Submitting your feedback...
Knowledge Base Article
KB01092 - PI System and Data Encryption
Product: PI AF / PI Data Archive
Version(s): any

(December 2016) This article mentions PI trusts, now superseded by more secure forms of authentication. AL00309 discusses the move from PI trusts to Windows Integrated Security (WIS) for PI API.  

Issue

What encryption features are available with the PI System?

Solution

While encryption can be enabled to enhance PI System security, you should firstly use network infrastructure to protect the PI System from the internet or other high-risk scenarios. Although encryption provides privacy and integrity, it does not guarantee security. Isolating the PI System from less trusted connections is the best approach to security.

For example, the best practice to secure the PI System data services (the PI Server, PI AF Server, and SQL server) is to locate them in a DMZ where all network traffic from the business network and the process control network terminates. The use of application servers such as PI Vision will also help to isolate the PI Server from clients on the less trusted business network. Once the network architecture for the PI system is isolated, encryption can be enabled to enhance network privacy.

Note: encryption of PI data over the wire and of data on disk involves multiple transports and multiple data stores. Examples of transports used between PI clients and PI systems include PI API, PI SDK, and PI AF SDK. Examples of PI System data stores are archive files, server configuration files, and MS SQL databases.

Encrypting client connections to the PI Data Archive and PI AF Server

With supported software component versions, use of Windows Integrated Security enables transport security on communications with the PI Server.  Supported versions are PI Data Archive 2015 or later with the connecting client using:
  • PI Buffer Subsystem 4.4 or later
  • PI AF SDK 2015 or later
  • PI SDK 2016 or later
  • PI API 2016 for Windows Integrated Security
Transport security uses Windows SSPI for encryption to provide confidentiality and signing of messages for integrity.  Windows based transport security uses symmetric key encryption and hash based message authentication codes. The cipher algorithm is negotiated during logon. AES256-CTS-HMAC-SHA1-96 is typical for a Windows 7 Client with Active Directory. RC4-HMAC is expected with workgroup endpoints.  Please see KB01457 for guidance on configuring PI applications deployed in untrusted domains or workgroups to use Windows Integrated Security. 

For earlier versions, the PI System does not provide its own network and data encryption.  For these cases encryption is an area where OSIsoft recommends relying on Microsoft's tools and industry best practices. 
  • The data communication between PI Server and PI Clients/Interfaces uses TCP/IP. To encrypt this communication, we recommend using IPSec. IPSec is available in Windows and can be easily configured. For more information on IPSec and how to enable it, please see IPsec on TechNet.
  • The authentication of Windows credentials between PI SDK 1.3.6 or later and PI Server 3.4.380 or later is encrypted via Windows Integrated Security (WIS). Note that PI trust and explicit login authentication is not encrypted by WIS.
  • PI API authentication prior to PI API 2016 for Windows Integrated Security is not natively encrypted.
Communication between PI Data Archive Collective members is secured with a different mechanism than the aforementioned transport security for client connections. Connections between collective members use certificates for authentication and Transport Layer Security (TLS), implemented in PI Data Archive 2017 and later.

Encrypting PI System data at rest

The PI System is compatible with whole disk encryption solutions such as BitLocker, Windows EFS, or as provided by SAN storage mechanisms.

Encrypting client connections to web applications

OSIsoft recommends securing web applications with TLS/HTTPS.  PI Vision and PI Web API endpoints are configured with HTTPS by default.  Use of a certificate from a trusted 3rd party for HTTPS bindings is strongly recommended.  

Encrypting Connections to MS SQL Server and Web Services

Microsoft SQL Server can use TLS to encrypt data that is transmitted across a network between an instance of SQL Server and a client application. This affects connections between the SQL server and PI AF and linked PI servers via PI OLEDB. For more information on encrypting connections to SQL server, please see Encrypting Connections to SQL Server on TechNet.

For PI WebParts, communication with web service data sources can be protected using a secure transport, such as TLS or HTTPS.  PI Web Services also supports SSL and HTTPS. See the PI Web Services user guide for more details.

For more information on configuring TLS and HTTPS for Windows, please see Configuring HTTP and HTTPS on MSDN
Article ID: KB01092 Created: 2014-09-05
Article Type: Informational Last Updated: 2018-04-05