OSIsoft PI Coresight and PI Web API (Update A)

Monitor6.1ICS-CERT ICSA-17-010-01AJan 10, 2017

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

OSIsoft PI Coresight and PI Web API versions 2016 R2 and earlier store sensitive information (process data, credentials, configuration) in an insufficiently protected manner. A local user on the Windows server can access this sensitive data without elevated privileges. This affects PI Coresight 2016 R2 and earlier, and PI Web API 2016 R2 when deployed with the PI AF Services 2016 R2 integrated install kit.

What this means

What could happen

An authenticated attacker with local access to a Windows server running PI Coresight or PI Web API could read sensitive data from process historian logs and configuration files. This could expose production setpoints, historical process data, and system credentials that an attacker could use for further attacks on the industrial process.

Who's at risk

Water utilities and electric utilities operating OSIsoft PI systems for process historian and real-time monitoring. This affects facilities using PI Coresight (the web-based dashboarding front-end) or PI Web API (the data access layer) for SCADA, historian, and process control integration, particularly those running older 2016 R2 versions.

How it could be exploited

An attacker with a local user account on the Windows server runs a command-line tool or script to access application memory or log files storing unencrypted sensitive data. No network access required—the attacker must already have local login capability to the server.

Prerequisites

Local user account on the Windows server running PI Coresight or PI Web API
Ability to execute commands or read application directories with standard user privileges
PI Coresight 2016 R2 or earlier, OR PI Web API 2016 R2 deployed with PI AF Services 2016 R2 integrated install kit

Affects sensitive data storage (historian logs and credentials)Requires local access (lower remote risk but high insider risk)Low complexity attackAffects process visibility and control systems

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

PI Coresight: 2016 R2 and earlier versions< 2016 R22017 or later

PI Web API: 2016 R2 when deployed using the PI AF Services 2016 R2 integrated install kit2016 R2 (when deployed using the PI AF Services 2016 R2 integrated install kit)2017 or later

Remediation & Mitigation

0/5

Do now

0/1

HARDENINGRestrict local login access to PI Coresight and PI Web API servers to authorized engineers only; use Windows access controls to limit who can log in

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade PI Coresight to version 2017 or later

HOTFIXUpgrade PI Web API to version 2017 or later

HOTFIXUpgrade PI AF Services integrated install kit to version 2017 SP1 or later

Long-term hardening

0/1

HARDENINGAudit Windows event logs and file access on PI servers to detect unauthorized local access attempts

CVEs (1)

CVE-2017-5153

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9466cc59-b075-4996-a787-cf431ccdde48