11, 2020
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Summary
FT Historian SE OSIsoft PI Data Archive Vulnerabilities

Description

October 1st, 2015 - Version 1.0

On August 13th 2015, the Rockwell Automation Security Taskforce became aware of an advisory published by ICS-CERT (ICSA-15-225-01), which stated that OSIsoft disclosed and resolved 56 security vulnerabilities in their PI Server 2015 release. In addition to PI Server 2015, OSIsoft has also released PI Server 2012 SP1, which includes a subset of the vulnerabilities fixed in the 2015 version. OSIsoft is strongly recommending that users upgrade to the PI Server 2015 release.

FactoryTalk Historian SE includes the OSI PI Server 2012 product, including the PI Data Archive component, in the standard product image. As part of this process, Rockwell Automation has investigated the reported vulnerabilities and has concluded that FT Historian SE customers are likely vulnerable to the same set of vulnerabilities as the PI Server product. At the time of publication, no known public exploits exist for these vulnerabilities.

Details relating to these vulnerabilities, the known affected platforms and recommended mitigations are contained herein.

AFFECTED PRODUCTS

  • FactoryTalk Historian SE (9518-HSEx), Versions 2.00.00, 2.10.00, 2.20.00, 3.01.00 and 4.00.00

Rockwell Automation is continuing to investigate these vulnerabilities and is actively determining future plans to address them, including incorporating the updated OSI PI Server into FactoryTalk Historian Server. This advisory will be updated when these plans are determined, as well as when updated software is available for customers to upgrade their systems. We recommend that customers apply the mitigations detailed below and subscribe to this article to receive the abovementioned notifications when updated.

VULNERABILITY DETAILS

According to both the ICS-CERT and OSIsoft disclosures, a portion of the highest-severity vulnerabilities may allow remote code injection by an attacker who sends a specially crafted sequence of packets to the PI Server contained in FT Historian SE.

To be successful, the attacker must have network connectivity to reach the server running FT Historian SE and be able to access port 5450 on that system. A successful exploit would allow an attacker to gain full privileges on the Windows system. With this level of access, an attacker could tamper with the system or product binaries, read and write arbitrary data, and/or tamper with user accounts on the system.

According to these disclosures, these vulnerabilities can also be used to create a Denial-of-Service (DoS) condition on the target server, rendering the FT Historian SE server unavailable to the automation system, and potentially cause either loss or corruption of the PI Server data.

RISK MITIGATIONS

  • Limit access to PI Server Port 5450, which reduces exposure to the highest-rated vulnerabilities.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
  • Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.
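
One way to apply the first mitigation on the Windows host running FT Historian SE, using Windows Defender Firewall. This is an added example, not part of the Rockwell Automation or OSIsoft guidance; the peer addresses and rule name are constructed placeholders, and it assumes the firewall's default inbound action is Block.

```powershell
# Added example: scope inbound access to PI Server port 5450 to known peers.
# Assumptions: run elevated on the Historian server; default inbound action is Block.
$PiPort       = 5450
$AllowedPeers = @('192.0.2.10', '192.0.2.11')   # constructed placeholders (documentation range)

# True when a firewall port specification ('Any', '5450', '5000-6000', ...) covers $Port.
function Test-CoversPort([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# 1. Find enabled inbound Allow rules that admit TCP 5450 from any remote address.
#    Rules with LocalPort 'Any' are usually program-scoped; review them rather than
#    assuming they expose the PI Server.
$exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        ($pf.Protocol -in 'TCP', 'Any') -and
        (Test-CoversPort $pf.LocalPort $PiPort) -and
        ($af.RemoteAddress -contains 'Any')
    }
$exposed | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 2. Add an Allow rule for 5450 that names only the peers that need PI access.
New-NetFirewallRule -DisplayName 'PI Server 5450 (scoped peers)' `
    -Direction Inbound -Protocol TCP -LocalPort $PiPort `
    -RemoteAddress $AllowedPeers -Action Allow | Out-Null

# 3. Preview disabling the broad rules found in step 1. Remove -WhatIf only after
#    confirming that each listed rule is not needed by another service.
$exposed | Disable-NetFirewallRule -WhatIf

# 4. Verify from a host that is NOT in $AllowedPeers (expect TcpTestSucceeded = False):
#    Test-NetConnection -ComputerName <historian-server> -Port 5450
```

Host firewall scoping complements, and does not replace, the network-level isolation listed in the other mitigations.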

ADDITIONAL LINKS

  • OSIsoft Releases Multiple Security Updates for the PI System (OSIsoft)
  • PI System Firewall Port Requirements (OSIsoft, Registration Required)
  • Rockwell Automation Security Advisory Index, Knowledgebase article KB:54102

KCS Status

Released
