detecting-attacks-on-historian-servers

Installation
SKILL.md

Detecting Attacks on Historian Servers

When to Use

  • When monitoring historian servers that bridge IT and OT networks for compromise indicators
  • When detecting unauthorized queries or data manipulation in process historian databases
  • When investigating lateral movement through historian servers between IT and OT zones
  • When responding to alerts about exploitation of historian-specific vulnerabilities (CVE-2025-0921)
  • When validating historian data integrity after a suspected OT security incident

Do not use for general database security monitoring (see database security skills), for historian deployment and configuration, or for IT-only data warehouse security.

Prerequisites

  • Historian server inventory (OSIsoft PI, Ignition, GE Proficy, Wonderware InSQL)
  • Network monitoring on historian network segments (both IT-facing and OT-facing interfaces)
  • Historian API access for data integrity validation
  • Baseline of normal historian query patterns (which applications query which tags)
  • Understanding of historian architecture (data sources, interfaces, client connections)
Installs
42
GitHub Stars
24.2K
First Seen
Mar 16, 2026
detecting-attacks-on-historian-servers — mukul975/anthropic-cybersecurity-skills