OPC Security: Seven Years, Seven Fears

Seven Security Fears Every OPC Systems Owner Should Consider

1 of 2 < 1 | 2 View on one page

Eric MurphyBy Eric Murphy, columnist

September 11, 2008 marked seven years since the world’s view on many things including security changed drastically. Seven is a special number to many people and cultures around the world. Lucky number seven. Seven years bad luck. Seven deadly sins. Seven Wonders of World. The first OPC Security specification was released in 2000, and the next major OPC security revision, OPC UA Security, was released in 2007, coincidently seven years later.  It’s said that a little fear is a good thing. Here are seven security fears every OPC systems owner should consider, and what OPC options exist to sooth them.

Fear the Loss of Obscurity

Countless systems in the past relied on ‘security by obscurity’ or the belief that control systems were unknown and isolated from the outside world. In the age of wide spread connectivity, users are demanding more access, more easily to industrial information. The unfortunate side effect is insecure systems that were never intended to be connected to the Internet are now online. Information networks have numerous holes and data integrity is often compromised.

The boundless enterprise means that today’s control systems are on or near the Internet. While this global connectivity adds agility and knowledge sharing for companies, it is also a main source of fear for security professionals. The best way to handle fear is to deal with it. It terms of OPC that means understanding and applying proper OPC security. For classic OPC architectures this implies configuring appropriate Windows and DCOM Security to restrict access to authorized nodes. This access can be further restricted to granting read/write or browse access on a per item level by employing products that support the OPC Security specification.  Next generation control systems employ more web based applications. The next generation of standard service based connectivity, OPC UA, has multiple layers of security.  As with classic OPC, these security features are only effective if users decide to make use of them.

Fear Complacency

As the way business changes and the enterprise loses its borders, companies must realize that traditional security models are no longer sufficient.  Simply installing antivirus scanners and firewalls no longer is sufficient security protection. Countless incident reports and near misses show that there are too many ways to get around the network perimeter. Cyber security threats are continually evolving and so must OPC security measures.

Just because an existing system hasn’t been compromised, doesn’t mean it can’t be. Overcoming complacency means evaluating and upgrading current systems.  It’s been said there are three things that are important in upgrading software security. Layers. Layers. Layers. Defense in depth or multiple layers of different types of protection from different vendors provide a higher degree of protection. In the event one part of the system is compromised, the rest remains secure. These layers might include: physical systems, firewalls, intrusion detection systems, and business to process layer controls. OPC specific security measures include OPC architecture security, DCOM configuration and security aware OPC products.  For OPC UA architectures the specification’s inherent application and transport security measures would build on existing OPC security implementations.

Fear the Unknown

Numerous studies estimate that cybercrime costs billions of dollars in lost revenue, loss of current and prospective customers and impacted employee productivity. These numbers continue to climb each year as the nature of the threats change, and the lone hackers are replaced by technically sophisticated, organized criminal groups. Industrial automation and control systems are increasingly becoming targets.  This trend is highlighted by recent news reports that include a publicized vulnerability in popular SCADA software and successful attacks on utility companies and scientific institutions.

Every company’s data is precious and needs to be protected.  All aspects of information from the control system to the historian to the ERP system require security layering. There are many options for OPC architectures to be hardened against targeted attacks from the outside. Classic OPC systems should consider gateway solutions that create ‘demilitarized zones’ or implementing encrypted OPC tunneling solutions to maintain integrity of network Firewalls.  The OPC UA specification provides another level of protection by utilizing standard WS protocols, such as WS-Secure Conversation and WS-Security.

Fear the Internal User

Another growing trend is that many of the security incidents that cost enterprises money involve insiders in some way or another. Companies sometimes focus all their time and money on threats from outside the enterprise walls and forget about the dangers that lurk within. The risks posed by employees and trusted users can run from complete fraud to simple user errors or the wrong data being seen by the wrong people. In the face on increasing insider threats, companies can no longer rely on the belief that users will do the right thing and only access the data they are supposed to. 

Accidents will happen and there is no guarantee that employees will always be loyal. In order to reduce this fear, companies need to implement more focused OPC security for critical data systems. This more focused security model can be achieved by using OPC security enabled products that prove item level security or OPC UA products that implement node level security. Restricting information views of to only those that need it greatly reduces the chances of data security breaches.

1 of 2 < 1 | 2 View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments