By Eric Murphy, columnist
With the prevalence of information technology and the drive towards having information readily available from any location, many previously isolated control systems are more accessible.The drive to reduce operational costs and improve performance has led control system vendors and critical infrastructure owners to move towards standardized technologies, operating systems, and protocols such as Ethernet, Microsoft Windows and OPC. However, the more widely accepted a technology, the larger the risk of attracting cyber vulnerabilities, exploitation tools and other threats. Fortunately, the OPC portfolio offers several security options to help reduce the risk to control system integrity.
Importance of Industrial Connectivity Security
Control systems are integral components of the critical infrastructure that monitors and controls sensitive processes. This includes all the computers, process control equipment, process interface systems and associated applications which work in concert to manage the process. Industries are under increasing pressure to provide information access throughout the enterprise. The enormous growth of process interconnectivity has given automation systems new means to share and distribute information - but with added functionality comes added risk. Maintaining the security and system integrity of data communications is extremely important, particularly for crucial systems.
The use of data connectivity and IT in industrial applications has significantly increased over the years.As Microsoft operating systems and Ethernet based communications became more reliable and accepted, major control system vendors introduced operator stations, engineering consoles and application platforms running on PC hardware. These factors, coupled with the rise of OPC as the preferred communication standard, have led to an accelerating penetration of IT based data connectivity into industrial architectures. OPC is now a cornerstone component of many mission-critical or near safety applications such as turbine-compressor monitoring, burner management systems, rail system management, radiation detection and reporting, and many more. This significantly increases the need for secure industrial connectivity.
Security for Each OPC Flavor
Even though OPC is an open standard, it is possible to increase the security of OPC architectures. As with any good IT security plan, the OPC communications would be one of several layers of protection. In the event one part of the system is compromised, the rest remains secure. These layers might include: physical systems, firewalls, intrusion detection systems, and business to process layer controls. OPC specific security measures include OPC architecture security, DCOM configuration and security aware OPC products. For OPC UA and OPC Xi architectures, the specification's inherent application and transport security measures would build on existing OPC security implementations.
While the base classic OPC specifications themselves do not mandate any security beyond that supplied by the Microsoft operation system, end users do have some choices when it comes to installing products with higher security features. Any Classic OPC Server vendor has the option to implement one of three levels of security: Disabled, DCOM or OPC Security. Each level offers more security and control over who has access to data within the OPC architecture.
- Disabled Security – No security is enforced. Launch and Access permissions to the OPC Server are given to everyone, and Access permissions for clients are set for everyone. The OPC Server does not control access to any vendor specific security functions.
- DCOM Security – Only Windows DCOM security is enforced. Launch and Access permissions to the OPC Server are limited to selected clients, as are the Access permissions for client applications. However, the OPC Server does not control access to more specific security functions. This is the default security level provided by DCOM.
- OPC Security 1.0 – Support the OPC Security specification. The OPC Server serves as a reference monitor to control access to specific security functions that are exposed by the OPC Server. An OPC Server may implement OPC Security in addition to DCOM Security, or implement OPC Security alone.
The OPC Security specification focuses on client identification by using trusted credentials to determine access authorization decisions to the OPC Server. It enables OPC products to provide specific security controls on adding, browsing, reading and/or writing individual OPC items.
OPC Unified Architecture
An OPC UA Server or application is commonly referred to as an Application Instance. Each Application Instance has its own Certificate which it uses to uniquely identify itself when connecting to other applications. These certificates come with private keys that allow applications to create secure communication channels that cannot be viewed by 3rd parties or modified while in transit. OPC UA also offers several layers or tiers of security.
- No Authentication – OPC UA applications allow any peer to communicate therefore all valid certificates are trusted. The receiver is unable to verify that the sender is the legitimate holder of the certificate. While this tier requires no configuration at the server or client, it cannot ensure the privacy of any information transmitted, including user credentials.
- Server Authentication – The OPC UA server will allows any client to connect. If the server requires user authentication, this done using user credentials such as a username/password after the secure channel has been established. OPC UA clients can only connect to trusted servers, as configured by a system administrator. This is done using a trusted list of Server certificates or certificates issued by a trusted Certificate Authority. This method is used by many Internet banking applications where the institution's web server has a certificate issued by a well-know and trusted Certificate Authority. These certificates are automatically placed in the browsers trust list by the Windows operating system. This provides a higher level of security but the server cannot restrict the client applications.
- Client Authentication – Only trusted OPC UA client can connect to a particular server. Clients do not need any pre-configuration other than the location of the server; however they would never provide sensitive information since it is not known if it the server is legitimate. Again this is done using a trusted list of Client certificates or certificates issued by a trusted Certificate Authority. This mode is used by OPC UA discovery services.
- Mutual Authentication - Both the OPC UA client and server only allow trusted peers to connect. This offers the highest level of security but requires that both the client and server be configured in advance. It is expected that application installation will default to this most secure option.
OPC UA security also provides several choices for private keys, certificate stores and encryption to ensure a wide range of interoperability and security for different platform and systems. As with Classic OPC Security, OPC UA provides the framework for OPC products to provide specific security controls on adding, browsing, reading and/or writing individual OPC items. It is up to the OPC vendor to implement this level of security granularity.
Providing a secure means of data communication was one of the primary goals in the development of OPC Xi. OPC Xi also provides a layered security model designed to meet different user options and uses a number of different data security mechanisms.
- WCF Security – OPC Xi is based on Microsoft WCF (Windows Communication Foundation) which provides multiple binding options. Across all service bindings there are five possible security modes:
- None - Turns security off.
- Transport - Uses transport security for mutual authentication and message protection.
- Message - Uses message security for mutual authentication and message protection.
- Both - Allows you to supply settings for transport and message-level security (only MSMQ supports this).
- TransportWithMessageCredential - Credentials are passed with the message and message protection and server authentication are provided by the transport layer.
- TransportCredentialOnly - Client credentials are passed with the transport layer and no message protection is applied.
- WCF Security also provides multiple options for client credentials, authentication and message encryption and signing.
- Authorized Functionality Limiting - OPC Xi uses patented interface security layered on top of traditional security mechanisms to allow OPC Xi client access to be enabled or disabled based on location of the client and on the client itself. Servers may limit a client's ability to read, write or subscribe to data using security configuration.
Security for Today and Tomorrow
Security is an ongoing process. For every computer technology developed to provide solutions, there will be those who seek to circumvent these security measures. While it's a continual learning process to discover potential vulnerabilities and address them, users should make use of the options they have available to reduce security risks to their data communication systems.
Best of breed universal connectivity OPC products will have "security by design." OPC provides a range of communication technologies and associated security options to fit every user situation. By choosing product and service vendors who have proven their commitment to quality and security, end users have assurances that they will have the secure OPC connectivity they need.