Study finds OPC use may put industries at risk

June 27, 2007
The report is based on surveys and in-lab testing of OPC’s vulnerabilities and security solutions and is the first in a series of three whitepapers that will be released over the next two months.

Despite initial communication advantages, OPC deployments may put some industries at risk, according to a recent survey of 113 OPC users from Fortune 500 companies. These firms reportedly are using OPC for critical applications, allowing access from potentially insecure networks, and don’t understand how to secure OPC properly.

The survey’s results and an OPC overview are presented in OPC Security Whitepaper #1—"Understanding OPC and How it is Deployed," produced jointly by security experts at the British Columbia Institute of Technology (BCIT), Digital Bond and Byres Research. The report is based on surveys and in-lab testing of OPC’s vulnerabilities and security solutions. It’s the first in a series of three whitepapers that will be released over the next two months. The second and third whitepapers will investigate the specific security risks incurred in deploying OPC and offer users security guidelines.

Though many believe that OPC is just used for data management purposes on the plant floor and isn’t all that vital, the survey results contradict this myth, showing that OPC is a critical component of many production systems. Over a quarter of the end users surveyed reported that loss of OPC communications would result in a shutdown of their company’s production. While a few users say they deliberately structure their systems to minimize safety and operational effects if loss of OPC-based information occurs, others report that, “We control the motor drives by OPC with the DCS. If we lose the OPC, we stop the production!” Many experts note that OPC was never designed with this level of criticality in mind.

Unfortunately, viruses and worms from the IT world may be increasingly focusing on the underlying RPC/DCOM protocols used by OPC.

Other bad news is that approximately 20% of the companies reported deploying OPC over the site business networks and corporate intranets, while 12% used OPC over the Internet, most without encryption. Since these networks are often connected to the Internet, they are inherently less secure than the control networks found on the plant floor. The use of OPC over non-control systems networks leads to the distinct possibility of DCOM-based attacks disrupting critical operations.

The situation is exacerbated by the fact that securely deploying OPC is a challenge for most engineers and technicians. While OPC is an open technology with freely available specifications, engineers must wade through a lot of detailed information to answer even basic security questions. There’s little direct guidance on securing OPC, and this new research indicates that much of what’s available may be ineffective or misguided. This highlights the need for better OPC security guidance.

“The results were surprising because they indicate that OPC has been used in ways that are far more risky than we expected,” says Eric Byres, CEO of Byres Security Inc. “Not only are the chances of a successful cyber attack on OPC more likely (considering the networks it’s being used on), but consequences are significantly more severe. All things considered, there’s little doubt that some clear advice for the control engineer on how best to secure OPC systems would be very useful. We hope these whitepapers start to address that need.”