Home » New study reveals OPC usage may be putting major industries at risk
New study reveals OPC usage may be putting major industries at risk
The survey results and an OPC overview are presented in the report, OPC Security Whitepaper #1 - Understanding OPC and How it is Deployed. The report was produced jointly by security experts at the British Columbia Institute of Technology (BCIT), Digital Bond and Byres Research. Over a year in the making, the report is on based on industry surveys and in-lab testing of both OPC vulnerabilities and security solutions. It is the first in a series of three whitepapers that will be released over the next two months. The second and third white papers will investigate the specific security risks incurred in deploying OPC and offer security guidelines for industrial companies using the technology.
OPC is a communications technology designed to facilitate the transfer of data between industrial control systems, supervisory systems and enterprise systems in industries such as electricity, petroleum refining, chemical production, nuclear power, water, transportation and manufacturing. It was developed in response to the need for a standardized method for allowing different control systems to interface with each other. Today it has grown to be the leading technology for integrating different control products.
Many in the industry believe that OPC is just used for data management purposes on the plant floor and isn’t all that vital. The survey results contradict this myth, showing that OPC is a critical component of many production systems. Over a quarter of the end-users surveyed reported that loss of OPC communications would result in a shutdown of their company’s production. While a few users remarked that they had deliberately structured their systems to minimize any safety and operational effects if loss of OPC-based information should occur, others stated the opposite; “We control the motor drives by OPC with the DCS. If we lose the OPC we stop the production!” Many OPC experts note that the technology was never designed with this level of criticality in mind.
Unfortunately, viruses and worms from the IT world may be increasingly focusing on the underlying RPC/DCOM protocols used by OPC. At the same time, news of the vulnerabilities in OPC are starting to reach the mainstream press, as seen in the March 2007 eWeek article entitled “Hole Found in Protocol Handling Vital National Infrastructure”.
Other bad news is that approximately 20% of the companies reported deploying OPC over the site business networks and corporate Intranets and 12% used OPC over the Internet, most without encryption. Since these networks are often connected to the Internet they are inherently less secure than the control networks found on the plant floor. The use of OPC over non-control systems networks leads to the distinct possibility of DCOM-based attacks disrupting critical operations.
The situation is further exacerbated by the fact that that securely deploying OPC applications has proven to be a challenge for most engineers and technicians. While OPC is an open technology with the specifications freely available, engineers must wade through a large amount of very detailed information to answer even basic security questions. There is little direct guidance on securing OPC, and this new research indicates that much of what is available may actually be ineffective or misguided. This highlights the urgent need for better OPC security guidance.
Eric Byres, the CEO of Byres Security Inc., says: “The results were a surprise to us because they indicate that industry has been using OPC in ways that are far more risky than we expected. Not only are the chances of a successful cyber attack on OPC more likely (considering the networks it is being used on), but consequences are significantly more severe. All things considered, there is little doubt that some clear advice for the control engineer on how best to secure OPC systems would be very useful. We hope that these whitepapers start to address that need.”
The first whitepaper focuses on providing an overview of OPC Technology and how it is actually deployed in industry. Whitepaper #2, due out May 7, will outline the risks and vulnerabilities incurred in deploying OPC in a control environment. The third whitepaper summarizes current good practices for securing OPC applications running on Windows-based hosts. All three papers are intended to be read and understood by IT administrators and control systems engineers/technicians rather than OPC programming or security experts.
Initial reviews of whitepaper #1 support the paper and its findings. Ralph Langer, an internationally recognized OPC security expert, comments “This is certainly one of the best introductions to OPC that I have ever come across”.
The first whitepaper, OPC Security Whitepaper #1 - Understanding OPC and How it is Deployed, is available on the Byres Security and Digital Bond websites.
SANS Control Security Training Coming to Houston
SANS Institute will hold ICS Security Training event on June 10-15 in Houston
Compressor Controls: Saudi Aramco Buys First GE Compressor Control Systems
Saudi Aramco has purchased advanced compressor control technology from GE for the Haradh GOSP-1 facility in Saudi Arabia's Eastern Province.
ISA Training Through June in Houston
Technician training, engineering survival and SIS boot camps for condensed, intense, comprehensive educational experience.
NIST Releases Initial Cyber Security Framework Comment Analysis
The National Institute for Standards and Technology has released an initial analysis of the hundreds of comments by industry and the public they have received on the Obama Administration's "Improving Critical Infrastructure Cyber Security" executive order.
Past Time to Upgrade Your DCS?
Upgrading Your DCS: Why You May Need to Do It Sooner Than You Think
Metso Provides New Heating Solution for Finnish Utility
Finland's largest pellet-fired heating plant produces environmentally friendly energy in Tampere
K-BIM Consortium Selects Siemens' Parasolid for New AEC Applications
-BIM, a consortium of commercial, academic and government organizations wants the new application suite to help create a national standard for building information management (BIM)
Friday p.m. Wrap-Up:This Week on ControlGlobal and Elsewhere
Some of the week's biggest stories in process automation
What's Bad Weather Costing Us?
U.S. taxpayers paid nearly $100 billion responding to damages caused by last year’s extreme weather events associated with climate change, about $1,100 per taxpayer, according to an analysis by the Natural Resources Defense Council (NRDC).
BP, Shell, Statoil Raided by EC
European Commission investigators raided the offices of oil companies BP, Royal Dutch Shell and Statoil as well as data collector Platts as part of a larger inquiry into price manipulation of the global crude market.
- All news »
Access the entire print issue on-line and be notified each month via e-mail when your new issue is ready for you. Subscribe today.
- Featured White Papers