InfrastructureOSIsoft PI Web API XSS mitigations for OT historians
CISA warns that PI Web API 2019 instances can be coerced into executing arbitrary JavaScript through crafted requests, risking unauthorized data view or tampering on OT historians.
Verified for technical accuracy — Kodi C.
High-level summary
CISA advisory ICSA-20-163-01 published on disclosed a cross-site scripting (XSS) vulnerability in OSIsoft PI Web API 2019, a REST API providing web-based access to PI System historian data. The vulnerability enables authenticated attackers with write access to execute arbitrary JavaScript in victims' browsers, potentially leading to unauthorized viewing, modification, or deletion of process data.
PI System Context
OSIsoft PI System is one of the most widely deployed historian platforms in industrial environments:
- Market penetration: PI System is used by thousands of organizations across energy, manufacturing, utilities, and other process industries.
- Data criticality: Historians store time-series data essential for process improvement, regulatory compliance, and operational decision-making.
- Integration breadth: PI Web API enables integration with business applications, analytics platforms, and third-party visualization tools.
- Multi-user access: Various user roles access historian data, creating diverse attack surfaces for XSS exploitation.
How the vulnerability works
The vulnerability enables cross-site scripting attacks:
- Stored XSS (CWE-79): Attackers with write access can inject malicious JavaScript that executes when other users view affected data through PI Web API interfaces.
- Authentication requirement: Exploitation requires authenticated access with write permissions to a PI Server.
- Victim interaction: Victims must interact with PI Web API endpoints displaying the injected content.
- Permission inheritance: Malicious scripts execute with the victim's permissions, enabling data access matching their authorization level.
Attack Scenarios
Exploitation could enable various malicious activities:
- Session hijacking: Stealing session tokens to impersonate users with higher privileges.
- Data exfiltration: Accessing historian data the victim can view but the attacker cannot directly access.
- Data manipulation: Modifying or deleting process data within the victim's authorization scope.
- Credential theft: Presenting fake login dialogs to harvest additional credentials.
- Malware delivery: Redirecting victims to malicious sites for further exploitation.
Affected Versions
PI Web API 2019 (version 1.12.0.x) is affected. If you are affected, inventory PI Web API installations to determine exposure.
Remediation Steps
OSIsoft recommends upgrading to PI Web API 2019 SP1:
- Apply patch: Upgrade all PI Web API installations to version 2019 SP1 or later.
- Access review: Audit users with write permissions to PI Servers and remove unnecessary privileges.
- Service account hardening: Use dedicated service accounts with minimal permissions for PI Web API integrations.
- Network isolation: Restrict PI Web API access to required users and systems.
Security Hardening
Beyond patching, implement full PI System security:
- HTTPS enforcement: Require encrypted connections with modern TLS configurations.
- Authentication controls: Integrate with enterprise identity providers and enforce MFA where supported.
- Reverse proxy: Front PI Web API with reverse proxies or API gateways providing additional filtering and monitoring.
- Logging: Enable full logging of PI Web API requests for security monitoring and forensics.
Detection and Monitoring
Implement detection capabilities:
- Monitor for unusual POST/PUT requests to PI Web API endpoints.
- Alert on requests containing JavaScript-like content in parameters or payloads.
- Review PI Web API access logs for suspicious patterns.
- Monitor for data modifications inconsistent with normal operational patterns.
Integration Security
Organizations with applications consuming PI Web API should review integration security, validate inputs before displaying PI data in web interfaces, and implement content security policies preventing script execution from untrusted sources.
Closing analysis
ICSA-20-163-01 highlights the importance of web application security even in industrial data systems. If you are affected, focus on patching while implementing access controls and monitoring to protect historian data integrity and confidentiality.
Continue in the Infrastructure pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
Telecom Modernization Infrastructure Guide
Modernise telecom infrastructure using 3GPP Release 18 roadmaps, O-RAN Alliance specifications, and ITU broadband benchmarks curated here.
-
Infrastructure Resilience Guide
Coordinate capacity planning, supply chain, and reliability operations using DOE grid programmes, Uptime Institute benchmarks, and NERC reliability mandates covered here.
-
Edge Resilience Infrastructure Guide
Engineer resilient edge estates using ETSI MEC standards, DOE grid assessments, and GSMA availability benchmarks documented here.
Coverage intelligence
- Published
- Coverage pillar
- Infrastructure
- Source credibility
- 73/100 — medium confidence
- Topics
- OSIsoft · PI System · XSS
- Sources cited
- 3 sources (cisa.gov, cvedetails.com, iso.org)
- Reading time
- 5 min
Cited sources
- ICSA-20-163-01 OSIsoft PI Web API 2019
- CVE Details - Vulnerability Database — CVE Details
- ISO/IEC 27017:2015 — Cloud Service Security Controls — International Organization for Standardization
Comments
Community
We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.
No approved comments yet. Add the first perspective.