Effective OPC Security for Control Systems - SCADAhacker

Systems are ChangingExample:Recent significantindustrial security incidents #1The Stuxnet worm, malwaredesigned specifically to attackSiemens WinCC, PCS7 and S7PLC projects, enters a controlsystem through infected USB keys(so Internet connectivity was anot a requirement for infection).However once inside it spreads toother computers using protocolsfor file sharing, printer sharing andSQL database access.Since there were no patches forthese “attacks” when theworm was first discovered, thebest defense was to not letthose protocols reach criticalservers unless absolutely needed.Unfortunately, as noted earlier, oldfashioned OPC solutions would dojust the opposite – every protocolpossible was free to be sent to theOPC server, whether it was neededfor control or not.Information networks have become the heart of the supervisorycontrol and data acquisition (SCADA) systems companies use to providecentralized management and monitoring capabilities. Traditionallycompanies constructed distributed control systems (DCS) and SCADAsystems that were separated from other corporate systems. Suchsystems were effectively “walled off” by proprietary equipment orprotocols.Business drivers have led to the convergence of companynetworks and industrial technologies. For example, the demand forremote access for either data access or support has rendered manycontrol systems accessible through non-SCADA networks. Similarly,many companies are reducing network deployment and managementcosts through shared hardware, backbones and network supportresources. Most important of all, the increased use of commercialoff-the-shelfcomputer components and office-network technologies hastransformed the way business is conducted in almost every majorindustry. These standardization strategies are enabling companies tooperate cost effectively, communicate more efficiently and implementmore agile business practices through instant access to data throughoutthe organization, including the plant floor.While companies reap the benefits of these initiatives, many are alsodiscovering the inherent dangers that result from making controlnetworks more accessible to a wider range of users. Linking corporatesystems together to provide access to customers, suppliers, and otherthird parties significantly increases the vulnerability of sensitive andproprietary information contained in these systems. It also exposes thesystems to external events such as worms, viruses and hackers. Thisincreases the demands on system administrators to balance the need foraccessibility with the need to safeguard the integrity and usability of theirmission critical control systems.Reducing the Attack SurfaceOne of the most effective ways to manage the conflict between thedemands of efficient access and the demands of effective security is tominimize the variety of interfaces and protocols operating between thecontrol system and the external networks. Having one approvedconnection solution that serves multiple corporate requirements not onlyreduces deployment and administration costs, but also reduces theopportunities open to the attacker or worm. This is known as reducingthe “attack surface” of a system.Thus the first task for an administrator is to select an appropriatecommunications technology that can be used by the widest variety ofcontrol AND business systems. While there are a number of possiblecandidates, including Modbus TCP or Hyper Text Transfer Protocol (HTTP),OPC is without question one of the easiest and most widespreadstandards to address the demands of universal data access in theindustrial automation world.2

