Effective OPC Security for Control Systems - SCADAhacker

More documents

Recommendations

Info

Network-Focused SecurityTo understand network-focused security, it is important to know thatmost TCP/IP protocols, such as Modbus TCP, include an internationallyrecognized number (called a port number) in each message toidentify the message as being part of a specific upper layer protocol.This consistent protocol identification makes it easy for firewalls toblock specific protocol messages or to allow them to pass. Forexample, to block all Modbus TCP traffic, all a firewall needs to do issearch for and then block any message that contains the numberassigned to Modbus TCP (namely 502) in certain fields.An out-of-the-box OPC server does not use a fixed TCP port number.Instead the server dynamically assigns a new TCP port number toeach process that it uses to communicate with OPC clients. The OPCclients must then discover these associated port numbers by connectingto the OPC server and asking what TCP port number they shoulduse for the session. OPC Clients then make a new TCP connection tothe OPC server using the new port number. OPC servers may use anyport numbered between 1024 and 65535 which makes OPC Classic“firewall unfriendly”.On one hand, configuring a traditional IT firewall to leave such a widerange of ports open is like having a sleeping bank security guard watchthe front door. On the other hand, insisting on locking down theseports effectively ends up blocking OPC communications. Today, the OPCdynamic port allocation issues are no longer an excuse not to installfirewalls in front of OPC servers. New OPC-aware firewalls can nowautomatically track and manage OPC Classic’s dynamic port problem.These firewalls are designed to be dropped into existingnetworks without any changes to existing OPC clients and servers.A good example is the Byres Security’s Tofino Security Appliance withthe Tofino OPC Enforcer - a security appliance and OPC firewall. Suchdevices are designed to be installed in a live control network withno network changes and no plant downtime. They are a simple andcost-effective way to create zones of security in a control system, asrecommended by ANSI/ISA99, NERC CIP and IEC Standards.6
OPC ClientOPC ClientInfected ComputerRejectedInappropriateTrafficRejectedWormTrafficOPCServerPermittedOPC TrafficOPC-AwareFirewallOPCServerOPC ServerConnectingto Field DevicesOPCServerOPC ServerConnectingto PLCsOPC Server Embeddedin ControllersFigure 2 – An OPC-aware firewall safeguarding OPCclients and serversApplication-Focused SecurityReturning to the bank analogy, once visitors get past the front doorand the guard they approach a teller to take care of their transactions.The teller’s job is to both facilitate transactions and to ensure onlythose accounts the visitor has access to are affected. The OPC serversof virtually all OPC vendors simply rely on DCOM to address security(the guard at the door) and do not provide specific access controlsecurity (the tellers).Access control security, or application-focused security, must beaddressed through OPC-specific security measures and throughproperly designed OPC architectures. As connectivity continuesto expand throughout the enterprise, properly implementeddefense-in-depth is crucial. Without it, systems exposed to a growinglist of threats may not work within target parameters, potentiallycausing expensive safety, environmental and production incidents.7
Page 2 and 3: Systems are ChangingExample:Recent
Page 4 and 5: ‘behave’ within expected norms.
Page 8 and 9: While many OPC installations rely o
Page 10 and 11: Type of Security Bank IndustrialCon
Page 12: Next Step: Try These Solutions Your

Effective OPC Security for Control Systems - SCADAhacker

Create successful ePaper yourself

Delete template?

Save as template?