
What are the security best practices for PI System?

Securing your PI System involves network architecture, authentication, authorization, and monitoring.

Network Architecture

PI System Security Zones

AVEVA recommends a layered architecture:

  1. Level 0-2: Field devices and control networks (PLCs, DCS)
  2. Level 3: PI Data Archive, PI Interfaces (DMZ between OT and IT)
  3. Level 4: PI Vision, PI Web API, AF Server (enterprise network)
  4. Level 5: Cloud and external access

Use firewalls between each level with only required ports open:

  • PI Data Archive: TCP 5450
  • PI AF: TCP 5457-5459
  • PI Web API: TCP 443 (HTTPS)

Authentication

Windows Integrated Authentication

  • Use Kerberos for all PI client connections
  • Avoid PI trusts based on IP address — use domain accounts
  • Configure service accounts with least-privilege principles

PI Web API

  • Enable HTTPS only — never expose PI Web API over HTTP
  • Use OIDC/OAuth for modern authentication flows
  • Configure CORS policies to restrict allowed origins

Authorization

PI Point Security

  • Assign read/write permissions per tag or tag group
  • Use security groups rather than individual accounts
  • Restrict write access to interface service accounts only
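
One way to check these point-security rules offline, as an added example that is not AVEVA's or this page's own code. It assumes point data ACLs exported as text in the `identity: A(r,w) | identity: A(r)` form; the tag names, the `PIInterfaces` identity, and the decision to let the admin identities keep write access are hypothetical.

```python
import re

# Assumption: identities permitted to write point data (hypothetical names).
WRITE_ALLOWED = {"piadmin", "piadmins", "PIInterfaces"}

ACL_ENTRY = re.compile(r"^\s*(?P<identity>[^:|]+?)\s*:\s*A\((?P<rights>[rw,\s]*)\)\s*$")

def parse_acl(acl):
    """Parse 'name: A(r,w) | name: A(r)' into {identity: set of rights}."""
    entries = {}
    for part in acl.split("|"):
        m = ACL_ENTRY.match(part)
        if not m:
            raise ValueError(f"unparseable ACL entry: {part!r}")
        rights = {r.strip() for r in m.group("rights").split(",") if r.strip()}
        entries[m.group("identity")] = rights
    return entries

def audit_point(tag, data_security):
    """Return findings for one tag's data ACL; unparseable ACLs go to manual review."""
    try:
        acl = parse_acl(data_security)
    except ValueError as exc:
        return [f"{tag}: {exc}; review manually"]
    findings = []
    for identity, rights in acl.items():
        if "w" not in rights:
            continue
        if identity.lower() == "piworld":
            findings.append(f"{tag}: PIWorld has write access")
        elif identity not in WRITE_ALLOWED:
            findings.append(f"{tag}: write granted to non-interface identity {identity}")
    return findings

def audit_all(rows):
    """Audit every (tag, ACL string) pair and return a flat list of findings."""
    return [f for tag, acl in rows for f in audit_point(tag, acl)]

# Constructed sample export: (tag, data ACL) pairs.
SAMPLE = [
    ("UNIT1.FLOW.PV", "piadmins: A(r,w) | PIInterfaces: A(r,w) | PIWorld: A(r)"),
    ("UNIT1.TEMP.PV", "piadmins: A(r,w) | PIWorld: A(r,w)"),
    ("UNIT2.LEVEL.PV", "piadmins: A(r,w) | PIEngineers: A(r,w) | PIWorld: A()"),
    ("UNIT2.PRESS.PV", "piadmins: A(r,w) | PIWorld: read"),
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(finding)
```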

AF Security

  • Set security at the AF database and element level
  • Use AF security templates for consistent permissions
  • Limit who can create/modify analytics and event frames

PI Mappings & Trusts

  • Prefer PI Mappings (Windows identity-based) over PI Trusts
  • Remove default PIWorld mapping or restrict it to read-only
  • Audit and remove unused trusts regularly

Monitoring

  • Enable PI Audit Trail to log configuration changes
  • Monitor failed authentication attempts in Windows Event Log
  • Review PI Message Logs for security-related events
  • Use PI Vision to create security dashboards tracking access patterns

Common Mistakes

  • Leaving PIWorld with write access
  • Using the piadmin account for application connections
  • Not encrypting PI Web API traffic
  • Skipping security hardening on secondary collective members