Example:Recent significantindustrial security incidents #2In a less famous incident, a majorenergy complex was infected by avirus in 2009, when a contractorremotely connected to a vibrationmonitoring system to providemaintenance support. The viruswas able to propagate from themonitoring system computersto various DCS servers, causingrepeated crashes of key serversand loss of production.At the time, the site usedtraditional IT firewalls to isolatethe various control systems.Unfortunately OPC Classic’s use ofdynamic ports resulted in firewallsrules being deployed that wereineffective in stopping the virus.OPC-aware firewalls like the TofinoOPC Enforcer allow much tighterrules and would have prevented theworm from spreading.Once known as OLE for Process Control and now officially referred toas OPC Classic , it is the world’s most widely used industrial integrationstandard. It is employed by a broad range of industrial and businessapplications ranging from interfacing human machine interface (HMI)workstations, safety instrumented systems (SIS) and DCSs on the plantfloor, to enterprise databases, enterprise resource planning (ERP)systems and other business-oriented software in the corporate world.But what about the security demands - can OPC address these? As thispaper will illustrate, the answer is a definite YES. By layering defensesthat are OPC- aware, high security solutions can be created that meetboth the security and access expectations of a company, all withoutadministrative overload on the network or controls team. The result is astandards-based solution that has been proven across numerous differentcontrol systems.Layering DefensesIf reducing the attack surface is the first key to good security, thesecond is the layering of security defenses. Often referred to as ‘defensein depth’, the concept is to manage risk with diverse defensive strategies.Layering defenses gives several benefits. The most obvious is that if onelayer of defense is compromised, another layer of defense, using adifferent security method, presents an additional obstacle which caninhibit further penetration.A more subtle, but equally powerful benefit is that attacks come indifferent flavors and each defensive layer can be optimized to deal witha specific range of threats. For example, defending against a standardcomputer worm needs different techniques compared to defendingagainst a disgruntled employee. Thus a key to enhancing each defensein depth layer is ensuring that each layer of security considers thecontext of the information or system it is protecting.Defense in Depth: Bank ExampleSecurity in a bank presents a good analogy for the defense in depthapproach to security for control systems. What is it that makes a typicalbank more secure than a home or convenience store? The bank employsmultiple security measures to maximize the safety and security of itsemployees, customers and their valuables. Not only are there morelayers, each layer is designed to address a specific type of threat at thepoint where it is employed. For example, just to name a few defenses,a typical bank has steel doors, bulletproof windows, security guards,security box keys, safes and security-trained tellers. Bank doors areeffective, but simple security devices. They are either locked or unlocked.They either grant or deny access to customers on an all-or-nothing basis– regardless of what a visitor looks like or how the visitor behaves.One layer up is the security guards – they perform access control to‘clean’ the general flow of people into the bank. They ensure that accessto the bank is for people who have a legitimate need to be there and will3

‘behave’ within expected norms. They regard each visitor based onspecific criteria, such as, not wearing a mask, suspicious behavior,acting erratically etc.Backround:The term “OPC Classic” refersto all OPC standards prior to thenew OPC-Unified Architecture(OPC-UA) standard. This includesthe most popular specificationssuch as OPC Data Access (OPCDA), OPC Alarms and Events(OPC A&E) and OPC HistoricalData Access (OPC HDA).Visit the OPC Foundationwebsite for more information.At yet another level, the tellers, security box keys, passwords, etc.keep these pre-screened customers from accessing other accountsor information. Rather than worrying if a visitor should or should notbe in the bank, the tellers and passwords present a different layer ofsecurity: account security. These measures ‘filter’ what accountaccess individual customers are allowed, based on who they are.Note that the security layers are context specific, which is whybanks don’t simply have additional security guards at every level.The security solution must fit the context of the threat expected atthat level.Industrial Control System SecuritySo what does this have to do with security on the plant floor?Well, for industrial communications the roles of the ’bank guard’and the ‘teller’ are broadly analogous to ‘Network Security’ and‘Application-Focused Security’.For example, the firewall acts like the guard, so that specifiedprotocols are either permitted or denied access into the controlnetwork. And just like a more experienced bank guard, a moresophisticated SCADA-aware firewall observes the traffic beyond theobvious protocol types and makes additional filtering decisions basedon the behavior and context of the systems using these protocols onthe network.Similarly, an OPC server with a robust OPC security implementationcan act like a well-trained bank teller. After a user successfullyconnects to an OPC server, the OPC Security configuration ensuresthey only get access to the specific sets of data they are supposed tosee. Attempts to access others’ data should be blocked and logged.As with the guard and the bank teller example, the firewall providingthe network security and the OPC server providing the applicationsecurity are an essential team. For example, a firewall can blockmillions of randomly malformed messages directed at a server aspart of a Denial of Service (DoS) attack. At the same time, userauthentication and authorization checks can prevent an attacker insidethe firewall from accessing process set points in a system and makingchanges that might risk property or lives.4

