8/3/2019 Iam Opc Security Wp3
http://slidepdf.com/reader/full/iam-opc-security-wp3 1/54
Intrinsically Secure
PO Box 178
#5 – 7217 Lantzville Rd
Lantzville, BC
Canada V0R 2H0
Office 250.390.1333
Fax 250.390.3899
www.byressecurity.com
Digital Bond
Suite 130
1580 Sawgrass Corp Pkwy
Sunrise, FL 33323
Office 954.315.4633
www.digitalbond.com
OPC Security Whitepaper #3
Hardening Guidelines for OPC Hosts
PREPARED BY:
Digital Bond
British Columbia Institute of Technology
Byres Research
November 13, 2007
OPC Security WP 3 (Version 1-3c).doc
Revision History
Revision | Date | Authors | Details
0.7 | May 15, 2006 | E. Byres, M. Franz | Draft internal review version
1.0 | May 31, 2006 | E. Byres, J. Carter, M. Franz | Draft for controlled public review
1.1 | August 31, 2006 | E. Byres, M. Franz | 2nd Draft for controlled public review
1.2 | February 9, 2007 | E. Byres, D. Peterson | 3rd Draft for controlled public review
1.3 | June 28, 2007 | E. Byres, D. Peterson | 4th Draft for controlled public review
1.3a | August 31, 2007 | E. Byres, D. Peterson | 5th Draft for final DHS review. Includes comments from the DHS Recommended Practices Group
1.3b | September 9, 2007 | E. Byres, D. Peterson | Correction of minor grammatical errors and added figures to Section 3.6
1.3c | November 13, 2007 | E. Byres, D. Peterson | Correction of minor editorial errors
Acknowledgements
The Group for Advanced Information Technology (GAIT) at the British Columbia Institute of Technology (BCIT), Digital Bond, and Byres Research would like to thank all the vendors and end users that generously supported our efforts through numerous interviews and by providing us with documents that could only be described as extremely sensitive. Unfortunately we cannot name you for obvious security reasons, but we appreciate your time, trust and encouragement.
Several people stood out in their contributions and advice for this document that we would like to acknowledge. First are Bill Cotter of MSMUG and Chip Lee of ISA - we thank you for all your help in making the user surveys possible. We would also like to thank Ralph Langner for providing the four example scenarios for this report and lots of useful information on OPC vulnerabilities. Finally we would like to thank Evan Hand for his vision and support. Without him, this project never would have been possible.
Disclaimer
Deployment or application of any of the opinions, suggestions or configuration included in this report are the sole responsibility of the reader and are offered without warranty of any kind by the authors.
Since OPC deployments can vary widely, it is essential that any of the recommendations in this report be tested on a non-critical test system before being deployed in a live control system.
Downloaded from www.IAMechatronics.com
Table of Contents
Executive Summary ...... 1
1 Introduction ...... 4
1.1 The Issues ...... 4
1.2 Organization of OPC White Paper Series ...... 6
1.3 Study Methodology ...... 6
1.4 Limitations of this Study ...... 7
2 Hardening Strategy for OPC Hosts ...... 9
3 General Windows Hardening Recommendations ...... 11
3.1 Patch Management for OPC Hosts ...... 11
3.2 Minimum Required Services ...... 12
3.3 Limiting User Privileges ...... 13
3.4 Limiting Network Access ...... 14
3.4.1 Creating the Filter Lists ...... 14
3.4.2 Creating the Block Action ...... 16
3.4.3 Creating the Security Policy ...... 16
3.4.4 Assigning the Security Policy ...... 17
3.5 Protecting the Registry ...... 17
3.6 Some Special Considerations for XP Systems ...... 19
4 OPC/DCOM/RPC Hardening Recommendations ...... 21
4.1 OPC Hardening Recommendations ...... 21
4.2 DCOM Hardening Recommendations ...... 22
4.2.1 Controlling the Authentication Level ...... 24
4.2.2 Controlling the Location ...... 25
4.2.3 Managing DCOM Permissions ...... 25
4.2.4 Limiting RPC Ports and Protocols ...... 27
4.2.5 Setting the OPC Application’s Account ...... 29
4.3 RPC Hardening Recommendations ...... 29
4.3.1 Restricting Transport Protocols to TCP ...... 29
4.3.2 Restricting TCP Port Ranges ...... 30
4.4 More Special Considerations for XP Systems ...... 32
5 OPC Host Hardening Verification ...... 34
5.1 Windows Service and Open Port Determination ...... 34
5.2 Windows Event Log Analysis ...... 35
5.3 Vulnerability Scanning ...... 36
5.3.1 Microsoft Security Baseline Analyzer 2.0 ...... 36
5.3.2 Nessus Vulnerability Scanner ...... 37
5.3.3 Audit Files for Nessus Vulnerability Scanner ...... 39
6 A Summary of OPC Host Hardening Practises ...... 40
6.1 An Action Plan for Hardening OPC Hosts ...... 40
6.2 Summary of High Risk Vulnerabilities and Mitigating Good Practices ...... 41
6.3 Some Final Thoughts ...... 43
7 Areas for More Research in OPC Security ...... 44
7.1 Firewall and Network Related Solutions for OPC Security ...... 44
7.2 OPC Tunnelling Solutions for Security Robustness ...... 44
7.3 Network Intrusion Detection/Intrusion Prevention Signatures ...... 44
7.4 Enhancements to Network Vulnerability Scanners ...... 44
7.5 Research Implementation Vulnerabilities in OPC Components ...... 44
7.6 Use of Domain Isolation in Control Environments ...... 45
Glossary ...... 46
Executive Summary
In recent years, Supervisory Control and Data Acquisition (SCADA), process control and industrial manufacturing systems have increasingly relied on commercial Information Technologies (IT) such as Ethernet™, Transmission Control Protocol/Internet Protocol (TCP/IP) and Windows® for both critical and non-critical communications. This has made the interfacing of industrial control equipment much easier, but has resulted in significantly less isolation from the outside world, increasing the risk of cyber-based attacks impacting industrial production and human safety.
