The viruses and hacker attacks that occur daily in the information technology field may be inching closer to the factory floor. Recent disclosures about security flaws in the OPC standard raise concerns that the security-through-obscurity concept that has helped protect production lines no longer exists. OPC is an open connectivity standard.
A recent study by the British Columbia Institute of Technology, Canadian-based Byres Security Inc. and Digital Bond, Sunrise, Fla., highlighted the vulnerabilities in OPC. They are compounded by OPC’s use of Microsoft Corp.’s Distributed Component Object Model (DCOM) and Remote Procedure Calls (RPC), which are also used in the information technology (IT) world.
That creates a huge potential for problems on the plant floor. “OPC is completely ubiquitous in control applications, and its underlying protocols are DCOM and RPC, which are a hacker’s dream,” says Eric J. Byres, chief executive officer of Byres Security, based in Lantzville, British Columbia, Canada. Security holes are particularly glaring for companies that use OPC with Internet connections or other links outside the factory walls, he adds.
That report has sparked a debate that is being monitored by managers in the huge number of facilities that employ the specification. “There are probably 200,000 to 300,000 people using OPC,” says Rashesh Mody, chief architect for the OPC Foundation.
Yes, we know
It’s not a secret that OPC security is lacking. OPC Foundation President Tom Burke notes that the original OPC development team assumed that operating system security would be sufficient for many of the OPC-based solutions that were being deployed. In the 1990s, when the specification was written, security was not a major issue in manufacturing sites, which often had minimal connections outside plant walls.
While acknowledging OPC’s shortcomings, the standard’s developers note that security isn’t a priority for many users, who often don’t take actions suggested to enhance protection. “Many times, the issues aren’t with OPC and DCOM. It’s that patches haven’t been installed, people aren’t up to date with operating systems, and a lot of other criterion people forget,” says Mody, who is also chief technology officer at Wonderware, an automation software vendor in Lake Forest, Calif., and a unit of London-based Invensys plc. However, Byres says that Microsoft is moving away from DCOM and RPC, so the flow of fixes for them is coming to an end.
Underscoring the widespread feeling that plants were safe because the technologies they used were obscure, Burke notes that an attempt to rectify OPC’s gaps with a security specification in the mid-1990s got minimal acceptance. Users didn’t push vendors to adopt it, so eventually the document met the classic definition of “not being worth the paper it is printed on,” Burke muses.
All parties agree that there’s no need to tear out OPC installations and switch to alternatives. The next generation, OPC Unified Architecture (OPC UA), was developed with an eye toward providing the security that is necessary in today’s world. It’s even endorsed by critics of existing technology. “People should get rid of OPC and move to OPC UA,” Byres says.
The new architecture will be a significant help, providing a generic solution that allows implementation of the required security features at various places in the OPC UA architecture. Security functions can be implemented at different levels, using various maps designed to meet users’ varying requirements.
Secure channels in the communications layer provide security for messages sent at the application layer, providing encryption and requiring digital signatures. A number of other security features are employed in the new specification.
“The OPC Foundation Unified Architecture has made security a required part of the infrastructure, and the whole service-oriented architecture has taken security to the next level. It’s no longer optional for the vendors. We want to give the end-users control to decide what level of security they need,” Burke says.
However, the document has not yet been designed into equipment, so it will be a while before its benefits will be fully used on the plant floor. Mody estimates that it will be close to a year before the first OPC UA equipment is shipping.
That means that many companies will be dealing with existing versions of OPC for several years. “This industry isn’t like IT, where new products roll out fairly often. In our industry, people put stuff in and use it for 10 to 20 years,” Byres says.
In the meantime
Until companies make the transition, there are plenty of steps that they can take to keep their facilities secure. First and foremost, users need to take advantage of the security technologies that are available to them. “Many people are guilty of opening up all the security settings. The majority of OPC installations don’t ask for a password,” Byres says. In the short term, just requiring passwords will help significantly, he observes.
Another step is to adopt encryption for messages moving throughout the factory, which makes it difficult for hackers to send commands unless they somehow learn the encryption scheme. “Network domain isolation, which uses encryption to provide security, is becoming popular,” Mody says.
Byres notes that far more extensive security steps are available on the Web. CERN, the huge particle physics laboratory in Geneva, Switzerland, provides a number of security steps, and at press time, Byres was nearing completion of a 40-page paper that addresses the OPC security issue. Mody adds that Wonderware and other companies have information, as does the OPC Foundation.
Just how many of the suggestions a company will deploy depends on its perception of risk. Implementing security requires taking time to learn about security options, as well as the time needed to install and maintain them. Security programs can also hamper execution times.
“There will be an impact on performance, but you manage the impact on performance by exercising the functionality of security that’s germane to the problem you’re trying to solve,” Burke says.
Even users who have installed the level of security they want can sometimes find that their plans have been thwarted. When new equipment is installed, settings are sometimes altered without any user notification.
“When you install scripts from many equipment vendors, they deliberately downgrade security to make the installs easier. Many people think they’ve done everything right, only to find an installation has removed many of their security settings,” Byres says.
He feels that equipment providers at all levels should be spearheading the move to improve network security. “Vendors have a tremendous responsibility. They can add security instead of removing it, and they can help people migrate to UA more quickly,” Byres says.
All security systems are designed to provide a level of protection that matches the perceived threat. In many factories, the perceived need for much protection is quite low, partially because there have been few publicized incidents. However, the cost of attacks in industry can be high, both in cost of goods and time to repair systems.
These concerns are being addressed in the utility field. The Institute of Electrical and Electronics Engineers in the United States established the Critical Infrastructure Protection Committee late last year in hopes of getting Congress to look more closely at cyber security for power generating plants and power distribution. The North American Electric Reliability Corp., which is charged with ensuring that the bulk electric system in North America is reliable and secure, is now completing eight Critical Infrastructure Protection reliability standards.
To see the accompanying sidebar to this story - "Physical Security is Now More Than Just Locks" - please visit www.automationworld.com/view-3293