We have been working on an OPC security whitepaper for a very long time now with Eric Byres – - so long that the work started when Eric was still at BCIT. The delays were due to constantly adding more info and sending it out for more review. The review including control vendors, OPC ‘experts’, Microsoft and many others, and the value of this review will be apparent in later sections.
As the whitepaper grew to almost 100 pages, Eric suggested we split it into three parts. Parts II and III will be released the first Tuesday of May and June respectively. Part I of the whitepaper is available today and goes straight to the Subscriber Only content.
Part I includes an overview of the OPC specifications and their purpose in a control system environment. I think the most interesting information in Part I are the results from a survey of 113 OPC users. Here is a sample of interesting statistics from the report:
- 27% of respondents said there would be a “loss of production” and 33% said there would be a “permanent loss of historical data” if an OPC server was unavailable
- In the believe or not category – - 8% of respondents said they had an OPC server exposed to the Internet (without VPN). 22% had an OPC server on the corporate network, and 30% had an OPC server on a control system DMZ. What this validates is compromised OPC servers are a widely available path through a perimeter security device to the control center.
- I was surprised that 15% of respondents said they were implementing the OPC Security specification. I have yet to run into an asset owner using this largely DOA specification.
Parts II and III focus on the threats and recommended practices for securing OPC.