Nowhere is this benefit/risk combination more pronounced than in the wide-spread adoption of OLE for Process Control (OPC). OPC is increasingly being used to interconnect Human Machine Interface (HMI) workstations, data historians and other hosts on the control network with enterprise databases, Enterprise Resource Planning (ERP) systems and other business oriented software. Unfortunately, securely deploying OPC applications has proven to be a challenge for most engineers and technicians. While OPC is an open protocol with specifications freely available, engineers must wade through a large amount of very detailed information to answer even the most basic OPC security questions.
To address this need for security guidance on OPC deployment, a joint research team with staff from BCIT, Byres Research and Digital Bond was commissioned by Kraft Foods Inc. to investigate current practices for OPC security. The results of this study were then used to create three white papers that:
1. Provide an overview of OPC technology and how it is actually deployed in industry
2. Outline the risks and vulnerabilities incurred in deploying OPC in a control environment
3. Summarize current good practices for securing OPC applications running on Windows-based hosts.
The white paper you are now reading is the last of the three, and outlines how a server or workstation running OPC can be secured in a simple and effective manner. Typically this “hardening” must be conducted in several stages. First the operating system (typically Windows) needs to be “locked down” in such a manner that will make it less susceptible to common O/S-based attacks. This involves five steps which are:
1. Ensuring up-to-date patching of the operating system and applications on the OPC host;
2. Limiting services to the required minimum for OPC;
3. Defining user accounts and privileges;
4. Limiting network access via the Windows Firewall;
5. Protecting the Windows Registry.
Next, the specific OPC components must be hardened using the OPC and DCOM configuration tools found in Windows. Unfortunately, completing this stage successfully is more complex; our testing indicated that there are a number of OPC applications that do not properly follow the DCOM specifications for Windows software. As a result, several of the steps suggested below may cause a malfunction of these OPC applications. Thus we suggest the OPC user consider the seven steps listed below as a menu to choose from rather than a list of unalterable requirements:
1. Controlling the authentication levels for various OPC actions;
2. Controlling the location of various OPC actions;
3. Managing the DCOM Permissions;
4. Limiting protocols used by DCOM/RPC and setting a Static TCP port;
5. Setting appropriate OPC server accounts;
6. Restricting Transport Protocols for RPC;
7. Restricting TCP Port Ranges for RPC.
Of these seven, perhaps the most unusual is step 4, as it gives the end-user the opportunity to address one of the more vexing problems in OPC security, namely the problem of dynamic port allocation. Unfortunately it was also the solution most likely to cause issues with OPC software, since it was apparent that not all vendors of OPC products respect the static setting of port numbers. Thus we also provided step 7 as an alternative method for port restriction, in case step 4 does not work correctly on your OPC software.
Next, the system needs to be tested to ensure these changes still allow all OPC applications to function correctly. Since we found a number of cases where OPC vendors were not respecting DCOM security settings and requirements, this testing is critical before any security settings are deployed on live production systems.
Lastly, verification of the fortifying effort is required to ensure no serious security holes have been left open. This includes the following steps:
1. Windows Service and Open Port Determination
2. Windows Event Log Analysis
3. Vulnerability Scanning
These stages are expanded upon in a detailed Action Plan for Hardening OPC Hosts within this report. Specific examples are also provided for each task. In all, we believe by following these guidelines, the typical controls technician will be able to create a more secure and robust OPC deployment on their plant floor and OPC can continue to grow as a valuable solution in industrial data communications.
