Systems Integration

IOM Collaboration Develops First OPC Classic Firewall

By Andrew Bond, Industrial Automation Insider

Sep 03, 2010

IOM Collaboration Develops First OPC Classic Firewall
Concerns regarding the security of OPC Classic have been current for a number of years and are among the issues that have been addressed in the new OPC UA (Universal Architecture) specification. Nevertheless OPC Classic continues to be the world’s most widely used industrial integration protocol and is likely to remain so for a considerable time while, in the process automation field in particular, doubts over the ability of OPC UA to meet its specific needs have led to the development and acceptance by the OPC Foundation of the more limited OPX Xi.

Meanwhile, however, the security problems raised by OPC Classic, which relate specifically to the vulnerabilities inherent in Microsoft’s DCOM technology and its use of multiple ports, are of particular concern to vendors of mission-critical systems which rely on OPC for communication and integration. That’s especially true of Safety Instrumented System (SIS) vendors such as Invensys Operations Management (IOM) which uses OPC to provide integration of its Triconex safety systems with its own and other vendors’ HMIs and DCSs or, in safety jargon, Basic Process Control Systems (BPCSs). Hence the collaboration between IOM, cybersecurity specialist Byres Security and Cooper Crouse-Hinds subsidiary MTL, which has resulted in what is claimed to be the first firewall to protect integrated applications based on OPC Classic.

Traffic Storms
Although the nightmare scenario for those engineering or relying on SISs is one of terrorists, criminals or others hacking into their systems, the more likely risks are rather more mundane, although nonetheless serious in terms of their potential consequences. "Past plant shutdowns … haven’t been caused by hackers. Instead they were the result of badly configured software causing traffic storms that impacted critical controllers and other systems," says Byres Security chief technical officer Eric Byres. "The Triconex/Tofino OPC firewall does much more than block hackers and viruses from accessing the safety system. Its dynamic port management and built-in traffic-rate controls prevent many basic network problems from spreading throughout a plant."
IOM, which becomes the fourth major system vendor to license the Tofino technology, claims to have pioneered the embedding of OPC servers into its Tricon Communications Module (TCM), principally to enable it to offer a level of integration with host BPCSs compatible with that of the new generation of integrated SISs introduced in recent years by other vendors.

"Sanity Check"
The new OPC firewall, developed specifically for Triconex systems, builds on the approach adopted in Byres’ Modbus TCP solution, introduced in 2008 and claimed to be the world’s first "content inspection" firewall. "Its OPC ‘Sanity Check’ feature blocks OPC requests not conforming to the DCE/RPC standard, preventing many common cyberattacks," explains Byres. The resultant Triconex/Tofino OPC firewall is typically deployed in front of the Triconex OPC server, thwarting attacks and traffic storms before they reach the safety system.

Keeping a close eye on the development is OPC Foundation president Thomas J. Burke who sees the Invensys solution as an "important milestone in demonstrating that users can secure the interoperability of OPC Classic within other applications without worrying about cybersecurity. As the use of OPC Unified Architecture expands, we look forward to collaborating with these market leaders to develop additional innovative, readily deployable solutions for the benefit of the entire OPC user community."

A white paper on the Triconex/Tofino solution is available for free download at