Bandolier Security Audit File Release: MatrikonOPC

More security audit files are now available from Bandolier, a Digital Bond project funded by the US Department of Energy. We are excited to announce a beta release package for MatrikonOPC Security Gateway/Tunneler servers. Asset owners and integrators will now be able to audit the security settings of this control system application component, both at the time of deployment and periodically afterward, to verify that it is in the optimal security configuration. This release brings the total number of application components with Bandolier security audit files to 18, with even more on the way.

The MatrikonOPC Security Gateway and Tunneler products can add some important security features to an OPC installation, including granular tag permissions and better DCOM handling. The Bandolier files verify that both the applications themselves and the underlying OS are in an optimal security configuration. Like all the other releases, there is one file for the OS-level checks and one for the application checks. The OS checks are based on CIS Benchmarks for Windows Server 2003. The application file includes some important checks for default permissions assignment, DCOM permissions, and a handful of other key security settings.

DCOM permissions are a key part of OPC security. If you haven’t already, you may want to check out the Digital Bond/Byres Research OPC security whitepaper series, which covers the issues in detail. This audit file release checks DCOM permissions based on an ACL that uses the Windows built-in groups Administrators and Users. Following the advice of the whitepapers, you may want to further restrict permissions to specific opcuser/opcadmin accounts and update the audit file accordingly.
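To see which principals hold DCOM rights on a host before tightening the ACL, the following added example (not part of the Bandolier audit files or MatrikonOPC tooling) reads the machine-wide DCOM security descriptors from the registry and flags allow entries outside an expected set. The expected set is an assumption taken from the two built-in groups named above; per-application ACLs stored under each AppID are not covered.

```powershell
# Added example, not Bandolier audit-file content. Run elevated on the OPC host.
# Expected principals, by well-known SID so the check is locale-independent.
# Assumption: the built-in groups named in the post; append the SIDs of your
# own opcuser/opcadmin accounts if you restrict DCOM to them.
$expectedSids = @('S-1-5-32-544',   # BUILTIN\Administrators
                  'S-1-5-32-545')   # BUILTIN\Users

# COM access-mask bits that grant rights to remote callers.
$COM_RIGHTS_EXECUTE_REMOTE  = 0x4
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10
$remoteBits = $COM_RIGHTS_EXECUTE_REMOTE -bor $COM_RIGHTS_ACTIVATE_REMOTE

$oleKey   = 'HKLM:\SOFTWARE\Microsoft\Ole'
$settings = 'DefaultLaunchPermission', 'DefaultAccessPermission',
            'MachineLaunchRestriction', 'MachineAccessRestriction'

$report = foreach ($name in $settings) {
    $item = Get-ItemProperty -Path $oleKey -Name $name -ErrorAction SilentlyContinue
    if (-not $item) {
        # No explicit ACL is stored under this value name.
        New-Object PSObject -Property @{ Setting = $name; Principal = '(not set)'
            Type = ''; Remote = $false; Unexpected = $false }
        continue
    }
    # The value is a self-relative security descriptor stored as REG_BINARY.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor `
              -ArgumentList $item.$name, 0
    if (-not $sd.DiscretionaryAcl) { continue }

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID, e.g. a deleted account
        $allow = $ace.AceType -eq 'AccessAllowed'
        New-Object PSObject -Property @{
            Setting    = $name
            Principal  = $who
            Type       = $ace.AceType
            Remote     = [bool]($ace.AccessMask -band $remoteBits)
            Unexpected = ($allow -and ($expectedSids -notcontains $sid.Value))
        }
    }
}

$report | Select-Object Setting, Principal, Type, Remote, Unexpected |
    Format-Table -AutoSize
```

Rows with `Unexpected` set are candidates for review, not automatic findings: stock Windows ACLs include entries such as SYSTEM that fall outside the two-group list.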

What about other OPC server products? We’re working on some additional tools to expand on this release and Digital Bond’s existing OPC test tools, so stay tuned for an announcement on that.

The Bandolier security audit files work with the Nessus vulnerability scanner. If you already use the Nessus compliance checks and are a Digital Bond site subscriber, simply download the release package:

MatrikonOPC Security Gateway/Tunneller Release Package

If you are new to the Nessus compliance checks, check out this SCADApedia article: Bandolier User Guide for Nessus.

We would like to extend a special thanks to MatrikonOPC who helped us identify and test the settings and continue to work with us on Bandolier. As always, we appreciate any feedback you have.

1 comment to Bandolier Security Audit File Release: MatrikonOPC

  • [...] off is Digital Bond has released the Bandolier security audit files for the MatrikonOPC Security Gateway and Tunneller servers. These products can add some important [...]