More on OPC Security
Posted on January 23rd, 2007 by Eric Murphy
The S4 SCADA Security Scientific Symposium kicks off tomorrow. It bears mentioning that there will be a couple of papers presented that discuss OPC specifically. Here’s the excerpt from the agenda:
S4 SCADA Security Scientific Symposium 2007
OPC Exposed: Denial of Service Attacks
Ralph Langner, Langner Communications AG
It is well known that OPC does not include effective security controls and relies on DCOM. Well, the problem is much larger than that. In this paper, several DoS attacks that have proven effective against OPC servers are discussed that could be carried out by attackers with no technical background or by malware. In addition, a man-in-the-middle attack is explained that could be used by an aggressive attacker to have a SCADA system assume normal operation while the process is running wild. Last but not least, suggestions for remedies are presented.
OPC Exposed: Protocol Analysis and Security Testing
Lluis Mora, Neutralbit
Although MSRPC services have been widely tested for security vulnerabilities, the tests have centered around the transport layer and not on the application layer that DCOM implements. In this paper, we present a security analysis of the Data Access specification with emphasis on the application layer, identifying theoretical weaknesses that implementers should take into consideration when developing OPC clients and servers. To validate our findings a vulnerability group test has been conducted against several OPC servers.
I think the work being done in this area and the increased focus on security in the SCADA and OPC worlds is a very good thing. However, I would like to add a bit of context here. These are not new, groundbreaking concepts that have been dug out from under a rock somewhere. These vulnerabilities have always existed, and many OPC users are very aware of them. As with many other SCADA protocols and standards, security and access control were left to the operating system or to external security setups. I’m not saying that’s a good thing; that’s just the facts. In these days of wireless access, globalization and increased security concerns, the ‘M&M’ model of a solid shell and a mushy middle is no longer enough. Defense in Depth is the new word of the day. To that end, OPC UA has been designed with security in mind. In addition, there are ways to increase the security of your existing OPC installations, such as: proper use of DCOM settings, incorporating products like OPC Tunneller, and working with security-aware OPC vendors.
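Since “proper use of DCOM settings” is the first mitigation listed above, here is an added example (not from the original post or any OPC vendor) that audits the machine-wide DCOM defaults an OPC Classic server inherits. It assumes an elevated PowerShell session on the server host and only reads the registry; the registry value names and level numbers are the standard Windows ones, and the Packet Integrity/Privacy target is my recommendation, not the post’s.

```powershell
# Added example: report the machine-wide DCOM defaults under HKLM\SOFTWARE\Microsoft\Ole
# and flag settings that leave OPC Classic (DCOM-based) traffic unauthenticated or
# unprotected on the wire. Read-only; it changes nothing. Per-server AppID settings
# (HKCR\AppID\{guid}) can override these defaults and should be checked separately.
function Get-DcomSecurityPosture {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop

    # DCOM authentication levels (RPC_C_AUTHN_LEVEL_*): 1 None ... 6 Packet Privacy.
    $authNames = @{1='None'; 2='Connect'; 3='Call'; 4='Packet'; 5='Packet Integrity'; 6='Packet Privacy'}
    # Impersonation levels (RPC_C_IMP_LEVEL_*): 1 Anonymous ... 4 Delegate.
    $impNames  = @{1='Anonymous'; 2='Identify'; 3='Impersonate'; 4='Delegate'}

    # When a value is absent the OS default applies: Connect (2) and Identify (2).
    $auth = if ($null -ne $ole.LegacyAuthenticationLevel) { [int]$ole.LegacyAuthenticationLevel } else { 2 }
    $imp  = if ($null -ne $ole.LegacyImpersonationLevel)  { [int]$ole.LegacyImpersonationLevel }  else { 2 }

    $findings = @()
    if ($ole.EnableDCOM -ne 'Y') {
        $findings += 'DCOM is disabled machine-wide; remote OPC Classic clients cannot connect at all.'
    }
    if ($auth -lt 5) {
        $findings += "Default authentication level is '$($authNames[$auth])' ($auth): OPC calls cross the network " +
                     'without integrity protection. Packet Integrity (5) or Packet Privacy (6) is the defensive target.'
    }
    if ($imp -gt 3) {
        $findings += "Default impersonation level is '$($impNames[$imp])' ($imp): servers may forward client credentials onward."
    }

    [pscustomobject]@{
        EnableDCOM          = $ole.EnableDCOM
        AuthenticationLevel = "$auth ($($authNames[$auth]))"
        ImpersonationLevel  = "$imp ($($impNames[$imp]))"
        Findings            = $findings
    }
}

Get-DcomSecurityPosture | Format-List
```

An empty Findings list means the machine defaults are at least as strict as the targets above; it says nothing about the per-server AppID overrides or the DefaultAccessPermission/DefaultLaunchPermission ACLs, which are binary security descriptors and need dcomcnfg or a descriptor parser to review.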
What I hope many OPC users get from these papers (and what I believe the symposium hosts are trying to convey) is not that OPC is a scary communications choice, but rather that, when developing and implementing OPC architectures, security should be a key consideration.
This is a completely unrelated side note, but it just jumped out at me from the agenda:
Who should attend: Researchers, engineers and thought leaders in SCADA security.
Who should not attend: Those looking for best practices, standards overviews and case studies. Marketing, sales and managers.
Thought leaders should attend, but managers should not. So, if you’re a Manager, but not a Thought Leader, does this mean most Managers neither Think nor Lead? Maybe security is not the top of the list of things to worry about.
January 26th, 2007 at 1:58 pm
Eric - I’m busted by the transitive property if I remember my high school algebra. Nice catch. A few more words were probably warranted.
A few managers did attend, and they were great participants.