Securing Your OPC Classic Control System

Independent Techniques for Ensuring Strong Security in Your System

By Thomas Burke and Eric J. Byres

4 of 5 1 | 2 | 3 | 4 | 5 View on one page

Launching Component Services
There are two main objectives in managing accounts and permissions on an OPC server. First, we want to grant only as much permission as is required, and ideally we want to do that on a per-DCOM-application basis. For example, if a computer is running three OPC servers but only one needs to be accessed remotely, allowing remote access to that one server alone is the preferred solution. Similarly, if all OPC servers and clients are on a single host, disabling remote access and allowing only local access significantly improves overall security.

Figure 3: Component Services (DCOM) Configuration Tool

Second, we need to create and use separate user accounts, with different privilege levels, for OPC's Launch and Access permissions. In most control environments, the day-to-day operation of OPC-based applications does not require a highly privileged account; the configuration of OPC applications, on the other hand, often does. Unfortunately, in many systems we see a highly privileged account used for everything, exposing the system to numerous security issues.

To address this, we recommend that OPC administrators create two accounts, one for day-to-day operations and one for configuration. First, an account (or better yet, an account group) called "opcadmin" should be created and used as the only account that launches or configures OPC servers. A second account (or account group) called "opcuser" can be created for users who need only to connect to and access running OPC servers.

Once these accounts are in place, we can move to the DCOM configuration tool, which is found under Control Panel/Administrative Tools/Component Services (or started by running dcomcnfg) as shown in Figure 3. Once the Component Services application is running, expand the "Component Services" node. Within it, expand "Computers" and then "My Computer".

At this point you have two options: you can either configure the default DCOM permissions for all DCOM applications, or just the permissions for a specific OPC server application. Right-clicking on "My Computer" in the "Component Services" screen and choosing "Properties" from the menu will let you set the defaults.

On the other hand, if you want to set the permissions for a specific OPC application, click on "DCOM Config" to get the screen shown in Figure 3. This list includes every application on this server that can use DCOM. On the plant floor you are likely to find the OPC servers you are using in it, but you may have to dig around for them. For the rest of this section we will assume that you are setting the permissions for a specific OPC application.

Figure 4: General Configuration Tab for an OPC Server

Figure 5: Location Configuration Tab for an OPC Server

Figure 6: Security Configuration Tab for an OPC Server

Controlling the Authentication Level
The first change to make is to the Authentication Level of the OPC server, as shown in Figure 4. The authentication level determines what authentication is required before an OPC client can talk to the server, and the levels are defined as follows:

•    Default - Inherits the computer-wide setting from the "My Computer" properties, which varies by operating system. Usually it is "None" or "Connect."

•    None - No authentication; any client that can reach the server can call it.

•    Connect - The client is authenticated once, when the connection to the server is established. Later calls on that connection are not checked again.

•    Call - The client is authenticated at the start of every RPC call the server accepts.

•    Packet - Every packet is authenticated as having come from the client. All data is authenticated.

•    Packet Integrity - Every packet is authenticated as having come from the client, and a checksum verifies that the data has not been modified in transit.

•    Packet Privacy - In addition to the checks made at the Packet Integrity level, this level encrypts the contents of every packet.

Select the OPC server you are configuring and, on the General tab, change the Authentication Level to "Connect". The "Packet Privacy" option can be used if data confidentiality is required, since it encrypts all traffic and is the most secure option. However, it is important to test it offline first, as the encryption may affect performance. In most cases "Connect" is sufficient. Bear in mind that "Connect" only authenticates the client when the connection is set up; if the network between client and server is not trusted, "Packet Integrity" is the lowest level that also protects each packet against tampering.
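Before opening Component Services on every host it helps to know which registered DCOM applications are still on "Default" or "None". The following PowerShell script is an added example and is not part of the article: it reads the per-application AuthenticationLevel value that Component Services stores under HKLM:\SOFTWARE\Classes\AppID\{GUID}, resolves "Default" against the machine-wide LegacyAuthenticationLevel value under HKLM:\SOFTWARE\Microsoft\Ole, and reports every server whose effective level is weaker than "Connect". The function names and the `-WeakOnly` switch are this example's own.

```powershell
# Added example (not from the article): audit DCOM authentication levels from the registry.
# Run from an elevated PowerShell prompt on the OPC server host.

# Numeric values of the AuthenticationLevel registry value, in the order listed above.
$AuthLevelNames = @{
    0 = 'Default'
    1 = 'None'
    2 = 'Connect'
    3 = 'Call'
    4 = 'Packet'
    5 = 'Packet Integrity'
    6 = 'Packet Privacy'
}

function Get-DcomMachineAuthLevel {
    # Computer-wide default from the "My Computer" properties. The value is absent on a
    # fresh install, in which case Windows behaves as if it were Connect (2).
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($null -ne $ole -and $null -ne $ole.LegacyAuthenticationLevel) {
        return [int]$ole.LegacyAuthenticationLevel
    }
    return 2
}

function Get-DcomAuthLevel {
    param(
        [string] $AppId,      # optional: one '{GUID}' as shown as "Application ID" on the General tab
        [switch] $WeakOnly    # only list servers whose effective level is below Connect
    )
    $machineDefault = Get-DcomMachineAuthLevel
    $root = 'HKLM:\SOFTWARE\Classes\AppID'
    $keys = if ($AppId) { Get-Item -Path (Join-Path $root $AppId) } else { Get-ChildItem -Path $root }

    foreach ($key in $keys) {
        # Keys named after an executable only map that .exe to its AppID; skip them.
        if ($key.PSChildName -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $props = Get-ItemProperty -Path $key.PSPath
        # A missing value is the same as 0: the application inherits the machine default.
        $configured = if ($null -eq $props.AuthenticationLevel) { 0 } else { [int]$props.AuthenticationLevel }
        $effective  = if ($configured -eq 0) { $machineDefault } else { $configured }
        if ($WeakOnly -and $effective -ge 2) { continue }
        [pscustomobject]@{
            AppId      = $key.PSChildName
            Name       = $props.'(default)'
            Configured = $AuthLevelNames[$configured]
            Effective  = $AuthLevelNames[$effective]
            Weak       = ($effective -lt 2)
        }
    }
}

# Usage: list every AppID whose effective level is None, then inspect a single server
# (substitute the Application ID from the General tab for the placeholder GUID).
Get-DcomAuthLevel -WeakOnly | Format-Table -AutoSize
# Get-DcomAuthLevel -AppId '{...}' | Format-List
```

Servers that show "Default" in the Configured column are the ones this section tells you to set explicitly to "Connect"; an explicit setting stops a later change to the "My Computer" defaults from silently weakening the OPC server.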

Controlling the Location
The "Location" tab lets you configure where the DCOM server can run. Here only the local computer is specified which is the typical situation in most environments as shown in Figure 5.

Managing DCOM Permissions
From here we move to the "Security" tab, which lets you configure the permissions for the different accounts. DCOM server applications have three types of permissions: Launch permissions, Access permissions and Configuration permissions. Configuration permissions control who may change the DCOM settings of a server. Launch permissions control who may start a DCOM server that is not already running (including activating it on behalf of a client). Finally, Access permissions control who may call a running COM server, and are the least dangerous of the three. Launch and Access permissions are further divided into Local and Remote rights.

These permissions control which user accounts can perform which action on an OPC server. For all three options choose Customize, then Edit, and adjust the accounts as follows:

•    Launch Permissions - Remove all existing entries and add the opcadmin account created earlier. (Some servers may also require launch permission for the opcuser account.) If a particular OPC server is meant to be used only locally, clear the Remote Launch and Remote Activation rights so that remote access to that server is disabled as well.
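Once the Launch and Access permissions have been customized, it is worth verifying the result outside the dialog, because the dialog shows one principal at a time and a stray "Everyone" or "ANONYMOUS LOGON" entry is easy to miss. The following PowerShell script is an added example and is not part of the article: Component Services stores customized Launch and Access permissions as binary security descriptors in the LaunchPermission and AccessPermission values under HKLM:\SOFTWARE\Classes\AppID\{GUID} (falling back to DefaultLaunchPermission / DefaultAccessPermission under HKLM:\SOFTWARE\Microsoft\Ole when no custom value exists), and the script decodes those descriptors, translates each ACE into the Local/Remote Launch, Activation and Access rights shown in the dialog, and warns about any principal other than the opcadmin and opcuser groups. The function names, the `-AllowedPrincipals` default and the `-LocalOnly` switch are this example's own; the COM_RIGHTS_* bit values come from the Windows SDK.

```powershell
# Added example (not from the article): decode and check DCOM Launch/Access permissions.
# Run from an elevated PowerShell prompt on the OPC server host.

# COM access-mask bits (COM_RIGHTS_EXECUTE_LOCAL = 2, COM_RIGHTS_EXECUTE_REMOTE = 4,
# COM_RIGHTS_ACTIVATE_LOCAL = 8, COM_RIGHTS_ACTIVATE_REMOTE = 16). A bare mask of 1
# (COM_RIGHTS_EXECUTE) is the older form meaning "everything, local and remote".
$ComRights = @{
    LaunchPermission = @{ 2 = 'Local Launch'; 4 = 'Remote Launch'; 8 = 'Local Activation'; 16 = 'Remote Activation' }
    AccessPermission = @{ 2 = 'Local Access'; 4 = 'Remote Access' }
}

function Get-DcomPermission {
    param(
        [Parameter(Mandatory)] [string] $AppId,     # '{GUID}' from the General tab
        [ValidateSet('LaunchPermission', 'AccessPermission')] [string] $Kind = 'LaunchPermission'
    )
    $bytes = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\AppID\$AppId" -ErrorAction Stop).$Kind
    if ($null -eq $bytes) {
        # No custom value: the computer-wide default from "My Computer" properties applies.
        Write-Warning "$AppId has no $Kind of its own; showing the machine default"
        $bytes = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop)."Default$Kind"
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(([byte[]]$bytes), 0)
    if ($null -eq $sd.DiscretionaryAcl) {
        # A NULL DACL grants everything to everyone. Component Services never writes one,
        # but a hand-edited registry or a vendor installer might.
        Write-Warning "$Kind for $AppId has a NULL DACL: everyone is allowed"
        return
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $principal = $sid.Value }   # unresolvable SID (deleted account, other domain)
        $mask = $ace.AccessMask
        $rights = if ($mask -band 1) { @('Local and Remote (legacy mask)') }
                  else { $ComRights[$Kind].Keys | Where-Object { $mask -band $_ } |
                         ForEach-Object { $ComRights[$Kind][$_] } }
        [pscustomobject]@{
            Principal = $principal
            Type      = $ace.AceType                          # AccessAllowed or AccessDenied
            Rights    = (@($rights) | Sort-Object) -join ', '
            Remote    = [bool](($mask -band 1) -or ($mask -band 4) -or ($mask -band 16))
        }
    }
}

function Test-DcomPermission {
    param(
        [Parameter(Mandatory)] [string] $AppId,
        # Local groups as created in this section; use 'DOMAIN\opcadmin' etc. for domain groups.
        [string[]] $AllowedPrincipals = @("$env:COMPUTERNAME\opcadmin", "$env:COMPUTERNAME\opcuser"),
        [switch] $LocalOnly    # the server is not meant to be reached from other hosts
    )
    foreach ($kind in 'LaunchPermission', 'AccessPermission') {
        Get-DcomPermission -AppId $AppId -Kind $kind | ForEach-Object {
            if ($_.Type -ne 'AccessAllowed') { return }       # deny entries never widen access
            if ($AllowedPrincipals -notcontains $_.Principal) {
                Write-Warning "$kind of $AppId allows unexpected principal $($_.Principal): $($_.Rights)"
            }
            if ($LocalOnly -and $_.Remote) {
                Write-Warning "$kind of $AppId grants remote rights to $($_.Principal) on a local-only server"
            }
        }
    }
}

# Usage (substitute the Application ID shown on the General tab for the placeholder GUID):
# Get-DcomPermission -AppId '{...}' -Kind LaunchPermission | Format-Table -AutoSize
# Test-DcomPermission -AppId '{...}' -LocalOnly
```

Run the check after every change made in the dialog, and again after vendor software updates: OPC server installers frequently rewrite the AppID permissions, and the registry values are the only reliable record of what is actually enforced.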
