OPC Security Whitepaper, Part I

We have been working on an OPC security whitepaper for a very long time now with Eric Byres, so long that the work started when Eric was still at BCIT. The delays were due to constantly adding more info and sending it out for more review. The review included control vendors, OPC ‘experts’, Microsoft and many others, and the value of this review will be apparent in later sections.

As the whitepaper grew to almost 100 pages, Eric suggested we split it into three parts. Parts II and III will be released the first Tuesday of May and June respectively. Part I of the whitepaper is available today and goes straight to the Subscriber Only content.

Part I includes an overview of the OPC specifications and their purpose in a control system environment. I think the most interesting information in Part I is the results from a survey of 113 OPC users. Here is a sample of interesting statistics from the report:

  • 27% of respondents said there would be a “loss of production” and 33% said there would be a “permanent loss of historical data” if an OPC server was unavailable
  • In the believe it or not category: 8% of respondents said they had an OPC server exposed to the Internet (without VPN). 22% had an OPC server on the corporate network, and 30% had an OPC server on a control system DMZ. What this validates is that compromised OPC servers are a widely available path through a perimeter security device to the control center.
  • I was surprised that 15% of respondents said they were implementing the OPC Security specification. I have yet to run into an asset owner using this largely DOA specification.

Parts II and III focus on the threats and recommended practices for securing OPC.

1 comment to OPC Security Whitepaper, Part I

  • Dale, I’m not surprised. In fact, the statistics are better than I feared.

    Am I happy about it? No. I’d love to use a non-OPC driver of some sort, but ever since the demise of NetDDE, there really aren’t many ways to get real time data into the company network. OPC is one of the few well supported options we have.

    I can argue until I’m blue in the face about the perceived “need” for such real time data. The reality is that “real time” for most office workers is not “real time” to the plant floor. But trying to explain this to a cubicle commando is a wasted effort.

    If I could sell it, I’d probably post my data on an RTU or PLC and let the office folks see their real time summaries that way. However, even that has risks.

    This is where a solid security survey is really worth the money. Now if only we could teach IT about our side of the fence and they would get over their paranoia about us and teach us about their side of the fence…
