MatrikonOPC OPC Exchange

Archive for the 'Security' Category

On Siemens, SCADA and Security

Tuesday, July 20th, 2010

Anyone following the usual Industrial Automation blogs and news will have heard about the cybersecurity threats against the Siemens WinCC and PCS7 platforms. Among others, Control Global has an article, and Gary Mintchell has been following it closely on his blog. While this doesn’t specifically apply to OPC, it definitely affects the overall industrial automation space. From the reports coming in, it appears to be an ‘industrial espionage’ attack targeting Siemens, but it makes use of a Windows vulnerability that is present on systems from XP to Windows 7. This particular variation uses a default password to access the WinCC database. Since all major control system vendors have systems that run on Microsoft platforms, it would not be surprising to see different variations of this crop up. The good news is that workarounds are available and patches will be forthcoming.

This should serve as a warning and reminder that users MUST consider security as an essential part of their control system planning. This includes OPC data communications. There are many options available to ensure your OPC products work well within your overall security architecture: OPC Security 1.0 Specification aware products, OPC Security Gateways, OPC Tunneller, etc.

Check out the OPC Security information section or read a whitepaper for more details on creating secure OPC architectures.

Blogging, Business and OPC

Monday, April 26th, 2010

Boy, has it really been that long since I put up a post? You get busy with the day-to-day grind, and say to yourself, ‘I’ll get one up by Tuesday’, and then realize it is Thursday already. I’m sure we all have something we know we should be making more time for during our work week: filing those overdue reports, re-certifying those work safety requirements, taking that on-line OPC training course you’ve been meaning to do. If it is important, then it’s important to find the time to get it done.


I took some time to catch up on some marketing reading, including this posting on ‘What’s working in marketing’. It’s a great podcast featuring Gary Mintchell and Walt Boyes. If you listen to the section on blogging, you’ll of course hear Gary’s admonishment at my recent remissness in blogging. He quoted me quite correctly as saying ‘There’s blogging and there’s business’, but it’s high time I get back to the ‘business of blogging’.


Walt and Gary talk about the power of blogs to get breaking news and information out. There have been a lot of things happening in OPC these days that are blog-worthy, including the next OPC Foundation Roadshow.


MatrikonOPC will be at the next OPC Technical Seminar, on April 29, 2010 at the Fremont Marriott Silicon Valley, in Fremont, CA. There is still time to register, if you haven’t already, and you’re going to be in the area. Feel free to drop by the MatrikonOPC booth, and learn more about OPC and how it can help your business. For those on the other side of the globe, you can check out the Matrikon User Conference in Koln, Germany. The OPC track includes talks on OPC UA StreamInsight, secure data architectures and much more.


I encourage everyone to take the opportunity to attend these events.  If you can’t find the time to make the trip, you might still want to read more on how OPC can be configured to limit access so that users can only see the tags they really need to: ‘OPC Access on a Need to Know Basis’

The New Threat to Oil Supplies

Wednesday, September 9th, 2009

Hackers.  That’s the headline for this recent article on possible vulnerabilities in the data communications to off-shore oil platforms.  It cites the fairly recent case of an IT contractor who was charged with sabotaging offshore oil rig computer systems. “Prosecutors say the contractor hacked into a shore-to-rig communications network that, among other functions, detected oil leaks.”  There are many, many offshore data communication systems out there that use OPC as a key part of their architecture.

Folks might be tempted to call articles like this sensationalism or fear mongering, but industrial professionals know the truth is all too real.  Too many systems still rely on security-by-obscurity or their firewall as their sole line of defense.

“Although the newest oil rigs, which cost upward of $1 billion apiece, might be loaded with cutting-edge robotics technology, the software that controls a rig’s basic functions is anything but. Most rely on the decades-old supervisory control and data acquisition (SCADA) software, written in an era when the ‘open source’ tag was more important than security, said Jeff Vail, a former counterterrorism and intelligence analyst with the U.S. Interior Department. ‘It’s underappreciated how vulnerable some of these systems are,’ he said. ‘It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail.’”

