OSIsoft PI System (Update A)

Plan PatchCVSS 7.8ICS-CERT ICSA-20-133-02May 12, 2020

SiemensOSIsoftEnergy

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

OSIsoft PI System contains multiple local privilege escalation and code execution vulnerabilities across core components including PI Data Archive, PI connectors (BACnet, UFL, Siemens PCS 7, CygNet, HART-IP, Ethernet/IP, OPC-UA, IEC 60870-5-104), PI API, PI Asset Framework Client, PI Vision, PI ProcessBook, PI DataLink, PI Manual Logger, PI Data Collection Manager, PI Buffer Subsystem, and applications built on the PI SDK. The vulnerabilities stem from unsafe deserialization, insecure library loading, improper access controls, and unvalidated input handling. An attacker with local access to affected systems could execute arbitrary code and access sensitive process data.

What this means

What could happen

An attacker with local access to a PI System server or workstation could execute arbitrary code with local privileges, potentially modifying or deleting process data, altering historian configurations, or disrupting data collection and monitoring across your facility's operational networks.

Who's at risk

Water and electric utilities using OSIsoft PI System for data collection, historian functions, and process monitoring. This affects PI Data Archive servers, interface nodes running connectors (BACnet, Siemens PCS 7, Ethernet/IP, OPC-UA, HART-IP, etc.), PI Vision dashboards, PI ProcessBook, and any engineering workstations running PI SDK applications or PI Asset Framework clients.

How it could be exploited

An attacker with local logon access (or remote desktop/console access if enabled) to a PI System server, interface node, or engineering workstation could exploit privilege escalation, insecure deserialization, or unsafe library loading vulnerabilities to run arbitrary code with the privileges of the logged-in user or the service account running PI components.

Prerequisites

Local logon access to a PI System server, interface node, or workstation
Remote desktop or console access if enabled on unattended servers
User-level or service account privileges (no admin rights required for some vulnerabilities)
Vulnerable PI System component installed (Data Archive, Connector, SDK application, or PI Vision)

no patch availablemultiple privilege escalation vectorsaffects historian and data collection infrastructureaffects engineering workstations and serverslow complexity exploitation

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (28)

1 with fix27 EOL

ProductAffected VersionsFix Status

PI Connector for BACnet:≤ 1.2.0.6No fix (EOL)

PI API for Windows Integrated Security:≤ 2.0.2.5No fix (EOL)

Applications using PI Software Development Kit (SDK):≤ PI SDK 2018 SP1 Version 1.4.7.602No fix (EOL)

PI Data Archive: 2018 and 2018 SP2 only2018 | 2018 SP2No fix (EOL)

PI Connector for UFL:≤ 1.3.1.135No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict console and remote desktop logon access to PI System servers and interface nodes to authorized administrators only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXApply individual security updates for core PI System components as released by OSIsoft

HARDENINGRemove PI Asset Framework (AF) Client .NET 3.5 after upgrading PI System desktop applications (PI ProcessBook, PI DataLink, etc.) to 2015 or later

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: PI Connector for BACnet:, PI API for Windows Integrated Security:, Applications using PI Software Development Kit (SDK):, PI Data Archive: 2018 and 2018 SP2 only, PI Connector for UFL:, PI Connector for Siemens Simatic PCS 7:, PI Connector for CygNet:, PI Connector for DC Systems RTscada:, PI to OCS:, PI Connector for Ping:, PI Data Collection Manager:, PI Data Archive:, PI Integrator for Business Analytics:, PI Manual Logger: 2017 R2 Patch 1 and prior, PI Connector for Ethernet/IP:, PI Connector for Wonderware Historian:, PI Vision 2019: and prior, RtReports:, PI Connector for OPC-UA:, PI Connector Relay:, PI Connector for IEC 60870-5-104 versions: prior to and including 1.2.2.79, PI Buffer Subsystem:, PI Interface Configuration Utility (ICU):, PI Connector for HART-IP:, PI API:, PI Vision: 2019 and prior versions, PI Data Archive: 2018 SP2 and prior versions. Apply the following compensating controls:

HARDENINGSegment PI System servers and interface nodes from general network access using firewall rules and network isolation

CVEs (10)

CVE-2020-10610 CVE-2020-10608 CVE-2020-10606 CVE-2020-10604 CVE-2020-10602 CVE-2020-10600 CVE-2019-10768 CVE-2020-10643 CVE-2020-10614 CVE-2019-18244

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/83ef0165-8073-4b93-994d-be9219f16f5b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.