
Infrastructure · Credibility 45/100 · 6 min read

Infrastructure Briefing — OSIsoft PI Web API XSS mitigations for OT historians

CISA warns that PI Web API 2019 can be abused, via crafted requests, to deliver attacker-supplied JavaScript that runs in a PI user's browser, risking unauthorized viewing or tampering of OT historian data.

Executive briefing: CISA’s ICSA-20-163-01 advisory details a cross-site scripting flaw in OSIsoft’s PI Web API 2019. The weakness allows a remote authenticated attacker to trick a PI user into executing attacker-supplied JavaScript, potentially leading to unauthorized viewing, modification, or deletion of historian data.

Immediate actions for PI administrators

  • Patch to PI Web API 2019 SP1. OSIsoft’s fix tightens input validation and should be deployed on all internet-facing and internal PI Web API nodes.
  • Constrain write-capable accounts. Limit which users and service principals have write permissions to PI Servers exposed through PI Web API endpoints; prefer dedicated service accounts with scoped privileges.
  • Harden exposure. Keep PI Web API off the open internet, enforce HTTPS with modern ciphers, and front-end the service with reverse proxies or VPNs to filter unexpected requests.

Strategic follow-through

  • Review historian integrations. Validate upstream applications that call PI Web API to ensure they cannot be abused as cross-site scripting pivots.
  • Detection engineering. Add logging and alerts for unusual POST/PUT requests to PI Web API endpoints, especially those originating from user workstations instead of application servers.
  • Governance. Document PI Web API surface area in asset inventories and ensure quarterly patch windows include the service.
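The detection-engineering item above, worked through as an added example (not code from the briefing or from OSIsoft): it scans access-log lines for write-style requests to PI Web API endpoints from hosts outside an allowlist of approved application servers. The log format, the allowlisted subnet, the WebIds and the sample lines are all constructed assumptions; PI Web API's real request logs would need their own parser.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed sample log, assumed to come from a reverse proxy in front of
# PI Web API in the form "<timestamp> <client_ip> <method> <path> <status>".
SAMPLE_LOG = """\
2020-06-11T10:01:02Z 10.20.5.17 GET /piwebapi/points/P0abc 200
2020-06-11T10:01:05Z 10.20.5.17 POST /piwebapi/streams/P0abc/value 202
2020-06-11T10:02:11Z 10.50.1.8 PUT /piwebapi/points/P0abc 204
2020-06-11T10:03:40Z 10.50.1.9 POST /piwebapi/batch 207
2020-06-11T10:04:00Z 10.20.7.3 GET /piwebapi/dataservers 200
2020-06-11T10:05:12Z 10.50.1.8 DELETE /piwebapi/points/P0abc 204
"""

# Assumed allowlist: the subnet where approved integration servers live.
# Anything else (e.g. user workstation VLANs) is unexpected for writes.
APP_SERVER_NETS = [ipaddress.ip_network("10.20.0.0/16")]
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its five fields."""
    ts, ip, method, path, status = line.split()
    return {"ts": ts, "ip": ip, "method": method, "path": path, "status": status}


def is_app_server(ip: str) -> bool:
    """True when the client address falls inside an allowlisted subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APP_SERVER_NETS)


def find_suspicious_writes(log_text: str) -> List[Dict[str, str]]:
    """Return write requests to /piwebapi/ from hosts outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["method"] in WRITE_METHODS
                and rec["path"].lower().startswith("/piwebapi/")
                and not is_app_server(rec["ip"])):
            hits.append(rec)
    return hits


def writes_by_host(log_text: str) -> Dict[str, int]:
    """Count suspicious writes per source host, for triage and alert thresholds."""
    return dict(Counter(h["ip"] for h in find_suspicious_writes(log_text)))


if __name__ == "__main__":
    for host, n in writes_by_host(SAMPLE_LOG).items():
        print(f"ALERT {host}: {n} write request(s) to PI Web API from a non-application host")
```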

Source excerpts

Primary — impact: “Successful exploitation of this vulnerability could allow a remote authenticated attacker with write access to a PI Server to trick a user into interacting with a PI Web API endpoint that executes arbitrary JavaScript in the user’s browser, resulting in view, modification, or deletion of data as allowed for by the victim’s user permissions.”

CISA ICSA-20-163-01 (OSIsoft PI Web API 2019)

Primary — vendor fix: “OSIsoft recommends affected users upgrade to PI Web API 2019 SP1.”

CISA ICSA-20-163-01 (OSIsoft PI Web API 2019)