Step 1Invalid RequestOPC Conn ReqOPC Conn ReqOPC Client Firewall OPC ServerThe OPC Firewall intercepts a connection request from the OPC client andconfirms it is an approved server from an approved client and the message isa properly formed OPC connection request.Step 2OPCServerOPC Conn ReplyOPC Conn ReplyOPCServerOPC Client Firewall OPC ServerThe OPC firewall intercepts the connection reply from the OPC server andconfirms it is to original client and is properly formed. It also determines thenew TCP port that the server wants to use.Step 3Invalid Client/PortData Req (5555)OPC Conn ReplyOPC Data ReqOPC Conn ReplyOPCServerOPC Client Firewall OPC ServerThe OPC firewall momentarily opens the TCP port it found in the replymessage, but only for communications between that client and server. If aproper TCP session does not occurs within a few seconds, the port is closedagain.Step 4Malformed MsgInvalid Port #Invalid ServerInvalid ClientOPC DataOPC DataOPCServerOPC Client Firewall OPC ServerValid OPC data continues to flow, while malformed messages, messagesusing invalid ports, or messages from invalid clients or server are blockedand logged by the firewall.Figure 1 – How OPC-aware firewalls work5

Network-Focused SecurityTo understand network-focused security, it is important to know thatmost TCP/IP protocols, such as Modbus TCP, include an internationallyrecognized number (called a port number) in each message toidentify the message as being part of a specific upper layer protocol.This consistent protocol identification makes it easy for firewalls toblock specific protocol messages or to allow them to pass. Forexample, to block all Modbus TCP traffic, all a firewall needs to do issearch for and then block any message that contains the numberassigned to Modbus TCP (namely 502) in certain fields.An out-of-the-box OPC server does not use a fixed TCP port number.Instead the server dynamically assigns a new TCP port number toeach process that it uses to communicate with OPC clients. The OPCclients must then discover these associated port numbers by connectingto the OPC server and asking what TCP port number they shoulduse for the session. OPC Clients then make a new TCP connection tothe OPC server using the new port number. OPC servers may use anyport numbered between 1024 and 65535 which makes OPC Classic“firewall unfriendly”.On one hand, configuring a traditional IT firewall to leave such a widerange of ports open is like having a sleeping bank security guard watchthe front door. On the other hand, insisting on locking down theseports effectively ends up blocking OPC communications. Today, the OPCdynamic port allocation issues are no longer an excuse not to installfirewalls in front of OPC servers. New OPC-aware firewalls can nowautomatically track and manage OPC Classic’s dynamic port problem.These firewalls are designed to be dropped into existingnetworks without any changes to existing OPC clients and servers.A good example is the Byres Security’s Tofino Security Appliance withthe Tofino OPC Enforcer - a security appliance and OPC firewall. Suchdevices are designed to be installed in a live control network withno network changes and no plant downtime. They are a simple andcost-effective way to create zones of security in a control system, asrecommended by ANSI/ISA99, NERC CIP and IEC Standards.6

OPC ClientOPC ClientInfected ComputerRejectedInappropriateTrafficRejectedWormTrafficOPCServerPermittedOPC TrafficOPC-AwareFirewallOPCServerOPC ServerConnectingto Field DevicesOPCServerOPC ServerConnectingto PLCsOPC Server Embeddedin ControllersFigure 2 – An OPC-aware firewall safeguarding OPCclients and serversApplication-Focused SecurityReturning to the bank analogy, once visitors get past the front doorand the guard they approach a teller to take care of their transactions.The teller’s job is to both facilitate transactions and to ensure onlythose accounts the visitor has access to are affected. The OPC serversof virtually all OPC vendors simply rely on DCOM to address security(the guard at the door) and do not provide specific access controlsecurity (the tellers).Access control security, or application-focused security, must beaddressed through OPC-specific security measures and throughproperly designed OPC architectures. As connectivity continuesto expand throughout the enterprise, properly implementeddefense-in-depth is crucial. Without it, systems exposed to a growinglist of threats may not work within target parameters, potentiallycausing expensive safety, environmental and production incidents.7