Although the safety of these systems is paramount, another important factor to consider is the economic impact and lost production costs if these communication systems are compromised. There are many things that can be done to make these systems more secure. The article ‘Securing Integrated SCADA Systems against cyber attacks’ mentions some of them: network design, firewalls, intrusion detection, and encrypted networks. So what can be done for OPC communications in particular? First is a good OPC network design. The whitepaper ‘Creating Secure OPC Architectures’ walks through some secure configuration options. Of course, using OPC security aware products such as OPC Tunneller and the OPC Security Gateway brings huge security benefits to the communication layer.

Are your OPC communications secure? If you’re not sure, maybe a network assessment is in order. I’m sure there is a trusted OPC vendor you can call to arrange one :)

Free OPC Alarms and Events Tool

Friday, August 28th, 2009

The ever popular free OPC tool, the MatrikonOPC Explorer, now has support for the OPC Alarms and Events specification. Being able to test connections to OPC A&E servers from the familiar OPC Explorer tool has been something that people have been wanting for some time now, and it’s finally here. You can download the MatrikonOPC A&E Explorer here.


There is support for all the expected OPC A&E client functionality:  Simple, Conditional and Tracking filtering, Severity and Category filtering as well as update throttling.  This is all in addition to all the other features that OPC Explorer already offers such as interface checking, support for OPC Security, launching server configurations, and all the other good stuff.


Now all those people out there using the MatrikonOPC Alarms and Events Server for Real Time Data can monitor the generated OPC A&E Events, and the underlying OPC DA Server, with the same tool :)

OPC in SmartGrid Security and Building Automation

Friday, June 12th, 2009

Just got back from the OPC Expo at Connectivity Week in Santa Clara.  It was a good opportunity to have some good conversations on a wide range of topics.  Some great presentations on how OPC, in particular OPC UA, fits into the SmartGrid story and plays in the building automation space.  One of the hot topics around connecting the grid is of course security, and the presentation by Tyler Williams of Wurldtech on their Achilles Industrial Cyber Security Certification Program generated some good discussions.  This is the Achilles certification program that our MatrikonOPC products are following.  As SmartGrid rolls out, the focus on communications security will become increasingly important.

I spent a lot of time talking with folks on the exhibit floor. MatrikonOPC shared a booth with Cimetrics, whom we partnered with for the development of our OPC Server for BACnet. What I did find surprising at the conference is how many folks in the building automation space are still unaware of OPC and all that it offers. Many of the larger vendors certainly know of OPC, and anyone whose business models span across industry verticals is on board, but the message needs better penetration at the ‘grass roots’ level. I suspect this lack is mainly due to the image of OPC as a ‘Microsoft’ technology. As OPC UA continues to gain adoption, the cross-platform and web service aspects of the architecture will begin to resound more in this area.


In the meantime, those in the building automation space that ARE aware of OPC have a leg up in connecting their applications to the enterprise, using solutions like those outlined in ‘Extending Building Automation Data Visibility Using OPC’. OPC awareness in this space is growing rapidly, and with more OPC UA products coming out every day and increased focus on energy optimization, expect the pace to get even quicker.


If you are one of those folks standing still, you might want to think about getting a move on to OPC :)

OPC Coffee Break – OPC in Downstream Oil Industry

Wednesday, May 20th, 2009

Here is the next installment of ‘Coffee Break OPC’. OPC is used for system connectivity in many aspects of the Oil and Gas Industry. Let’s take a look at how OPC can help in the downstream oil business.

02. Coffee Break OPC – Downstream Oil and Gas by MatrikonOPC

Hope you learned something new with your brew. Anyone who wants to follow up on the topics presented in a bit more detail might be interested in:

Look before You Leap: Implementing Successful OPC Projects

Creating Secure OPC Architectures

Get Closer To History With OPC: OPC Technology Helps Maximize Return on Process Historian Assets

It’s All About Security

Tuesday, April 21st, 2009

Lots of things happening on the OPC front this last little while, and they all relate to security in some way.

