Detecting Attacks On Historian Servers

When to Use

• When monitoring historian servers that bridge IT and OT networks for compromise indicators
• When detecting unauthorized queries or data manipulation in process historian databases
• When investigating lateral movement through historian servers between IT and OT zones
• When responding to alerts about exploitation of historian-specific vulnerabilities (CVE-2025-0921)
• When validating historian data integrity after a suspected OT security incident

Do not use for general database security monitoring (see database security skills), for historian deployment and configuration, or for IT-only data warehouse security.

Prerequisites

• Historian server inventory (OSIsoft PI, Ignition, GE Proficy, Wonderware InSQL)
• Network monitoring on historian network segments (both IT-facing and OT-facing interfaces)
• Historian API access for data integrity validation
• Baseline of normal historian query patterns (which applications query which tags)
• Understanding of historian architecture (data sources, interfaces, client connections)