While many OPC installations rely on corporate firewalls and properDCOM configuration for security, assessments show that open firewallsand permissive DCOM access rights remain common vulnerabilities.Even in cases where systems are configured correctly, they still donot offer the granularity of security needed to fully protect thesystem. What is the problem? Corporate firewalls and generalWindows DCOM security are not aware of the OPC context. Only byusing security products that are OPC ‘aware’, that support the OPCSecurity specification, and that properly utilize the information thisprovides is it possible to provide an effective level of protection.OPC Server Security OptionsAny OPC server or product has the option to implement one of threelevels of security: Disabled, DCOM or OPC Security. Each level offersmore security and control over who has access to data within the OPCarchitecture.• Disabled Security – No security is enforced. Launch and Accesspermissions to the OPC server are given to everyone, and Accesspermissions for clients are set for everyone. The OPC server doesnot control access to any vendor specific security functions.• DCOM Security – Only Windows DCOM security is enforced. Launchand Access permissions to the OPC server are limited to selectedclients, as are the Access permissions for client applications. However, the OPC server does not control access to more specificsecurity functions. This is the default security level provided byDCOM.• OPC Security – Supports the OPC Security specification. The OPCserver serves as a reference monitor to control access to specificsecurity functions that are exposed by the OPC server. An OPCserver may implement OPC Security in addition to DCOM Security,or implement OPC Security alone.Role and User-Focused SecurityThe OPC Security specification focuses on client identification by usingtrusted credentials to determine access authorization decisions by theOPC server. It enables OPC products to provide specific security controlson adding, browsing, reading and/or writing individual OPC items.Within the plant environment different job roles require different typesof data access:• Control system engineers might require full read and write accessto all points in the automation system• Operators might be restricted to only those data points associatedwith the status and control of machines within their particularplant unit8

• Management level personnel would most certainly only requireread access to key performance data itemsExample:OPC Security done right!Based on the OPC Foundation’sOPC Security specification, theMatrikonOPC Security Gatewaycontrols what users can browseitems, add them to groups, as wellas perform reads and writes- ona per-user-per-point basis. Suchgranular control over data accesshelps deliver the right data tothe right people and preventsaccidental or un-authorized OPCdata access on any OPC server.Applying the most appropriate security access means applicationsmust be able to understand the context in which particular users areaccessing information.While the OPC Security specification opens the door for OPC serversto make informed access decisions on a per user basis, how thisinformation is used is left up to each OPC vendor. MatrikonOPC isthe one vendor that specifically focuses on ensuring users canfully protect their OPC architectures by providing a robust OPCSecurity implementation that delivers security control down to theper-user-per-tag level – regardless of what vendors’ OPC servers arebeing used.Using the MatrikonOPC SecurityGateway as the top-level OPCserver, data from any of theunderlying, un-secure OPC serverscan only be accessed by users whohad such rights granted to them bythe system administrator. Suchrole-based security provideseffective OPC-centric securitythat directly contributes to asystem’s overall Defense-in-Depthstrategy.File Edit HelpFile Edit HelpOPC ClientSecurity GatewayFile Edit HelpOPC ServerVendor XFile Edit HelpOPC ServerVendor YFile Edit HelpOPC ServerVendor ZFigure 3 – MatrikonOPC Security Gateway Architecture9