  • First off, Digital Bond has released the Bandolier security audit files for the MatrikonOPC Security Gateway and Tunneller servers. These products can add some important security features to an OPC installation, including granular tag permissions and better DCOM handling. The Bandolier files verify that these applications themselves and the underlying OS are in an optimal security configuration. Like all the other releases, there is one file for the OS-level checks and one for the application checks.
  • Jason Holcomb of Digital Bond presented on Bandolier at the recent OPC North American User Group in Houston. This was one of several OPC security themed talks that were presented at the user group. The message many attendees voiced was “Security is very important to us”. This message has been coming across for quite some time now, which is why OPC products like Security Gateway and Tunneller exist to meet the need for security technology that connects the process world to the business world. For those who missed the user group, there will be an opportunity to view the presentations on-line. I’ll be blogging on when that’s available.
  • And of course any discussion on OPC and security has to talk about DCOM.  In case anyone missed it, there is now a free DCOM Analyzer tool available. You can download MatrikonOPC Analyzer for free from this link.

It’s good to see that, in spite of the economic pressures everyone is facing these days, security is still a priority. This article shows that Homeland Security is doing both, saving money on security :)

OPC UA on display at OPC User Group

Wednesday, March 25th, 2009

One of the presentations at the MatrikonOPC User Group on April 16, 2009 in Houston will be a multi-vendor demonstration of OPC UA-based products. In addition to showing new OPC UA functionality, the demonstration will also showcase how legacy-based products fit right into the OPC UA-based technology, through the OPC generic wrapper and/or services offered by the MatrikonOPC products.


If you haven’t registered for the OPC User Group yet, there is still time.  It’s shaping up to be an impressive lineup, with speaker topics such as “Collective Intelligence Down to the Machine Level” and “Extending the Value of Your OPC-HDA Data from the Production Line to the Bottom Line”.  There will also be presentations on Security topics from Jason Holcomb of Digital Bond and Rick Kaun, Matrikon’s Director of Network Security Solutions.  Michael Toecker of Burns & McDonnell Engineering will be talking about Compliance & Infrastructure Protection, and Tom Burke will be chatting about OPC UA.  All in all, a full day of OPC fun!


If you’re looking to fill in some background information on OPC UA, Security or Compliance topics before the conference, here are some titles that might be of interest:


OPC Security Better Safe than Sorry

OPC UA Security: Do You Have Reservations?

Complacent with Compliance?

OPC UA – How Deep Does Interface Standardization Go?

Protected: More SCADA Security News

Friday, February 6th, 2009

This post is password protected.

Security Gateway and OPC UA

Monday, February 2nd, 2009

Some news on the MatrikonOPC security and OPC UA fronts. The latest version of the MatrikonOPC Security Gateway now supports the OPC UA specifications. This means that users can now control who can browse, add, read and/or write on a per-user, per-tag basis between classic OPC and OPC UA clients to any OPC DA server from any vendor. Users get the functionality of secure, certificate-based OPC UA security in addition to per-item level access and OPC security to the underlying classic OPC server. Plus, the Gateway also has built-in support for OPC Tunneller connections, which adds an additional layer of security and encryption.


Security in the automation world and OPC connectivity is gaining more notice on many fronts.  Why just today I got a comment on a previous OPC Security blog posting from someone connected to a BlackHat user forum, looking for more information on OPC Security and the OPC Security Gateway.  If people are looking at how secure a system is that probably means someone else is looking to get in…


Here are a few links for anyone wanting more details on OPC Security and the Security Gateway:


OPC Security Gateway Manual

Hardening OPC Server Permissions

OPC Security 1.0 Specification

Security Gateway Configuration

Creating Secure OPC Architectures

Hardening Guidelines for OPC Hosts