Safety and security issues cropped up frequently during the recent OPC Technology Summit, none more startling than those raised by Lisa Kaiser, Director of Strategic Planning for the Control Systems Security Program of the U.S. Department of Homeland Security (shown pictured with Tom Burke, President and Executive Director of the OPC Foundation). Kaiser took a cold, hard look at the growing menace of cyber security and what defensive measures are needed in a world where industrial organizations are coming under increasingly specific attack.
Kaiser showed how, in recent months, exponential growth in activity has been reported, with specific PLC systems coming under direct attack by individuals, organizations and even national agencies. Unlike earlier, when mainly glory-seekers were involved, activity now can be deeply malicious. A black-market has emerged for zero-day exploits, she said: newly-discovered vulnerabilities in industrial systems are being traded for money before the anti-malware guys can get to work.
A 400 percent increase in the reporting of vulnerabilities was experienced between 2010 and 2011. In the past six months, more than 20,000 reports of unauthorized internet accesses to control systems have been noted. Her message was clear: industrial automation systems are now a prime target for the bad guys. Adversaries are becoming extremely knowledgeable and money is now a key driver, she added. Defense-in-depth must be the target. But make sure the simple things are addressed first, such as changing predictable passwords like “password” and re-naming files currently called “my_user_IDs”
OPC UA Security Model
A different kind of security was highlighted by Mbaga Ahorukomeye from Schlumberger’s drilling division. He explained how drilling for oil and gas has become highly automated, with staff now able to direct the drilling process from remote locations once the drilling contractor has installed his heavy equipment. This enables close monitoring and control of the drill bit, especially the direction it takes deep underground. Recently, OPC UA systems have been used to help move data to and from the drill bit. “The OPC UA security model—well that was a plus,” he said. “If you are going to a rig and telling someone you are taking control, he’s asking you, ‘how can you guarantee that someone is not sending the wrong value to my controller?’”
The value proposition of OPC UA security, particularly the “out-of-the-box” capability was praised by many speakers. Veronika Schmid-Lutz of SAP said that her company already uses OPC DA and HDA for data transfers between top floor and shop floor but “our strategy is moving clearly towards OPC UA.” Security is for SAP one of the hot topics for our company, she said, and if we get the security mechanism out-of-the-box “this is very valuable for us.”
Other speakers concurred: Stephen Briant from OPC Foundation Board Company Rockwell said that security was one of the biggest challenges facing automation, while Dave Emerson of Yokogawa, also a Board Company, said that OPC UA’s built-in certificates are “a strong driver for the critical industries we deal with.” End user Mark Conde of Universal Parks and Resorts Information Technology Group in Orlando described how ICONICS’s systems and OPC products are helping Universal protect customers and equipment at its Orlando theme parks, where safety is an absolute priority. (Conde’s talk is covered in the “OPC UA Takes Center Stage at OPC Technology Summit” article in this newsletter.)
Certification Makes Life Easier
On certification, a valuable insight into latest developments was given by Nathan Pocock, Director of Certification & Test Lab for the OPC Foundation in Scottsdale, Arizona, USA. Pocock highlighted the history of OPC compliance, starting with the original self-certification processes. Compliance test tools followed later, and then in 2006 a formal OPC Test Lab was founded. Today, the OPC Foundation uses sanctioned test labs (the Scottsdale lab in North America and a lab in Germany) to test products against rigid procedures designed to enhance aspects such as reliability and interoperability.
“It’s a complete program for defining the quality guidelines for OPC products.” said Pocock. Quality, he said, covers five core competencies: compliance (with the specs); interoperability, (plug and play); robustness (the ability of products to work during good and bad situations, and recover); efficiency (avoiding CPU overloads, memory leaks); and usability. The latter, said Pocock, was related to user expectations. Does the OPC product perform as stated? Does documentation exist? Is it accurate? Does the product perform in a way that is consistent with the overall OPC way of doing things?
Certification, said Pocock, means that the product has been tested in an OPC-sanctioned Test Lab and that it meets or exceeds those quality guidelines. Procedures are carried out independently and are completely open. A Compliance Working Group defines everything. “And we work continuously to refine our procedures and develop test cases against which we test products,” he said. All the tools and test cases are made freely available online to enable vendors to produce quality products from scratch. Vendors are expected to have carried out all preliminary tests for themselves before sending their products to the Test Lab. “Once the product is submitted, we carry out our own independent tests, everything being tightly governed by those ‘procedures.’ We work steadily through all the test cases, feeding back the results step-by-step to a database to ensure consistency for everyone.” As of today, Pocock said, there are 42 certified products, with many more coming. Self-testing will be phased out because it does not give the level of confidence needed.
Pocock introduced Bill Cotter of 3M, who explained his own views on certification. “It’s all about ‘me’ the end user,” he said. “There’s no one who’d say certification is not a good thing! But it’s not a homogeneous world. We have to mix and match different things together, so we to have to have tests done. I particularly like the idea of testing for robustness,” he said. “And I love knowing that things will recover properly after stress.” He pointed out the value proposition for vendors: “They [the OPC Foundation] are giving you ways to test your products, and they are giving you the tools—what’s better than that? I think this is great value because they make you think about testing in ways you perhaps wouldn’t think of yourselves.”
One of Cotter’s soundbites was: “I just want get my job done so I can go home to see the kids.” This was echoed by Pocock: “If you use OPC-certified products today, your life will be easier.”
The OPC Technology Summit speaker presentation slides (with the exception of the Lisa Kaiser “Security” presentation, by request of the DHS) have been made available for download at the OPC Foundation web site. Visit the DHS Control Systems Security Program web site for more information on U.S Department of Homeland Security industrial control system security resources.