With the recent airline scares, security is once on everyone’s mind.  Incidents such as the Heathrow plot renew focus on the possible vulnerabilities of critical infrastructure, such as those in the power, oil and gas, manufacturing and other industries.    One key area of concern deals with SCADA infrastructures and communication protocols, including OPC.

So the million dollar question is “How secure are our SCADA infrastructures and OPC installations?”.   The answer you get depends on who you ask.   Most company spokespeople will assure you their critical systems are secure, besides ‘control systems aren’t connected to the Internet, and are running, rare proprietary protocols’.    If you ask folks in the IT security world, the answer is more like “Danger, Will Robinson! Danger!”.   Since OPC is used extensively in the control industry, and allows open access to a myriad of proprietary protocols, it becomes a natural focus for security concerns.  

So is this all just fear mongering and scare tactics by the cyber-security industry?   Personally, I’ve been in many plants, in many industries, in many countries, and can believe a lot of what they say to be true.   On the other hand, I’ve also seen many sites that are doing things right.   With a proper security assessment, architecture and some thought to the right configuration settings, anyone can have a reasonably hardened OPC communications system.   However too many installations are content with a firewall, and default configuration settings.

Here’s my two cents.  I don’t think there is any reason for immediate panic.  Just because it’s possible, doesn’t make it probable.   Still, it’s better safe than sorry.   A few changes in policy, architecture and product choice would go along way to shoring up the defenses.

Let’s Exchange.  I’d like to hear some opinions or experiences.  I’m doing a presentation on this topic at the OPCUG, and it’s nice to have some new, interesting anecdotes.