By Darek Kominek, P. Eng., Manager, OPC Marketing, MatrikonOPC, www.matrikonopc.com
Eric Byres, P. Eng., ISA Fellow, CTO Byres Security Inc. www.tofinosecurity.com
For the past decade, industrial control system professionals have wanted to believe that 'air gaps' truly existed between their systems and the rest of the world. They have also hoped that 'security by obscurity' would keep them safe from security threats.
Those days are over. Recent security incidents such as the game-changing Stuxnet worm are a wakeup call for the industrial automation industry. While the risk of cyber attacks and malware is no longer in doubt, the question remains, "Exactly how can an engineer reliably secure his or her control system?"
Complicating the situation is the widespread use of commercial off-the-shelf (COTS) information technologies like Windows and Ethernet on critical control systems. The use of common networking, computer and software technologies has certainly reduced costs and increased business agility. However, it has also increased the demands to balance the need for accessibility to control system data with the need to safeguard the integrity and usability of mission critical systems.
Reducing the Attack Surface
One of the most effective ways to manage the conflict between the demands of efficient access and the demands of effective security is to minimize the variety of interfaces and protocols operating between the control system and external networks. Having one approved connectivity solution serving multiple corporate requirements not only reduces administration costs, but also reduces the opportunities open to the attacker or worm. This is known as "reducing the attack surface" of a system.
Thus the key task for an administrator is to select an appropriate communications technology that can be used by the widest variety of control AND business systems. While there are a number of possible candidates, OPC is without question one of the easiest and most widespread standards to address the demands of universal data access in the industrial automation world.
Once known as OLE for Process Control, OPC is now commonly interpreted to mean Open Connectivity and the original OPC specifications are referred to as OPC Classic. OPC is the world's most widely used industrial integration standard. It's employed by a broad range of industrial and business applications ranging from interfacing human machine interface (HMI) workstations, safety instrumented systems (SIS) and DCSs on the plant floor, to enterprise databases, enterprise resource planning (ERP) systems and other business-oriented software in the corporate world.
But what about the security demands - can OPC address these? As this article will illustrate, the answer is a definite YES. By layering defenses that are OPC-aware, high security solutions can be created that meet both the security and access expectations of a company, all without administrative overload on the network or controls team. The result is a standards-based solution that has been proven across numerous control systems.
Layering Defenses: Defense in Depth
If reducing the attack surface is the first key to good security, the second is the layering of security defenses. Often referred to as 'defense in depth', the concept is to manage risk with diverse defensive strategies.
Layering defenses gives several benefits. The most obvious is that if one layer of defense is compromised, another layer of defense, using a different security method, presents an additional obstacle which can inhibit further penetration.
A more subtle, but equally powerful benefit is that attacks come in different flavors and each defensive layer can be optimized to deal with a specific range of threats.
Defense in Depth: Bank Example
Security in a bank presents a good analogy for the defense in depth approach to security for control systems. What is it that makes a typical bank more secure than a home or convenience store?
The bank employs multiple security measures to maximize the safety and security of its employees, customers and their valuables. Not only are there more layers, but each layer is designed to address a specific type of threat at the point where it is employed.
Bank doors are effective, but simple security devices. They are either locked or unlocked. They either grant or deny access to customers on an all-or-nothing basis – regardless of what a visitor looks like or how the visitor behaves.
One layer up is the security guards. They ensure that access to the bank is for people who have a legitimate need to be there and who will 'behave' within expected norms. They assess each visitor against specific criteria, such as whether the visitor is wearing a mask, behaving suspiciously or acting erratically.
At yet another level, the tellers, security box keys, passwords, etc. keep these pre-screened customers from accessing other accounts or information. Rather than worrying if a visitor should or should not be in the bank, the tellers and passwords present a different layer of security: account security. These measures 'filter' what account access individual customers are allowed, based on who they are.
Note that the security layers are context specific, which is why banks don't simply have additional security guards at every level. The security solution must fit the context of the threat expected at that level.
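To make the bank analogy concrete for an OPC connection, the following is an added illustration (it is not code from the article or from either author's products) of three context-specific layers evaluating one client request: a network layer that, like the bank door, only knows whether a host may connect at all; an OPC-aware layer that, like the guard, only admits expected behaviour (which OPC operations are permitted); and an item-level layer that, like the teller, decides which tags a particular client may touch. The hosts, operations, tag names and policy tables are constructed for the example, and the request model is a simplification, not the real OPC/DCOM call structure.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class OpcRequest:
    """A simplified view of one OPC client request (constructed for this example)."""
    src_host: str    # address of the client making the request
    operation: str   # e.g. "browse", "read", "write"
    item: str        # OPC item (tag) name being accessed


# Constructed policy tables; the addresses and tag names are hypothetical.
ALLOWED_HOSTS = {"10.0.1.20", "10.0.1.21"}          # layer 1: the "door"
ALLOWED_OPERATIONS = {"browse", "read"}              # layer 2: the "guard"
ITEM_ACL = {                                         # layer 3: the "teller"
    "10.0.1.20": {"Plant.Line1.*"},                  # whole Line1 namespace
    "10.0.1.21": {"Plant.Line1.Temp", "Plant.Line2.Temp"},
}


def layer_network(req: OpcRequest) -> bool:
    """All-or-nothing: is this host allowed to reach the OPC server at all?"""
    return req.src_host in ALLOWED_HOSTS


def layer_opc_protocol(req: OpcRequest) -> bool:
    """Behaviour check: is the requested OPC operation one we expect from clients?"""
    return req.operation in ALLOWED_OPERATIONS


def _item_matches(pattern: str, item: str) -> bool:
    # A trailing ".*" grants the whole namespace below that prefix.
    if pattern.endswith(".*"):
        return item.startswith(pattern[:-1])
    return pattern == item


def layer_item_acl(req: OpcRequest) -> bool:
    """Account-style check: may this particular client touch this particular tag?"""
    return any(_item_matches(p, req.item) for p in ITEM_ACL.get(req.src_host, ()))


# Each layer uses a different kind of decision, so a single flaw does not defeat them all.
LAYERS: List[Tuple[str, Callable[[OpcRequest], bool]]] = [
    ("network", layer_network),
    ("opc-protocol", layer_opc_protocol),
    ("item-acl", layer_item_acl),
]


def evaluate(req: OpcRequest) -> Tuple[bool, Optional[str]]:
    """Pass the request through the layers in order.

    Returns (allowed, blocking_layer). The blocking layer is recorded because, for
    detection, *which* layer rejected a request says a lot about the threat class:
    an unknown host, an unexpected operation, or an over-reaching but otherwise
    legitimate client.
    """
    for name, check in LAYERS:
        if not check(req):
            return False, name
    return True, None


def run_samples() -> List[Tuple[OpcRequest, bool, Optional[str]]]:
    """Constructed requests, one per layer, plus one that should pass."""
    samples = [
        OpcRequest("192.168.5.5", "read", "Plant.Line1.Temp"),     # stranger at the door
        OpcRequest("10.0.1.21", "write", "Plant.Line1.Temp"),      # known host, wrong behaviour
        OpcRequest("10.0.1.21", "read", "Plant.Line1.Pressure"),   # known host, wrong account
        OpcRequest("10.0.1.20", "read", "Plant.Line1.Pressure"),   # legitimate access
    ]
    return [(req, *evaluate(req)) for req in samples]


if __name__ == "__main__":
    for req, allowed, layer in run_samples():
        verdict = "ALLOW" if allowed else f"DENY at {layer}"
        print(f"{req.src_host:12} {req.operation:6} {req.item:22} -> {verdict}")
```

The ordering matters in the same way the bank's does: the cheap, coarse check runs first so that most unwanted traffic never reaches the finer-grained layers, and every denial is attributed to the layer that caught it rather than reported as a generic failure.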