MatrikonOPC OPC Exchange


Unasked Security Questions from Walt

Posted on May 15th, 2007 by Eric Murphy

There was a lot of OPC talk in the automation blogs this week: reminders to get registered for the upcoming OPC UA DevCon 2007, the OPC security article continuing to circulate, and several mentions of OPC from Walt Boyes (and friends) in the Matrikon Summit 2007 postings.

One post in particular that caught my attention was his recap of Sean Leonard’s presentation on OPC.  The topic of the presentation was the “Business Case for OPC”, and as always Sean had a lot of great things to say.  He sums it all up with the following key points:

“The future of OPC is going to be much bigger and go much farther than we can imagine,”

  • The driving forces for the future
  • The enterprise requires more data, more timely.
  • A single vendor will not rule the world. You will have systems from different vendors working together.
  • System communications failures will occur
  • Process information will remain critical
  • There will be a focus on security.

“This is a harsh competitive environment. Business leadership is challenging. Agility requires timely data. Which requires interoperability, which requires standards, and OPC is the only choice.”

At the end of his post, Walt added a couple of questions he didn’t get to ask at the talk: There are significant and well known security issues with OPC. Perhaps it is fair to say there are serious exploitable security holes in current OPC implementations. How are they going to be resolved?  

The security issues reported in the news lately are not vulnerabilities in the OPC specifications, but rather in product implementations. How they will be resolved really rests with those who perform the implementations: the end users and vendors. The buck has to stop with them. I'd view it in the same light as safety. Whose fault is it when a guy gets tossed through his front windshield because he didn't do up his seat belt? Manufacturers add bells and whistles to remind you to fasten the belts. Governing bodies introduce laws to enforce compliance. Safety groups campaign on the benefits of using them. Ultimately it is about promoting awareness and communicating what needs to be done to the guy sitting behind the wheel.

You could argue that the really serious ‘exploitable security hole’ is that users are turning off their OPC security! This will only be resolved by vendors and users working together to communicate the right architectures. Bells and whistles can be added to make security easier to use; for example, OPC UA has security as an integral part of the design. Governing bodies are introducing, and will continue to introduce, laws that will affect software security in the automation industry. But it still needs to be the vendors that change things and communicate how to configure systems.

The spotlight continues to shine on security, and things are happening: the OPC Security Whitepapers are a good step in the right direction (Part II is due out soon), there is increasing security focus from OPC vendors, and the OPC UA specification includes security. The changing world has prompted end users to begin demanding security, and committed vendors will listen.
