Security technology for OPC-based industrial automation

Deep packet inspecting firewall helps secure any system using OPC industrial integration protocol.

September 22, 2010

Byres Security has released its new Tofino OPC Enforcer firewall, part of the Tofino industrial security solution. This new module locks down any industrial network using classic OPC, which has been hard to secure up to now. Using deep packet inspection firewall technology, Byres says the Tofino OPC Enforcer provides superior security over what can be achieved with conventional firewall solutions. The result is improved network reliability, availability, and security for any process control or SCADA system using OPC.

OPC is widely used in control systems as an interoperability solution, interfacing control applications from multiple vendors. Unfortunately, as numerous studies show, the technologies underlying it were designed before network security issues were widely understood.  As a result, OPC Classic has been almost impossible to secure until now.

Thomas J. Burke, president of the OPC Foundation, notes, “The Tofino OPC Enforcer is an important innovation and a great solution for all the systems that currently use OPC Classic – approximately 90% of all industrial networks”.

While the OPC Foundation is working hard to get its new and more secure OPC-UA technology into the market place, it will be years, if not decades, before all legacy OPC DA, HAD, and A&E installations are replaced. In the meantime, the Tofino product addresses the security gap by providing a plug-n-protect solution that can be deployed in minutes without changes to existing OPC systems.

The company says the platform provides two important benefits to control systems users:

• Robust security and stability for any system using OPC DA , HAD, or A&E, thus preventing industrial network attacks and accidents. This product inspects, tracks, and secures every connection made by an OPC application, opening only the exact TCP port required for a connection between an OPC client and server.

• Simple implementation without any control system changes. The Tofino hardware is simply installed into the live network and configured using a drag-and-drop editor to select permitted clients and servers. Once installed, network security is assured, with all OPC traffic managed behind the scenes.

Byres contends that the recent Stuxnet worm attacks against Siemens HMIs and PLC systems has highlighted the need for better security on the plant floor. At the same time, many incidents result from internal network problems. “Past industrial shutdowns, for example, haven’t been caused by hackers. Instead they were the result of badly configured software causing traffic storms that impacted critical controllers and other systems,” said Eric Byres, security expert and chief technical officer at Byres Security. “The Tofino OPC Enforcer LSM does much more than block hackers and viruses from accessing automation systems. Its dynamic port management techniques prevent many basic network problems from spreading throughout a plant or SCADA system.”

The Tofino OPC Enforcer is available now from Byres Security and from MTL Instruments and Belden / Hirschmann. It requires the Tofino security appliance, central management platform, and Tofino Firewall LSM.

Byres offers a free downloadable white paper “Securing Your OPC Classic Control System”, co-authored by Eric Byres and Thomas J. Burke.

Robust security for systems using OPC | Tofino Industrial Security Solution

Edited by Peter Welander, pwelander@cfemedia.com

Visit the Control Engineering Process Control channel.

Visit the Control Engineering Information Control channel.