Alert
AL00333 - Meltdown and Spectre: What PI System users need to know about these vulnerabilities
2018-01-08

Summary

This alert addresses common questions and concerns regarding the Windows operating system updates to mitigate the Spectre and Meltdown vulnerabilities. 

Frequently Asked Questions

Q1. How do I protect my system?

A1. For information about these vulnerabilities and how to protect your system, please see the Microsoft security advisory ADV180002 and the support article “Windows Server guidance to protect against speculative execution side-channel vulnerabilities”, which contains an associated FAQ.

A2. There are multiple variables that affect the performance of these mitigations, ranging from the CPU version to the running workloads. In some systems, the performance impact will be negligible, and in others it will be considerable. Microsoft released the blog post “Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems”, which provides rough estimates on performance for different Windows operating systems and classes of CPU.

OSIsoft staged representative workloads in our Customer Solutions Lab to assess whether a performance impact can be expected with the updates defined in 4072698. Tests were performed on a PowerEdge R730XD server with 2 Xeon E5-2667 v3 processors (Haswell). Tests were conducted with both intensive and moderate workloads.

| Test Case | Before Update | After Update | After Firmware | January 2018 Mitigations Disabled | January 2018 Mitigations Enabled | February 2018 Mitigations Disabled | February 2018 Mitigations Enabled |
|---|---|---|---|---|---|---|---|
| Total CPU % | 73.9 | 74.1 | 77.4 | 70.0 | 76.0 | 73.9 | 78.7 |
| Archived EPS | 31707 | 30921 | 31852 | 31102 | 31109 | 32367 | 32328 |
| Archive Events Read/sec | 5087170 | 4938119 | 5050570 | 4989879 | 4918343 | 5066558 | 5013537 |
| Snapshot EPS | 166851 | 162205 | 167775 | 163247 | 163285 | 171208 | 171015 |
| Update Mgr New Events/sec | 728112 | 716921 | 727846 | 723674 | 719339 | 739500 | 735684 |

Figure 1: Performance data for an intensive workload in a Windows Server 2016 environment.

| Test Case | Before Update | After Update | After Firmware | January 2018 Mitigations Disabled | January 2018 Mitigations Enabled | February 2018 Mitigations Disabled | February 2018 Mitigations Enabled |
|---|---|---|---|---|---|---|---|
| Total CPU % | 20.0 | 21.0 | 24.1 | 18.5 | 25.1 | 19.3 | 23.2 |
| Archived EPS | 81982 | 82086 | 81924 | 82007 | 82073 | 82065 | 80059 |
| Archive Events Read/sec | 39863 | 41469 | 40959 | 42840 | 40299 | 43009 | 41741 |
| Snapshot EPS | 247869 | 247294 | 247681 | 247706 | 247644 | 247791 | 242056 |
| Update Mgr New Events/sec | 3097 | 3052 | 3050 | 3076 | 3086 | 3083 | 2990 |

Figure 2: Performance data for a moderate workload in a Windows Server 2012 R2 environment.

Q3. What should I do if my PI System is running in a third-party hosted environment or cloud? 

A3. For OSIsoft customers using Hosted PI, Microsoft Azure is the platform for hosting. The Microsoft Azure Security Blog has posted “Securing Azure customers from CPU vulnerability”, describing the measures taken to protect hosts from this class of issues. If your PI System is hosted through another party, you will have to contact that service provider to make sure that the machines hosting the PI System components are protected.

Q4. Are OSIsoft products exposed to the known issue with CoInitializeSecurity as described in MS KB4056890?

A4. The following PI products could be affected by this issue until addressed by a future Windows Update:
  • PI Interface for Environmental Systems Corp StackVision in all configurations.
  • PI Interface for OPC DA with explicit configuration parameters /DA=NONE /DI=ANONYMOUS.
  • Diagnostic programs and tools delivered with the PI Interface for OPC Alarms & Events, PI Interface for OPC DA, and PI Interface for OPC HDA.
  • PI Batch interface for Emerson DeltaV Batch (EMDVB) and Emerson Syncade (EMDVBCS) configured for OPC AE mode.

Q5. Is FactoryTalk Historian affected by these updates?

A5. Rockwell has published “Microsoft Windows Security Updates for Meltdown/Spectre Vulnerabilities Impact”, describing the impact of these updates on FactoryTalk based products.

Q6. Is Microsoft SQL Server affected by these updates?

A6. Yes, Microsoft has published “SQL Server guidance to protect against speculative execution side-channel vulnerabilities”. 

Revision History:

2018-01-08 – Initial posting.
2018-01-11 – Added preliminary performance impact results, Microsoft known issue impact, and FactoryTalk bulletin.
2018-01-15 – Added final performance impact results, PI Interface configuration options to avoid, and reference to MS SQL guidance.
2018-01-18 – Updated the list of affected interfaces. No further revisions planned at this time.
2018-03-23 – Updated performance impact data to include February 2018 mitigations.