OPC Security: More than the Sum of the Parts (plus White Paper)

When you hear the words “defense-in-depth”, do you immediately think of layers of firewalls?

If so, you are not alone – most of us immediately think of security concepts in traditional physical security terms.  For example, we imagine “more defense” as being more moats and castle walls around the crown jewels.  But that is not the only way (or even the best way) to create secure ICS or SCADA systems.

Today we are releasing a White Paper with MatrikonOPC that shows how security layers can work in other ways.  The paper illustrates how security threats come in different flavors and how defensive layers can be optimized to deal with a specific range of threats:

“Defending against a standard computer worm needs different techniques compared to defending against a disgruntled employee. Thus a key to enhancing each defense in depth layer is ensuring that each layer of security considers the context of the information or system it is protecting.”

Optimize Each Defense Layer for Specific Types of Threats

This is an important concept – simply layering the same technology repeatedly is not cost-effective security. Once the attacker or worm gets through the first defense, throwing up exactly the same defense at the next layer is a waste of money – the bad guys already know how to defeat that technology. The trick is to vary the defenses so that they protect not only at different physical locations, but also at different network layers.

(Warning:  MatrikonOPC and Tofino Security product promotion coming)

MatrikonOPC has good application layer security technologies; their OPC Security Gateway product manages OPC account accesses in a very fine-grained manner. After a user successfully connects to an OPC server, the Security Gateway configuration ensures that they only get access to the specific sets of data they are supposed to see. Attempts to access others’ data are blocked and logged.

Bullet-Proof OPC Security

What MatrikonOPC did was combine and test this application layer technology with the Tofino OPC Enforcer network layer technology. Thus the Tofino technology protects the MatrikonOPC Gateway from 99.99% of all attacks – Denial of Service, unapproved clients, malformed DCOM connections and so on. Only once the OPC traffic has been scrubbed clean does the MatrikonOPC solution need to step in and provide the final polish to the company security policy. The result is a very bullet-proof OPC security solution.

Given that OPC is the world’s most widely used industrial integration standard, it is important to understand how it can be used securely.  The White Paper released today shows that:

By layering defenses that are OPC-aware, high security solutions can be created that meet both the security and access expectations of a company, all without administrative overload on the network or controls team. The result is a standards-based solution that has been proven across numerous different control systems.

Download the White Paper

I encourage you to download this White Paper, even if you are not interested in OPC Security.  MatrikonOPC’s illustration of using diverse security technologies for different layers of defense is a great case study.

Note: you need to be a member of tofinosecurity.com and logged in to have access to the paper. Register here to become a member.

PDF "Effective OPC Security for Control Systems" (1.4 MB)
