CISA Advisory on FactoryTalk Historian: What It Means for Your ERP and Analytics Data Pipeline
ERP & Business Systems

CISA Advisory on FactoryTalk Historian: What It Means for Your ERP and Analytics Data Pipeline

CISA's June 2026 advisory on FactoryTalk Historian SE exposes a data-governance gap that reaches beyond OT teams into ERP, cloud analytics, and AI pipelines.

6 min readJuly 12, 2026
Back to News

On June 18, 2026, CISA published advisory ICSA-26-169-03, disclosing three vulnerabilities in Rockwell Automation FactoryTalk Historian Site Edition versions 11 and earlier. The highest-severity finding carries a CVSS v3 score of 7.7. For operations leaders and CIOs whose plants feed historian data into ERP, cloud analytics, or AI workflows, this is not a routine OT patch notice. It is a data-governance trigger.

TL;DR
  • -CISA advisory ICSA-26-169-03 (June 18, 2026) discloses three vulnerabilities in FactoryTalk Historian SE v11 and earlier, CVSS 7.7.
  • -Two denial-of-service CVEs can allow an authenticated user to shut down PI Data Archive subsystems and cause data loss.
  • -CISA recommends isolating control networks from business networks and restricting port 5450 to trusted workstations.
  • -No public exploitation had been reported to CISA at initial publication, but the governance gap is real regardless.
  • -Operations leaders and CIOs should audit which historian instances feed ERP, cloud analytics, or AI pipelines and confirm validation gates exist.

The advisory covers a system that sits at the boundary between your plant floor and your business systems. What happens to that data — and what controls exist before it reaches your ERP or analytics platform — is the decision this advisory forces.

What the Advisory Confirms

CISA advisory ICSA-26-169-03 identifies three CVEs affecting FactoryTalk Historian SE v11 and earlier. The product is classified under the Critical Manufacturing critical infrastructure sector with worldwide deployment. The consequence is denial of service and potential loss of data held in snapshots and write cache. Historian records not yet committed could be lost, and the downstream ERP or analytics feed could receive incomplete or interrupted data without any alert.

The third vulnerability, CVE-2025-13036, involves an authentication bypass condition. CISA's advisory documents the mechanism.

CISA confirmed that no known public exploitation of these specific vulnerabilities had been reported at the time of initial publication on June 18, 2026. That matters for prioritization, but it does not change the governance gap the advisory exposes.

The Risk That Reaches Your Business Systems

The OT security framing of this advisory understates the business-system exposure. FactoryTalk Historian SE is not just a plant-floor logging tool. In many mid-market manufacturing operations, it is the source of record for production data that flows into ERP production orders, quality records, compliance documentation, cloud analytics dashboards, and increasingly, AI inference pipelines.

The denial-of-service CVEs create a specific data-integrity risk: if PI Data Archive subsystems are shut down by an authenticated user exploiting CVE-2025-44019 or CVE-2025-36539, snapshot and write-cache data can be lost before it is committed.

If your ERP integration pulls from the historian on a scheduled basis and the historian goes down mid-cycle, the integration layer may receive a partial dataset, a null response, or stale records — depending on how the integration handles errors. Whether your integration layer detects and flags that condition depends entirely on how it was built and whether a validation gate exists at the handoff.

Metrotechs analysis based on the CISA-documented architecture: if no validation gate exists at the OT-IT boundary, incomplete or interrupted historian data could enter ERP production records, analytics datasets, or AI training pipelines without detection. The downstream effect — incorrect production counts, skewed analytics, or AI models trained on incomplete time-series data — depends on your specific integration design and data-quality controls.

The authentication bypass vulnerability compounds this. An attacker who obtains a valid token without valid credentials gains access to the historian environment. What they can do with that access depends on the permissions assigned to that token and the configuration of the historian instance.

Questions to Resolve Before Activation

Verify patch availability and corrected version numbers directly through that advisory before scheduling any upgrade. Do not rely on paraphrased version numbers from secondary sources, including this article.

CISA also did not confirm active exploitation in the wild as of June 18, 2026. The absence of known exploitation does not mean the governance gap is acceptable — it means the remediation window is open.

Immediate Controls CISA Recommends

CISA's advisory specifies two mitigation steps that operations leaders and CIOs can verify without waiting for a patch:

  • Isolate control system networks from business networks behind firewalls. If your historian sits on a network segment not separated from your IT environment, that separation is the first control to verify.
  • Restrict port 5450 to trusted workstations and software. This is the specific port mitigation CISA names for the denial-of-service vulnerabilities. Verify that access to port 5450 is limited to the workstations and integration services that legitimately need it.

These are network-level controls your IT and OT teams can check today. They do not require a patch cycle.

What to Audit Now

The following audit items are Metrotechs recommendations based on the CISA-documented architecture and data dependencies. They are not a Rockwell Automation or CISA checklist.

  • Document every FactoryTalk Historian SE instance running v11 or earlier and map each one to its downstream consumer. Which ERP modules receive historian data? Which cloud analytics datasets? Which AI or ML pipelines? If you cannot answer this in under an hour, the mapping does not exist.
  • Verify that port 5450 is restricted to trusted workstations per CISA ICSA-26-169-03 mitigation guidance. Confirm this with your OT team and your network team independently — the answer may differ.
  • Confirm that historian data access is logged and auditable at the OT-IT boundary. Access logs are the minimum evidence needed to detect unauthorized token use. If access to the historian is not logged, you have no visibility into who or what is reading it.
  • Confirm that a data-validation and quality gate exists before historian records enter the ERP, cloud data warehouse, or AI pipeline. This gate should check for completeness, expected record counts, and timestamp continuity. If the gate does not exist, incomplete or interrupted historian data can enter business systems silently.
  • Map the governance boundary between OT and IT teams and verify ownership of historian-data security, access control, and data integrity. In many operations, OT owns the historian and IT owns the ERP integration, with no formal handoff protocol between them. This advisory is the prompt to document that boundary and assign clear ownership.
  • Decide whether AI or analytics projects dependent on unvalidated historian data should be paused until controls are confirmed. If your AI pipeline consumes historian time-series data and no validation gate exists at the OT-IT handoff, the model may be training or inferring on data that is incomplete or interrupted. That is a data-quality decision, not only a security decision.

What to Watch

CISA advisory ICSA-24-130-01, published in May 2024, covered denial-of-service vulnerabilities in an earlier version of FactoryTalk Historian SE and recommended upgrading to version 9.01 or higher. If your operation has not yet established a formal process for tracking OT vendor security advisories and mapping them to downstream business-system dependencies, this advisory is the right moment to build one.

The governance gap it exposes — no validation gate, no access log, no documented OT-IT boundary — is not unique to FactoryTalk Historian. It is a structural condition in manufacturing operations that have added ERP integration and analytics pipelines incrementally over time.

Sources and supporting resources
Previous
Microsoft Is Ending Basic Authentication for SAP SuccessFactors Provisioning — November 2026 Deadline
Next
Business Central 2026 Wave 1: What to Audit Before Enabling AI Agents