Effective OPC Solutions mean better Control System Security
19 April 2011
For the past decade, industrial control system professionals have wanted to believe that ‘air gaps’ truly existed between their systems and the rest of the world. They have also hoped that ‘security by obscurity’ would keep them safe from security threats.
Those days are over. Recent security incidents such as the game-changing Stuxnet worm are a wakeup call for the industrial automation industry. While the risk of cyber attacks and malware are no longer in doubt, the question remains, “Exactly how can an engineer reliably secure his or her control system?”
Complicating the situation is the widespread use of commercial off-the-shelf (COTS) information technologies like Windows and Ethernet on critical control systems. The use of these common networking, computer and software technologies has certainly reduced costs and increased business agility. However, it has also increased the demands to balance the need for accessibility to control system data with the need to safeguard the integrity and usability of mission critical systems.
One of the most effective ways to manage the conflict between the demands of efficient access and the demands of effective security is to minimize the variety of interfaces and protocols operating between the control system and external networks. Having one approved connectivity solution serving multiple corporate requirements not only reduces administration costs, but also reduces the opportunities open to the attacker or worm. This is known as “reducing the attack surface” of a system.
Thus the key task for an administrator is to select an appropriate communications technology that can be used by the widest variety of control AND business systems. While there are a number of possible candidates, OPC is without question one of the easiest and most widespread standards to address the demands of universal data access in the industrial automation world.
By layering defenses that are OPC-aware, high security solutions can be created that meet both the security and access expectations of a company, all without administrative overload on the network or controls team. The result is a standards-based solution that has been proven across numerous control systems.
Furthermore, since OPC is so universal, it has the potential to be the only protocol needed for enterprise to control system communications. And following the security principle of “reducing the attack surface”, an OPC-based solution is possibly the most secure solution for control system interfacing available today.
It is important to emphasize the standards in recommending an OPC security solution. There are many so called “security solutions” that are secure only because they are obscure. It only takes one determined hacker (such as Luigi Auriemma who published 34 SCADA/HMI vulnerabilities in March 2011) to break into proprietary systems and publish the exploit code on the Internet. Then “security by obscurity” is useless.
In terms of providing network-focused security, an OPC-aware solution is the Tofino Security Appliance with the Tofino OPC Enforcer Loadable Software Module. It is designed to secure ANY OPC product, because it uses core IP, TCP, RPC and DCOM standards exactly as they were intended. Similarly, for application-focused security, and for granular role and user-based security, the MatrikonOPC Security Gateway is fully based on the OPC Security specification and provides complete security for OPC architectures.
These two products have been successfully tested together with the Tofino technology providing front line protection from 99.99% of all network based attacks such as Denial of Service, unapproved clients, malformed DCOM connections etc. Once network traffic related to OPC has been vetted, the MatrikonOPC Security Gateway enforces the specific security policies chosen by the administrator– ensuring each user only gets access to the specific data he or she has authorization to work with.
The bottom line for control engineers looking for a reliable security solution is: if you use one protocol for control system communications and if you select standards-based OPC security products, you can achieve high security without administrative overload.
For a detailed discussion of defense in depth for OPC Security, download the White Paper “Effective OPC Security for Control Systems – Solutions you can bank on”
Byres Security Inc
PO Box 178
No. 5-7217 Lantzville Road
Tel: 001 250 3901333
Fax: 001 250 3903899