OPC Security White Paper #1 - Understanding OPC and How it is Deployed
Abstract: This White Paper is the first in a series on the security of OPC (OLE for Process Control) and focuses on providing an overview of the widely-used industrial communication standard and how it is actually used in industry. Based on the results of end-user surveys and interviews, it shows that the way OPC is being used may be putting the operations of major industries at risk. Companies are using it for mission critical applications, operating it over potentially insecure networks and don’t understand how to secure properly.
Over a quarter of the end- users surveyed reported that loss of OPC communications would result in a shutdown of their company’s production. While a few users remarked that they had deliberately structured their systems to minimize any safety and operational effects if loss of OPC-based information should occur, others stated the opposite; “We control the motor drives by OPC with the DCS. If we lose the OPC we stop the production!”
The other bad news is that approximately 20% of the companies reported deploying OPC over the site business networks and corporate Intranets and 12% used OPC over the Internet, most without encryption. Since these networks are often connected to the Internet they are inherently less secure than the control networks found on the plant floor. The use of OPC over non-control systems networks leads to the distinct possibility of DCOM-based attacks disrupting critical operations.
White Paper #2 outlines the risks and vulnerabilities incurred in deploying OPC in a control environment. White Paper #3, to be released June 12th, summarizes current good practices for securing OPC applications running on Windows-based hosts. All three papers are intended to be read and understood by IT administrators and control systems engineers/technicians rather than OPC programming or security experts.
Understanding OPC and How it is Deployed - White Paper (745kb)