Alert
AL00333 - Meltdown and Spectre: What PI System users need to know about these vulnerabilities
2018-01-08

Summary

This alert addresses common questions and concerns regarding the Windows operating system updates to mitigate the Spectre and Meltdown vulnerabilities. 

Frequently Asked Questions

Q1. How do I protect my system?

A1. For information about these vulnerabilities and how to protect your system, please see the Microsoft security advisory ADV180002 and the support article “Windows Server guidance to protect against speculative execution side-channel vulnerabilities”, which contains an associated FAQ.

A2. There are multiple variables that affect the performance of these mitigations, ranging from the CPU version to the running workloads. In some systems, the performance impact will be negligible, and in others it will be considerable. Microsoft released the blog post “Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems”, which provides rough estimates on performance for different Windows operating systems and classes of CPU. OSIsoft staged representative workloads in our Customer Solutions Lab to assess whether a performance impact can be expected with the updates defined in 4072698. Tests were performed on a PowerEdge R730XD server with 2 Xeon E5-2667 v3 processors (Haswell). Tests were conducted with both intensive and moderate workloads.
 
| Test Case | Before Update | After Update | After Firmware | Mitigations Disabled | Mitigations Enabled |
|---|---|---|---|---|---|
| Total CPU % | 73.9 | 74.1 | 77.4 | 70.0 | 76.0 |
| Archived EPS | 31707 | 30921 | 31852 | 31102 | 31109 |
| Archive Events Read/sec | 5087170 | 4938119 | 5050570 | 4989879 | 4918343 |
| Snapshot EPS | 166851 | 162205 | 167775 | 163247 | 163285 |
| Update Mgr New Events/sec | 728112 | 716921 | 727846 | 723674 | 719339 |
Figure 1: Performance data for an intensive workload in a Windows Server 2016 environment.
 
| Test Case | Before Update | After Update | After Firmware | Mitigations Disabled | Mitigations Enabled |
|---|---|---|---|---|---|
| Total CPU % | 20.0 | 21.0 | 24.1 | 18.5 | 25.1 |
| Archived EPS | 81982 | 82086 | 81924 | 82007 | 82073 |
| Archive Events Read/sec | 39863 | 41469 | 40959 | 42840 | 40299 |
| Snapshot EPS | 247869 | 247294 | 247681 | 247706 | 247644 |
| Update Mgr New Events/sec | 3097 | 3052 | 3050 | 3076 | 3086 |
Figure 2: Performance data for a moderate workload in a Windows Server 2012 R2 environment

Q3. What should I do if my PI System is running in a third-party hosted environment or cloud? 

A3. For OSIsoft customers using Hosted PI, Microsoft Azure is the platform for hosting. The Microsoft Azure Security Blog has posted “Securing Azure customers from CPU vulnerability”, describing the measures taken to protect hosts from this class of issues. If your PI System is hosted through another party, you will have to contact that service provider to make sure that the machines hosting the PI System components are protected.

Q4. Are OSIsoft products exposed to the known issue with CoInitializeSecurity as described in MS KB4056890?

A4. The following PI products could be affected by this issue until addressed by a future Windows Update:
  • PI Interface for Environmental Systems Corp StackVision in all configurations.
  • PI Interface for OPC DA with explicit configuration parameters /DA=NONE /DI=ANONYMOUS.
  • Diagnostic programs and tools delivered with the PI Interface for OPC Alarms & Events, PI Interface for OPC DA, and PI Interface for OPC HDA.
  • PI Batch interface configurations that may be exposed to this issue are still being inspected and will be addressed in the next revision of this bulletin.
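
One way to check an interface node for the PI Interface for OPC DA combination listed in A4, as an added example that is not OSIsoft's own tooling. It assumes the interface's startup parameters are kept in a batch file with caret (^) line continuations; the executable name and /PLACEHOLDER parameter in the sample are constructed.

```powershell
# Added example (not from the alert): report startup commands that carry both
# /DA=NONE and /DI=ANONYMOUS, the parameter combination named in A4.

function Get-StartupCommand {
    param([string[]]$Lines)
    # Assumption: one logical command may span several lines joined by a trailing ^.
    $commands = @()
    $current = ''
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^(rem\b|::)') { continue }   # skip batch comments
        if ($trimmed.EndsWith('^')) {
            $current += $trimmed.TrimEnd('^') + ' '
        } else {
            $current += $trimmed
            if ($current.Trim()) { $commands += $current.Trim() }
            $current = ''
        }
    }
    if ($current.Trim()) { $commands += $current.Trim() }
    return $commands
}

function Test-CoInitExposure {
    param([string]$Command)
    # -match is case-insensitive; require each parameter as a whole token.
    $hasDa = $Command -match '(^|\s)/DA=NONE(\s|$)'
    $hasDi = $Command -match '(^|\s)/DI=ANONYMOUS(\s|$)'
    return ($hasDa -and $hasDi)
}

# Constructed sample input, not a real site configuration.
$sample = @'
REM constructed sample startup file
opc_interface.exe /PLACEHOLDER=1 /da=none ^
    /DI=ANONYMOUS
opc_interface.exe /PLACEHOLDER=2
'@ -split "`r?`n"

foreach ($cmd in Get-StartupCommand -Lines $sample) {
    [pscustomobject]@{ Exposed = (Test-CoInitExposure -Command $cmd); Command = $cmd }
}
```

To scan a real node, pass the output of `Get-Content` for each interface startup file to `Get-StartupCommand` in place of `$sample`.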

Q5. Is FactoryTalk Historian affected by these updates?

A5. Rockwell has published “Microsoft Windows Security Updates for Meltdown/Spectre Vulnerabilities Impact”, describing the impact of these updates on FactoryTalk based products.

Q6. Is Microsoft SQL Server affected by these updates?

A6. Yes, Microsoft has published “SQL Server guidance to protect against speculative execution side-channel vulnerabilities”. 

Revision History:

2018-01-08 – Initial posting.
2018-01-11 – Added preliminary performance impact results, Microsoft known issue impact, and FactoryTalk bulletin.
2018-01-15 – Added final performance impact results, PI Interface configuration options to avoid, and reference to MS SQL guidance.
2018-01-18 – Next planned revision.