OPC Security Whitepaper, Part III Is Out

It was a very long time in the works, and I have to give Eric Byres a lot of credit for his diligence in getting reviews and incorporating feedback from a cast of thousands for Part III. The final part of the OPC Security Whitepaper Series written by Byres Research, Digital Bond and BCIT is now available on our site to subscribers and likely will be on Eric’s site soon as well.

As a reminder, Part I provided an overview of OPC and included interesting survey results on how OPC is being used. Part II described risks and vulnerabilities in OPC clients and servers. Part III completes the picture by provide specific and detailed guidance on how to harden OPC clients and servers.

Part III is 54 pages long, which represents the complexity of the OPC / DCOM security problem. Some of the possible security measures, such as configuring the Windows firewall, are quite frankly so complicated we would be hard pressed to recommend them, but they are a technical control that is available to OPC clients and servers.

Other portions, such as guidance on setting DCOM authentication and permissions to limit access to OPC servers as well as the RPC hardening recommendations to make OPC more firewall friendly, we consider essential. The good news is there finally is a step by step guide to a thorough set of security hardening recommendations for OPC clients and servers.

If the paper is not enough – - stay tuned for next week when we will release a tool to subscribers that will allow you to audit your OPC servers to the guidance provided in Part III.

4 comments to OPC Security Whitepaper, Part III Is Out

  • sb

    Hi,

    a very nice and quite comprehensive guide! thanks to all the authors!

    Several times I discussed with OPC users some of the security measures described in the whitepaper. Quite often, these users argued that they fear decreased performance caused be security measures. Others said that they had already tried to lock down their OPC servers (e.g. by setting more restrictive access rights), but experienced performance problems afterwards. Assuming a 100 Mbit/s local network and a correctly configured Windows environment I can’t see how setting access rights can have a measureable impact on peformance distinguishable from statistical fluctuations of network throughput.

    My question to the commnity would be: Has anyone experienced performance problems when locking down OPC servers? Could these problems be solved? Or is this some kind of a technical myth a.k.a the never-touch-a-running-system-philosophy?

    regards,

    stephan

  • sb

    aargh. I didn’t have my morning coffee yet. sorry for all the spelling mistakes :(

  • rl

    Performance degradation caused by setting DCOM access rights properly appears to me as some kind of bizarre perceptual problem. BTW, anybody concerned about performance would better think about getting rid of OPC in the first place. ;-)

  • [...] third installment of the OPC Security Whitepaper Series written by Byres Research, Digital Bond and BCIT.    I’ve posted before on Parts One and Two.   This final paper presents guidelines [...]

Leave a Reply