01/10/2013
Test the New OPC Permissions
As you will have noted from the above, the settings for restricting DCOM account permissions are more complex than the ones needed for OPC-aware firewalls. In addition, making these changes can negatively impact the operation of some OPC products. Thus we highly recommend that you test all the above security settings first in a non-production environment and then again in the actual production system.
Looking Forward - OPC-UA and OPC-XI
Over the past few years, the OPC Foundation has developed two new versions of OPC, called OPC-UA and OPC-XI, which are based on protocols other than DCOM. Once most OPC applications have migrated from the DCOM-based architecture to the .NET-based architecture, industry will have a significant opportunity for better security when it comes to OPC.
If your operation has already converted to OPC-UA or XI, we salute you. However, if your company is like most, it will be a while before you can rid your plant of all traces of OPC Classic. With the world facing new and evolving cyber threats, some now directed specifically at industrial control systems, we recommend that all companies take a serious look at improving the security of their OPC Classic systems. The techniques and technologies for better OPC security outlined in this white paper are available and proven. As many companies have discovered, not using them can be costly.
What is OPC Classic?
OPC Classic is the new name for all OPC specifications that are based on Microsoft's COM and DCOM technologies. This includes the most popular OPC specifications such as OPC Data Access (OPC DA), OPC Alarms and Events (OPC A&E) and OPC Historical Data Access (OPC HDA).
What is OPC-UA (Unified Architecture)?
OPC-UA is a new specification created by the OPC Foundation to tie together all existing OPC technology using the Microsoft .NET Architecture. OPC-UA replaces COM, DCOM and RPC with two different transports: SOAP/HTTPS and a binary message encoding scheme that communicates directly on top of TCP.
What are COM, DCOM and RPC?
COM (Component Object Model), DCOM (Distributed Component Object Model) and RPC (Remote Procedure Call) are the actual communications protocols used by OPC Classic to communicate between clients and servers. In most cases, DCOM and RPC use the lower layer Ethernet, IP and TCP protocols to travel between computers.
What is a TCP or UDP Port Number?
The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) specify that a 16-bit unsigned integer (i.e. 0 to 65535) should be placed in the packet header to indicate the application that is sending or receiving the message. This is known as the port number.
What is a Firewall?
A firewall is a mechanism used to control and monitor traffic to and from a network for the purpose of protecting devices on the network. It compares the traffic passing through it against predefined security criteria or a policy, discarding messages that do not meet the policy's requirements.
My control system is never connected to the Internet. Am I still at risk from cyber incidents?
ABSOLUTELY – Studies have shown that only a few attacks on control systems have come directly from the Internet. Most enter the system from either the business network or through secondary pathways such as infected laptops, USB keys, remote access over Virtual Private Networks (VPNs) or modems.