Security best practices for PI Connector for IEC 61850
- Last Updated: Jan 11, 2023
To mitigate security vulnerabilities, apply the following security best practices to harden your connector, relay, and PI Data Collection Manager.
Note: Configure security settings before starting the connector, relay and PI Data Collection Manager.
OSIsoft recommends the following:
- Ensure the service identities for the connector, relay, and PI Data Collection Manager do not have domain or host administrative privileges.
- Confirm that members of the "PI Trusted Installers" Windows group on the PI Data Collection Manager host do not have domain or host privileges. The purpose of the accounts in this group is to signal the occurrence of an installation of a connector to the PI Data Collection Manager.
- Block access to the connector administration port using a firewall if your usage scenario does not require remote access to the connector administration website. This suggestion does not apply to the PI Connector Relay and PI Data Collection Manager, which require their administration website ports to be available.
Note: The current version of the connector does not implement IEC 61850 security, which is why it relies on the network to be secured. For more information on security, see ACSE Security in Data source configuration settings for PI Connector for IEC 61850.
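The following PowerShell script is an added example, not OSIsoft code, for checking the first two recommendations above at host level: it reports whether each service identity, and each member of the "PI Trusted Installers" group, is a direct member of the local Administrators group. The service names are placeholders (assumptions) to replace with the names registered on your hosts.

```powershell
# Added example: host-level check only. Domain privileges and nested group
# membership are not resolved here and need a separate directory query.
param(
    # Placeholder service names (assumption): use the names registered on your host.
    [string[]]$ServiceName = @('<connector-service>', '<relay-service>', '<dcm-service>'),
    # Group name as given in the recommendations above.
    [string]$InstallerGroup = 'PI Trusted Installers'
)

# Resolve local Administrators by well-known SID so localized group names still work.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name })

function Test-HostAdmin([string]$Account) {
    # LocalSystem is always administrator-equivalent on the host.
    if ($Account -eq 'LocalSystem' -or $Account -eq 'NT AUTHORITY\SYSTEM') { return $true }
    # Services store local accounts as ".\user"; group members appear as "HOST\user".
    $name = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
    return $admins -contains $name
}

$findings = @()

# Recommendation 1: service identities must not be host administrators.
foreach ($svc in $ServiceName) {
    $s = Get-CimInstance Win32_Service -Filter "Name='$svc'"
    if (-not $s) { Write-Warning "Service '$svc' not found on this host"; continue }
    $findings += [pscustomobject]@{
        Check     = 'Service identity'
        Subject   = $s.Name
        Account   = $s.StartName
        HostAdmin = Test-HostAdmin $s.StartName
    }
}

# Recommendation 2: members of the installers group must not be host administrators.
foreach ($m in Get-LocalGroupMember -Group $InstallerGroup -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{
        Check     = $InstallerGroup
        Subject   = $m.Name
        Account   = $m.Name
        HostAdmin = Test-HostAdmin $m.Name
    }
}

# Any row with HostAdmin = True needs remediation.
$findings | Format-Table -AutoSize
```

Run it on each host that runs the connector, relay, or PI Data Collection Manager; the installers-group check returns rows only on the PI Data Collection Manager host, where that group exists.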