OPC Classic is widely used in control systems as an interoperability solution, interfacing control applications from multiple vendors, and this has made it very difficult to secure. The new Tofino OPC Enforcer Loadable Software Module (LSM) has been developed by Byres Security and is now available from MTL Instruments. This extension to the MTL Tofino product line of industrial network security products is claimed to be the first ever industrial firewall for managing OPC traffic. It covers OPC Classic systems, i.e., all OPC variations except OPC-UA (unified architecture).
The Tofino OPC Enforcer inspects, tracks and secures every connection made by an OPC application, opening only the exact TCP port required for a connection between an OPC client and server. The result is improved network reliability, availability and security for the process control and SCADA industries.
The Enforcer is implemented without any control system changes. The Tofino hardware is simply installed into the live network and configured using a drag-and-drop editor to select permitted clients and servers. Once installed, network security is assured, with all OPC traffic managed behind the scenes.
While a lot of the headlines around cyber security focus on hacker attacks, many incidents in fact result from problems inside the network. "Past plant shutdowns, for example, haven't been caused by hackers. Instead they were the result of badly configured software causing traffic storms that impacted critical controllers and other systems," said Eric Byres, security expert and chief technical officer at Byres Security. "The Tofino OPC Enforcer LSM does much more than block hackers and viruses from accessing the safety system. Its dynamic port management and built-in traffic-rate controls prevent many basic network problems from spreading throughout a plant."
Tricon launch earlier in 2010
Earlier this year, to enable greater interoperability of its Triconex safety systems, Invensys pioneered embedding OPC servers within its Tricon communications module (TCM). To ensure that these modules were cyber secure, Invensys also teamed with Byres Security, which had recently introduced the content inspection firewall for the Modbus TCP protocol, to create a firewall specifically for Triconex systems. The two companies then enlisted the services of MTL Instruments to build the security hardware. The result was the Triconex OPC Tofino firewall, which was introduced for Invensys customers using the Triconex TCM with the embedded OPC solution, in May 2010.
Situation with OPC-UA
Thomas J Burke, president, OPC Foundation, commented on the OPC-UA development: "The next generation of the OPC Foundation interoperability specifications, the OPC Unified Architecture, incorporates similar cyber security protection, based on the excellent work of founding companies like Byres Security, MTL Instruments and Invensys. As the use of OPC Unified Architecture expands, we look forward to collaborating with these market leaders to develop additional innovative, readily deployable solutions for the benefit of the entire OPC user community."
To provide further background on the problems in achieving OPC security, Eric Byres has co-authored a paper with Thomas J. Burke, the President of the OPC Foundation, entitled "Securing Your OPC Classic Control System."