An ICS-CERT advisory was issued last week by OSIsoft, a leading operational software vendor.
In the advisory, OSIsoft reported a vulnerability affecting its PI System, a data management platform that accesses a broad range of core OT network assets at the sites where it is deployed.
PI System runs and manages many of the world's most critical infrastructures. Installed in over 19,000 industrial sites in 107 countries worldwide, the system is used by 15 of 16 sectors of US critical infrastructure as defined by a United States Presidential Policy Directive.
The PI System collects, stores, and organizes data from all plant data sources and is accessed by company operators, engineers, managers, and other plant personnel. They retrieve data from it via various human-machine interfaces (HMIs) and client-side applications, some of which use the PI Web API.
This vulnerability, which could have had massive implications if exploited, was discovered by the OTORIO Incident Response (IR) team.
The vulnerability was given a score of 7.7 on the Common Vulnerability Scoring System (CVSS), a software vulnerability metric that runs from 0 to 10. A score of 7 or more denotes a high-severity risk to company assets and indicates a high priority for immediate mitigation. OSIsoft suggested that its users upgrade to PI Web API 2019 SP1.
Step-by-Step, Real Life Attack Scenario
The discovered vulnerability, if exploited, could enable attackers to run client-side code in users' browsers and deceive users into providing their credentials to the attackers. The exploit is triggered when a user passes the cursor over an infected field in the PI System.
OTORIO created a short video illustrating the vulnerability which you can view below.
How would this vulnerability play out in a real-life scenario?
Why Should You Care?
At this point, an attacker with the user’s credentials in hand can wreak havoc on the PI System at any location running the software.
Here are some ways exploiting the vulnerability can cause damage:
After an attacker gains access to production floor machinery, OT professionals have to immediately assess and isolate the vulnerability. As part of their assessment, they need to know:
OSIsoft's Immediate Response
The vulnerability affects the PI System’s PI Web API 2019 version 18.104.22.16846, and all previous versions. OSIsoft immediately issued a knowledge base article and an update for customers.
This vulnerability was found and mitigated before it was exploited. Other critical infrastructure systems may have undiscovered vulnerabilities which might threaten their systems. For additional information about securing your industrial operation, email us at [email protected].