Type of Security Bank IndustrialControl System (ICS)Example ICS DefenseSolutionsNetwork-FocusedSecuritySecurity Guards OPC-Aware Firewall Tofino Security Appliance andTofino OPC Enforcer:• Tofino Security Appliancesare installed to create zonesof security for groups of PLCs,DCS, HMIs with similar securityrequirements• Installation is “plug-n-protect”requiring no pre-configuration,no network changes, and noplant downtime• Automatically tracks andmanages OPC Classic’sdynamic ports; and inspects,tracks and secures everyconnection made by an OPCapplicationApplication-FocusedSecurityTellers• Determine accessto accounts, cash,vault and even tothe bank manager• The effectivenessof this security layerdepends on how welltrained and diligentthe Tellers areOPC servers using OPCSecurity• Determine the levelof access allowed tothe OPC clientapplication• The effectivenessof this dependson how fully the OPCsecurity specificationis implemented bythe OPC servervendorMatrikonOPC Security Gateway:• Provides comprehensiveimplementation of the OPCSecurity Specification.• Uses security data providedby the OPC SecuritySpecification for all data accessdecisions – not just for initialconnection acceptance.• Protects all OPC servers –regardless of what OPC vendorthey are from. Allows usersto secure their existing OPCinfrastructures withoutreplacing OPC servers.Role and User-basedSecurity• Different Customershave differentaccess rights to agiven bank account.For example allfamily membersmay check thebalance and makedeposits, but noteveryone can makewithdrawals.• Control engineersmight have read writerights to all pointsin the automationsystem, whilemanagementhas access toperformancereports onlyMatrikon OPC Security Gateway:• Enforces security down to themost granular level: per-userper-tag. This is the mostcomprehensive application ofthe OPC Security Specification.• Controls what users can seeon any given OPC serverand only allows the users toperform those actions they arecleared for.Figure 4: Comparing defense in depth measures for banks and industrial systems10

Security You Can Bank OnThe implications of ignoring OPC security will grow rapidly as thedemand for OPC connectivity continues to increase. History showsthat the root cause behind many publicized security failures has beenthe result of improper use of, or the complete lack of, IT securitysafeguards.Control automation professionals who are security aware use acombination of control system focused network security practices,proper OPC architecture design, and OPC–centric security products.Using the right products, the security of existing systems can begreatly enhanced without the need for replacing equipment orin-depth IT experience. The MatrikonOPC Security Gateway and theTofino OPC Enforcer are off-the-shelf components that can secureOPC-based communications quickly and easily.The reality is that security incidents don’t just happen to ‘otherpeople’. Smart companies will prepare for the unexpected byevaluating their OPC security before a costly security incident occurs.File Edit HelpOPC ClientNetworkTofino Security Appliancewith Tofino OPC EnforcerFile Edit HelpSecurity GatewayFile Edit HelpOPC ServerPLCFigure 5 – Tofino & MatrikonOPC Security GatewaySolution11

Next Step: Try These Solutions YourselfMATRIKONOPC SECURITY GATEWAYMatrikonOPC Security Gateway secures all real-time OPC architectures.Unlike OPC solutions that rely only on DCOM security, Security Gatewaycontrols who can browse, add, read and/or write to a tag on a per-userpertag basis on any OPC DA server. Fully standards-based for maximumcompatibility, the Security Gateway implements the OPC Foundation’s OPCSecurity specification.Download Security GatewayABOUT BYRES SECURITY INC. AND THE TOFINO OPC ENFORCERThe Tofino Industrial Security Solution from Byres Security Inc. providespractical and effective Industrial Control System and SCADA security that issimple to implement and that does not require plant shutdowns.The Tofino OPC Enforcer module provides robust security and stability for anysystem using OPC Classic. Unlike other firewalls, this product inspects, tracksand secures every connection made by an OPC application, opening only theexact TCP port required for a connection between an OPC client and server.For more information, please visit www.tofinosecurity.com.“Tofino” is a registered trademark of Byres Security Inc.ABOUT MATRIKONOPCMatrikonOPC provides equipment data connectivity software based on theOPC standard. The MatrikonOPC promise is to empower customers withreliable data access to all major automation vendors’ systems, providepractical OPC training and deliver superior client care. MatrikonOPC buildsclose relationships with its customers to best address their business andtechnical needs. With offices in North America, Europe, Asia-Pacific andthe Middle East, MatrikonOPC provides local presence on a global scale.MatrikonOPC is a vendor neutral connectivity supplier.Copyright © Matrikon Inc. 2011Toll Free: +1 (877) 628-7456Ph: +1 (780) 945-4099Email: info@MatrikonOPC.comWeb: www.MatrikonOPC.comAmericas Asia-Pacific Europe Middle East Africa