New study reveals OPC usage may be putting major industries at risk

April 5, 2007
Survey results show companies are using OPC for mission critical applications, are allowing access from potentially insecure networks, and don’t understand how to secure it properly.
A survey of 113 OPC users from Fortune 500 companies shows that OPC deployments may be putting industry at risk. Companies are using it for mission critical applications, are allowing access from potentially insecure networks and don’t understand how to secure OPC properly. The survey results and an OPC overview are presented in the report, OPC Security Whitepaper #1 - Understanding OPC and How it is Deployed. The report was produced jointly by security experts at the British Columbia Institute of Technology (BCIT), Digital Bond and Byres Research. Over a year in the making, the report is based on industry surveys and in-lab testing of both OPC vulnerabilities and security solutions. It is the first in a series of three whitepapers that will be released over the next two months. The second and third white papers will investigate the specific security risks incurred in deploying OPC and offer security guidelines for industrial companies using the technology.

OPC is a communications technology designed to facilitate the transfer of data between industrial control systems, supervisory systems and enterprise systems in industries such as electricity, petroleum refining, chemical production, nuclear power, water, transportation and manufacturing. It was developed in response to the need for a standardized method for allowing different control systems to interface with each other. Today it has grown to be the leading technology for integrating different control products.

Many in the industry believe that OPC is just used for data management purposes on the plant floor and isn’t all that vital. The survey results contradict this myth, showing that OPC is a critical component of many production systems. Over a quarter of the end-users surveyed reported that loss of OPC communications would result in a shutdown of their company’s production.
While a few users remarked that they had deliberately structured their systems to minimize any safety and operational effects if loss of OPC-based information should occur, others stated the opposite: “We control the motor drives by OPC with the DCS. If we lose the OPC we stop the production!” Many OPC experts note that the technology was never designed with this level of criticality in mind.

Unfortunately, viruses and worms from the IT world may be increasingly focusing on the underlying RPC/DCOM protocols used by OPC. At the same time, news of the vulnerabilities in OPC is starting to reach the mainstream press, as seen in the March 2007 eWeek article entitled “Hole Found in Protocol Handling Vital National Infrastructure”. Other bad news is that approximately 20% of the companies reported deploying OPC over the site business networks and corporate Intranets and 12% used OPC over the Internet, most without encryption. Since these networks are often connected to the Internet they are inherently less secure than the control networks found on the plant floor. The use of OPC over non-control systems networks leads to the distinct possibility of DCOM-based attacks disrupting critical operations.

The situation is further exacerbated by the fact that securely deploying OPC applications has proven to be a challenge for most engineers and technicians. While OPC is an open technology with the specifications freely available, engineers must wade through a large amount of very detailed information to answer even basic security questions. There is little direct guidance on securing OPC, and this new research indicates that much of what is available may actually be ineffective or misguided. This highlights the urgent need for better OPC security guidance.

Eric Byres, the CEO of Byres Security Inc., says: “The results were a surprise to us because they indicate that industry has been using OPC in ways that are far more risky than we expected. Not only are the chances of a successful cyber attack on OPC more likely (considering the networks it is being used on), but consequences are significantly more severe. All things considered, there is little doubt that some clear advice for the control engineer on how best to secure OPC systems would be very useful. We hope that these whitepapers start to address that need.”

The first whitepaper focuses on providing an overview of OPC technology and how it is actually deployed in industry. Whitepaper #2, due out May 7, will outline the risks and vulnerabilities incurred in deploying OPC in a control environment. The third whitepaper summarizes current good practices for securing OPC applications running on Windows-based hosts. All three papers are intended to be read and understood by IT administrators and control systems engineers/technicians rather than OPC programming or security experts.

Initial reviews of whitepaper #1 support the paper and its findings. Ralph Langner, an internationally recognized OPC security expert, comments: “This is certainly one of the best introductions to OPC that I have ever come across”.

The first whitepaper, OPC Security Whitepaper #1 - Understanding OPC and How it is Deployed, is available on the Byres Security and Digital Bond websites.