By Eric Murphy, columnist
September 11, 2008 marked seven years since the worlds view on many things including security changed drastically. Seven is a special number to many people and cultures around the world. Lucky number seven. Seven years bad luck. Seven deadly sins. Seven Wonders of World. The first OPC Security specification was released in 2000, and the next major OPC security revision, OPC UA Security, was released in 2007, coincidently seven years later. Its said that a little fear is a good thing. Here are seven security fears every OPC systems owner should consider, and what OPC options exist to sooth them.
Fear the Loss of Obscurity
Countless systems in the past relied on security by obscurity or the belief that control systems were unknown and isolated from the outside world. In the age of wide spread connectivity, users are demanding more access, more easily to industrial information. The unfortunate side effect is insecure systems that were never intended to be connected to the Internet are now online. Information networks have numerous holes and data integrity is often compromised.
The boundless enterprise means that todays control systems are on or near the Internet. While this global connectivity adds agility and knowledge sharing for companies, it is also a main source of fear for security professionals. The best way to handle fear is to deal with it. It terms of OPC that means understanding and applying proper OPC security. For classic OPC architectures this implies configuring appropriate Windows and DCOM Security to restrict access to authorized nodes. This access can be further restricted to granting read/write or browse access on a per item level by employing products that support the OPC Security specification. Next generation control systems employ more web based applications. The next generation of standard service based connectivity, OPC UA, has multiple layers of security. As with classic OPC, these security features are only effective if users decide to make use of them.
As the way business changes and the enterprise loses its borders, companies must realize that traditional security models are no longer sufficient. Simply installing antivirus scanners and firewalls no longer is sufficient security protection. Countless incident reports and near misses show that there are too many ways to get around the network perimeter. Cyber security threats are continually evolving and so must OPC security measures.
Just because an existing system hasnt been compromised, doesnt mean it cant be. Overcoming complacency means evaluating and upgrading current systems. Its been said there are three things that are important in upgrading software security. Layers. Layers. Layers. Defense in depth or multiple layers of different types of protection from different vendors provide a higher degree of protection. In the event one part of the system is compromised, the rest remains secure. These layers might include: physical systems, firewalls, intrusion detection systems, and business to process layer controls. OPC specific security measures include OPC architecture security, DCOM configuration and security aware OPC products. For OPC UA architectures the specifications inherent application and transport security measures would build on existing OPC security implementations.
Fear the Unknown
Numerous studies estimate that cybercrime costs billions of dollars in lost revenue, loss of current and prospective customers and impacted employee productivity. These numbers continue to climb each year as the nature of the threats change, and the lone hackers are replaced by technically sophisticated, organized criminal groups. Industrial automation and control systems are increasingly becoming targets. This trend is highlighted by recent news reports that include a publicized vulnerability in popular SCADA software and successful attacks on utility companies and scientific institutions.
Every companys data is precious and needs to be protected. All aspects of information from the control system to the historian to the ERP system require security layering. There are many options for OPC architectures to be hardened against targeted attacks from the outside. Classic OPC systems should consider gateway solutions that create demilitarized zones or implementing encrypted OPC tunneling solutions to maintain integrity of network Firewalls. The OPC UA specification provides another level of protection by utilizing standard WS protocols, such as WS-Secure Conversation and WS-Security.
Fear the Internal User
Another growing trend is that many of the security incidents that cost enterprises money involve insiders in some way or another. Companies sometimes focus all their time and money on threats from outside the enterprise walls and forget about the dangers that lurk within. The risks posed by employees and trusted users can run from complete fraud to simple user errors or the wrong data being seen by the wrong people. In the face on increasing insider threats, companies can no longer rely on the belief that users will do the right thing and only access the data they are supposed to.
Accidents will happen and there is no guarantee that employees will always be loyal. In order to reduce this fear, companies need to implement more focused OPC security for critical data systems. This more focused security model can be achieved by using OPC security enabled products that prove item level security or OPC UA products that implement node level security. Restricting information views of to only those that need it greatly reduces the chances of data security breaches.
Fear Departmental Silos
Security, auditing, regulatory affairs and privacy impact the entire organization and should not be kept in departmental silos. People, process and technology must be integrated. This means data and information needs to be shared, securely across departmental boundaries and throughout the enterprise. There are many reasons departmental silos get created, and often security fears make this problem even worse. The truth is that companies who share information, implement common policies and processes, and work together are create more effect and secure information systems.
Being open does not mean being exposed. Just as there are solutions for connecting to external systems, there are OPC architectures and products designed to securely connect internal networks. Security aware and encrypted OPC tunneling solutions safely bridge firewalled systems. One-way push architectures allow information to be shared to selected systems, without exposing the source system. OPC UA secure channel implementation and certificate handling give users control over who can and cannot access key OPC data. OPC provides the ability to easily share information across the enterprise and the OPC Security and OPC UA specifications ensure this is done securely.
Fear the Silver Bullet
It is important that technical managers do not get so involved in a particular technology that they forget the overarching goal of system security. There is no single technology or silver bullet that will solve security problems or provide regulatory compliance. Information security and risk management is a process that requires continuous monitoring, auditing and adjustment of how information is used.
The industrial security landscape has changed over the years and will continue to shift and evolve. Security is more that an initial security assessment and product purchase. OPC security is yet another part of the overall information management system and must be part of the ongoing policy and process that are crucial to secure systems. Companies need to choose an OPC partner that understands their security needs of existing legacy systems and can roadmap the migration path to implementing next generation of secure OPC solutions.
Fear. It will happen.
Of all the things security information managers fear, the healthiest one is to acknowledging the fear that something will happen. The costs of ignoring OPC security can be very high. Often the root cause behind many publicized security failures was simply short-sighted leadership decisions to save money on IT security implementations. Security incidents dont just happen to other people. Companies need to expect the unexpected by evaluating their OPC security before a privacy breach occurs.
End users who are security aware use a combination of IT network security practices, proper OPC architecture and OPC products that incorporate security features to successfully create robust systems. An experienced vendor, working closely with the end user, incorporating network assessments and security evaluations, can produce a secure OPC architecture that puts even the most fearful manager at ease.
Next Seven Years?
Over the last few years not enough installations have been following rigorous security processes, and for those associated with critical infrastructure that is a scary thing. What will the next seven years bring for industrial network security? Seventh Heaven or more like the Seven Years War? That really depends on how diligent end users are in understanding their OPC security requirements and demanding compliance from their vendors. OPC architectures are implemented all over the world, across all major industries and utilities and connect many layers of the enterprise. If the right consideration is given to securing these OPC installations, then there should be nothing to fear.