• Access Permissions - Remove all existing entries and add the opcadmin and opcuser accounts. Again, if a particular OPC server is meant only to be used locally, then remote access to that server can also be disabled.
• Configuration Permissions - Remove all existing entries other than the Everyone account. Modify Everyone to be read-only, and add opcadmin with full control.
These settings are shown in Figure 7. As noted above, if the server is only to be used locally (i.e. the clients and servers are all on the same machine) then Remote should be turned off.
Limiting RPC Ports and Protocols
The "Endpoints" tab allows you to select what protocols and ports can be used by this server. Prior to the development of OPC-aware firewalls, this tab also could be used to limit dynamic port allocation. Unfortunately, not all vendors of OPC products respect the setting of port numbers in this tab, so it was rather problematic. Today this setting should remain at Default System Protocols.
Setting the OPC Application's Account
Finally, the "Identity" tab lets you configure what user account the DCOM application will run under. Unless specifically required by the vendor of the OPC server, the OPC software should be set to run as the "opcuser" account and not the "opcadmin" account.
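The Access, Configuration, Endpoints and Identity settings above all end up in the registry under the server's AppID, so they can be audited without opening dcomcnfg on every host. The script below is an added example, not part of the white paper or of any vendor's tooling: it reads one AppID and reports where its settings differ from the recommendations. It assumes the registry locations dcomcnfg writes to (the AccessPermission, Endpoints and RunAs values under HKLM\SOFTWARE\Classes\AppID\{guid}, with Configuration Permissions being the ACL on that key itself), the COM_RIGHTS_* mask bits from the Windows SDK, and the paper's opcadmin/opcuser account names; the AppID GUID is a placeholder to be replaced with the one shown on the server's General tab.

```powershell
# Added audit script (not from the white paper): compares one OPC server's DCOM
# settings with the recommendations above. Run in an elevated PowerShell session
# on the OPC host. The AppID GUID is a PLACEHOLDER; take the real one from the
# server's General tab in dcomcnfg. Account names follow the paper's opcadmin /
# opcuser convention; change them if your site uses other names (assumption).
param(
    [string]$AppId = '{00000000-0000-0000-0000-000000000000}',  # placeholder AppID
    [string[]]$AllowedAccess = @('opcadmin', 'opcuser'),        # Access Permissions entries
    [string]$ConfigAdmin = 'opcadmin',                          # only writer of the configuration
    [string]$ExpectedRunAs = 'opcuser',                         # Identity tab
    [switch]$LocalOnly                                          # clients and server on one machine
)

# DCOM access-mask bits (COM_RIGHTS_* in the Windows SDK).
$COM_RIGHTS_EXECUTE_REMOTE  = 0x4
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10

$key = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
if (-not (Test-Path $key)) { throw "AppID key not found: $key" }
$props    = Get-ItemProperty -Path $key
$findings = New-Object System.Collections.Generic.List[string]

function Resolve-Sid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }   # orphaned SID: the account no longer exists
}

# Decode a REG_BINARY security descriptor into one object per DACL entry.
# An absent value means the machine-wide default still applies, which is
# exactly the state the paper tells you to replace.
function Get-DcomDacl {
    param([byte[]]$Sd)
    if (-not $Sd) { return }
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sd, 0)
    foreach ($ace in $raw.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        [pscustomobject]@{
            Trustee = Resolve-Sid $ace.SecurityIdentifier
            Type    = $ace.AceType          # AccessAllowed / AccessDenied
            Mask    = $ace.AccessMask
        }
    }
}

# --- Access Permissions --------------------------------------------------------
$access = @(Get-DcomDacl -Sd $props.AccessPermission)
if ($access.Count -eq 0) {
    $findings.Add('Access Permissions: not customised (machine-wide default in use)')
}
foreach ($ace in $access) {
    $short = ($ace.Trustee -split '\\')[-1]
    if ($short -notin $AllowedAccess) {
        $findings.Add("Access Permissions: unexpected entry '$($ace.Trustee)'")
    }
    if ($LocalOnly -and (($ace.Mask -band ($COM_RIGHTS_EXECUTE_REMOTE -bor $COM_RIGHTS_ACTIVATE_REMOTE)) -ne 0)) {
        $findings.Add("Access Permissions: '$($ace.Trustee)' still has Remote access on a local-only server")
    }
}

# --- Configuration Permissions (the ACL on the AppID registry key itself) ------
[int]$writeBits = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
                  [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                  [int][System.Security.AccessControl.RegistryRights]::Delete -bor
                  [int][System.Security.AccessControl.RegistryRights]::WriteKey
foreach ($rule in (Get-Acl -Path $key).Access) {
    $short = ($rule.IdentityReference.Value -split '\\')[-1]
    if ($rule.AccessControlType -eq 'Allow' -and
        (([int]$rule.RegistryRights -band $writeBits) -ne 0) -and
        $short -ne $ConfigAdmin) {
        $findings.Add("Configuration Permissions: '$($rule.IdentityReference)' can modify the configuration (should be read-only)")
    }
}

# --- Endpoints ------------------------------------------------------------------
if ($props.Endpoints) {
    $findings.Add("Endpoints: custom protocol/port list set ($($props.Endpoints -join '; ')); expected Default System Protocols")
}

# --- Identity -------------------------------------------------------------------
$runAs = $props.RunAs   # absent = 'The launching user'
if (-not $runAs) {
    $findings.Add("Identity: runs as the launching user; expected '$ExpectedRunAs'")
} elseif (($runAs -split '\\')[-1] -ne $ExpectedRunAs) {
    $findings.Add("Identity: runs as '$runAs'; expected '$ExpectedRunAs'")
}

if ($findings.Count -eq 0) { "No deviations found for $AppId" } else { $findings }
```

Run it once before and once after applying the settings, and keep the second report with the change record; because it reads the effective registry values rather than what was typed into the dialog, it also catches the case where a vendor's installer or update has silently reset the AppID back to defaults.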
Test the New OPC Permissions
As you will have noted from the above, the settings for restricting DCOM account permissions are more complex than the ones needed for OPC-aware firewalls. In addition, making these changes can negatively impact the operation of some OPC products. Thus we highly recommend that you test all the above security settings first in a non-production environment and then again in the actual production system.
Looking Forward - OPC-UA and OPC-XI
Over the past few years, the OPC Foundation has developed two new versions of OPC, called OPC-UA and OPC-XI, which are based on protocols other than DCOM. Once most OPC applications have migrated from the DCOM-based architecture to the .NET-based one, industry will have a significant opportunity to improve OPC security.
If your operation has already converted to OPC-UA or XI, we salute you. However, if your company is like most, it will be a while before you can rid your plant of all traces of OPC Classic. With the world facing new and evolving cyber threats, some now directed specifically at industrial control systems, we recommend that all companies take a serious look at improving the security of their OPC Classic systems. The techniques and technologies for better OPC security outlined in this white paper are available and proven. As many companies have discovered, not using them can be costly.
Frequently Asked Questions
What is OPC Classic?
OPC Classic is the new name for all OPC specifications that are based on Microsoft's COM and DCOM technologies. This includes the most popular OPC specifications such as OPC Data Access (OPC DA), OPC Alarms and Events (OPC A&E) and OPC Historical Data Access (OPC HDA).
What is OPC-UA (Unified Architecture)?
OPC-UA is a new specification created by the OPC Foundation to tie together all existing OPC technology using the Microsoft .NET Architecture. OPC-UA replaces COM, DCOM and RPC with two different transports: SOAP/HTTPS and a binary message encoding that communicates directly over TCP.
What are COM, DCOM and RPC?
COM (Component Object Model), DCOM (Distributed Component Object Model) and RPC (Remote Procedure Call) are the actual communications protocols used by OPC Classic to communicate between clients and servers. In most cases, DCOM and RPC use the lower layer Ethernet, IP and TCP protocols to travel between computers.
What is a TCP or UDP Port Number?
The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) specify that a 16-bit unsigned integer (i.e. 0 to 65535) should be placed in the packet header to indicate the application which is sending or receiving the message. This is known as the port number.
What is a Firewall?
A firewall is a mechanism used to control and monitor traffic to and from a network for the purpose of protecting devices on the network. It compares the traffic passing through it to predefined security criteria or a policy, discarding messages that do not meet the policy's requirements.
My control system is never connected to the Internet. Am I still at risk from cyber incidents?
ABSOLUTELY – Studies have shown that only a few attacks on control systems have come directly from the Internet. Most enter the system from either the business network or through secondary pathways such as infected laptops, USB keys, remote access over Virtual Private Networks (VPNs) or modems.