MatrikonOPC OPC Exchange


OPC Security Whitepaper (Part Deux)

Posted on May 24th, 2007 by Eric Murphy

The second part of the OPC Security Whitepaper, written by Byres Security, Digital Bond and BCIT, has been available for download for the last couple of days. Since this part talks about vulnerabilities in host systems and architecture, common configuration issues, and possible risk scenarios, OPC Exposed is the most provocative of the three parts. I’m actually a bit surprised there hasn’t been any “Run-For-Your-Life-Chicken-Little-The-Sky-Is-Falling” type press on this. Not that there should be, but the paper goes into more detail than OPC Security Whitepaper Part I, and even that generated some ‘ruffled feathers’.

The report goes into detail on the various situations, but the main thing that sticks out is that a lot of the so-called OPC vulnerabilities are really the result of poor end-user configuration of their computers, not problems with OPC. That in itself is a problem, but one that can be remedied by good communication and knowledge sharing. The main conclusions are highlighted in the paper’s abstract, namely:

  • Attacking OPC deployments does not require special skills or esoteric process controls knowledge.
  • The two core vulnerabilities, namely excessively open firewalls and overly permissive DCOM access rights, lay at the heart of many scenarios. If either vulnerability is addressed then the chance of these scenarios occurring is significantly reduced.
  • The security of most OPC systems would be greatly enhanced if vendors improved the quality of configuration guidance to include recommended security settings and provided easy to use hardening scripts to automatically enable more reasonable security setting after installation.

Again, this is well written and presents a nicely balanced message on securing OPC systems. The paper sticks to the facts, without any drama or finger pointing. Actually, the only time it mentions any vendors is to point out examples of those with good practices that make securing OPC easier. (Hint: one of the company names rhymes with ‘My Truck Run’.)

These reports reinforce two key concepts: any control system or SCADA application, including OPC, needs to take security into account. And if the system end user does not have this knowledge or experience, or the time to obtain it, then they need to be talking with an experienced, committed vendor who does.

As I’ve said before, I think these whitepapers will go a long way to providing users with guidelines for improving the overall security of their networks and OPC architectures. Anything that improves the overall adoption, usability and security of an open standard like OPC is a good thing.
