OSIsoft PI Data Archive
Monitor | 7.5 | ICS-CERT ICSA-18-072-02 | Mar 13, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
OSIsoft PI Data Archive versions 2017 and earlier contain an input validation flaw (CWE-20) that allows remote attackers to trigger a denial of service condition. The service does not properly validate incoming requests, enabling an unauthenticated attacker on the network to craft a malicious request that causes the historian to stop responding. This affects data collection, storage, and availability of historical process data. No patch has been released; PI Data Archive 2017 and earlier are considered end-of-life products.
What this means
What could happen
An attacker can remotely cause the PI Data Archive to become unavailable or stop responding, disrupting historian services that record and store critical process data from your ICS devices.
Who's at risk
Water authorities and electric utilities using OSIsoft PI Data Archive for process historian functionality should prioritize this. The PI Data Archive is a critical data collection point for most distributed control systems (DCS), PLCs, and SCADA networks that feed operational data to the historian for trending, alarming, and diagnostics.
How it could be exploited
An attacker on the network can send a specially crafted request to the PI Data Archive on its network port. The service does not properly validate the input, leading to a denial of service condition that makes the historian unresponsive to legitimate data collection and queries.
Prerequisites
- Network access to PI Data Archive service port (typically port 5450)
- No authentication required
- PI Data Archive version 2017 or earlier
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects historian/monitoring systems
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product | Affected Versions | Fix Status
PI Data Archive | ≤ 2017 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Isolate PI Data Archive and control system networks behind firewalls from the business network and Internet
- WORKAROUND: Restrict network access to PI Data Archive to only authorized engineering workstations and data collection nodes using host-based or network firewalls
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: If remote access is required, enforce use of VPN with current patches and restrict VPN client access to necessary users and systems only
- HOTFIX: Plan upgrade to PI Data Archive version 2018 or later during scheduled maintenance window
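One way to apply the host-based firewall workaround above, as an added example that is not from OSIsoft or the advisory. It assumes the historian host uses Windows Defender Firewall and listens on TCP 5450; the source addresses and the rule name are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: limit inbound TCP 5450 on the PI Data Archive host to an allowlist.
# Assumptions: Windows Defender Firewall is in use; addresses are placeholders
# from the RFC 5737 documentation ranges; the rule name is hypothetical.

$PiPort = 5450
$AllowedSources = @(
    '192.0.2.10',       # engineering workstation (placeholder)
    '192.0.2.21',       # data collection node (placeholder)
    '198.51.100.0/28'   # interface node subnet (placeholder)
)
$RuleName = 'PI Data Archive 5450 - allowlisted sources only'

# 1. Audit: allow rules are additive, so any enabled inbound rule that admits
#    TCP 5450 from "Any" defeats the allowlist. List candidates for review
#    instead of disabling them blindly. Port ranges such as "5000-6000" are not
#    expanded here, and program-scoped rules for unrelated executables can be ignored.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        $coversPort = ($port.Protocol -in 'TCP', 'Any') -and
            (($port.LocalPort -contains 'Any') -or ($port.LocalPort -contains "$PiPort"))
        if ($coversPort -and ($addr.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                LocalPort = $port.LocalPort -join ','
                Program   = $app.Program
            }
        }
    }
$broad | Format-Table -AutoSize

# 2. Create the scoped allow rule, or refresh its allowlist if it already exists.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $AllowedSources
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $PiPort -RemoteAddress $AllowedSources `
        -Profile Any | Out-Null
}

# 3. The allowlist only holds if unmatched inbound traffic is dropped: flag any
#    profile that is disabled or whose default inbound action is Allow.
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' } |
    Select-Object Name, Enabled, DefaultInboundAction
```

Any rule listed by step 1 that applies to the historian service needs its remote address scope narrowed or the rule disabled before the allowlist takes effect.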