Access control security, or application-focused security, must be addressed through OPC-specific security measures and through properly designed OPC architectures. Corporate firewalls and general Windows DCOM security are not aware of the OPC context. Only by using security products that are OPC 'aware', that support the OPC Security specification, and that properly utilize the information this provides is it possible to provide an effective level of protection.
Role and User-Focused Security
The OPC Security specification focuses on client identification by using trusted credentials to determine access authorization decisions by the OPC Server. It enables OPC products to provide specific security controls on adding, browsing, reading and/or writing individual OPC items.
Within the plant environment different job roles require different types of data access:
- Control system engineers might require full read and write access to all points in the automation system
- Operators might be restricted to only those data points associated with the status and control of machines within their particular plant unit
- Management level personnel would most certainly only require read access to key performance data items
Applying the most appropriate security access means applications must be able to understand the context in which particular users are accessing information.
Combining network-focused and application-focused OPC security technologies is a tested and proven solution for industry. For network-focused security, the Tofino Security Appliance with the Tofino OPC Enforcer Loadable Software Module (www.tofinosecurity.com) can be used to secure any vendor's OPC client/server software.
Similarly, for granular role and user-based security (that is, application-focused security), the MatrikonOPC Security Gateway (www.opcsecurity.com) is fully based on the OPC Security specification. It delivers control down to the per-user-per-tag level and provides complete security for OPC architectures regardless of what vendor the OPC components are from.
These two products have been successfully tested and used together. The Tofino technology provides front line protection from 99.99% of all network based attacks (such as Denial of Service, unapproved clients, and malformed DCOM connections). Once network traffic related to OPC has been vetted, the MatrikonOPC Security Gateway enforces the specific security policies chosen by the administrator– ensuring each user only gets access to the specific data he or she has authorization to work with.
Security you can Bank on
The implications of ignoring OPC security will grow rapidly as the demand for business to control network connectivity continues to increase. History shows that the root cause behind many publicized security failures has been the result of improper use of, or the complete lack of, security safeguards.
Control automation professionals who are security aware use a combination of control system focused network security practices, proper OPC architecture design, and OPC–centric security products. Using the right products, the security of existing systems can be greatly enhanced without the need for replacing equipment or in-depth IT experience. The MatrikonOPC Security Gateway and the Tofino OPC Enforcer are off-the-shelf components that can secure OPC-based communications quickly and effectively.
The reality is that security incidents don't just happen to 'other people'. Smart companies will prepare for the unexpected by evaluating their control system security before a costly security incident occurs.
For a detailed discussion of defense in depth for OPC Security, download the companion White Paper "Effective OPC Security for Control Systems – Solutions you can bank on"