1 Introduction
This report is the third of three white papers outlining the findings from a study on OPC security conducted by Byres Research, Digital Bond and the British Columbia Institute of Technology (BCIT). The objective of this study was to create a series of simple, authoritative white papers that summarized current good practices for securing OPC client and server applications running on Windows-based hosts. The full study is divided into three Good Practice Guides for Securing OPC as follows:
• OPC Security White Paper #1 – Understanding OPC and How it is Used: An introduction to what OPC is, its basic components and how it is actually deployed in the real world.
• OPC Security White Paper #2 – OPC Exposed: What are the risks and vulnerabilities incurred in deploying OPC in a control environment?
• OPC Security White Paper #3 – Hardening Guidelines for OPC Hosts: How can a server or workstation running OPC be secured in a simple and effective manner?
All three white papers are intended to be read and understood by IT administrators and control systems technicians who have no formal background in either Windows programming or security analysis.
1.1 The Issues
In recent years, Supervisory Control and Data Acquisition (SCADA), process control and industrial manufacturing systems have increasingly relied on commercial information technologies (IT) such as Ethernet™, TCP/IP and Windows® for both critical and non-critical communications. The use of these common protocols and operating systems has made the interfacing of industrial control equipment much easier, but there is now significantly less isolation from the outside world. Unless the controls engineer takes specific steps to secure the control system, network security problems from the Enterprise Network (EN) and the world at large will be passed onto the SCADA and Process Control Network (PCN), putting industrial production and human safety at risk.
The wide-spread adoption of OLE for Process Control (OPC) standards for interfacing systems on both the plant floor and the business network is a classic example of both the benefits and risks of adopting IT technologies in the control world. OPC is an industrial standard based on the Microsoft Distributed Component Object Model (DCOM) interface of the RPC (Remote Procedure Call) service. Due to its vendor-neutral position in the industrial controls market, OPC is being increasingly used to interconnect Human Machine Interface (HMI) workstations, data historians and other servers on the control network with enterprise databases, ERP systems and other business-oriented software. Furthermore, since most vendors support OPC, it is often thought of as one of the few universal protocols in the industrial controls world, adding to its widespread appeal.
Many readers will be aware that the OPC Foundation is developing a new version of OPC (called OPC Unified Architecture or OPC-UA) that is based on protocols other than DCOM [1]. This is in conjunction with Microsoft's goal of retiring DCOM in favour of the more secure .NET and service-oriented architectures. Once most OPC applications make this migration from the DCOM-based architecture to a .NET-based architecture, industry will have the opportunity for much better security when it comes to OPC, but also a new set of risks.
Unfortunately, based on our experience in the industry, it may be a number of years before many companies actually convert their systems. So, since DCOM-based OPC is what is on the plant floor today and will continue to see use for years to come, we focused our investigation on how to secure this type of OPC.
Our initial research showed two main areas of security concern for OPC deployments. The first (and most often quoted in the popular press) is that the underlying protocols DCOM and RPC can be very vulnerable to attack. In fact, viruses and worms from the IT world may be increasingly focusing on the underlying RPC/DCOM protocols used by OPC, as noted in this attack trends discussion:
“Over the past few months, the two attack vectors that we saw in volume were against the Windows DCOM (Distributed Component Object Model) interface of the RPC (remote procedure call) service and against the Windows LSASS (Local Security Authority Subsystem Service). These seem to be the current favorites for virus and worm writers, and we expect this trend to continue.” [2]
At the same time, news of the vulnerabilities in OPC is starting to reach the mainstream press, as seen in the March 2007 eWeek article entitled “Hole Found in Protocol Handling Vital National Infrastructure” [3]. Thus, the use of OPC connectivity in control systems and servers leads to the possibility of DCOM-based protocol attacks disrupting control system operations.
[1] See Whitepaper #1, Section 5.7: OPC Unified Architecture for more information on OPC-UA.
[2] Bruce Schneier, “Attack Trends”, QUEUE Magazine, Association of Computing Machinery, June 2005
[3] Lisa Vaas, “Hole Found in Protocol Handling Vital National Infrastructure”, eWeek, http://www.eweek.com/article2/0,1759,2107265,00.asp, March 23, 2007
Despite these concerns, it is our belief that the most serious issue for OPC is that configuring OPC applications securely has proven to be a major challenge for most engineers and technicians. Even though OPC is an open protocol with the specifications freely available, users must wade through a large amount of very detailed information to answer even basic security questions. There is little direct guidance on securing OPC, and our research indicates that much of what is available may actually be ineffective or misguided.
All things considered, there is little doubt that some clear advice would be very useful for the control engineer on how best to secure currently deployed, COM/DCOM-based OPC systems. This series of white papers aims to help fill that gap for the end-user.
1.2 Organization of OPC White Paper Series
As noted earlier, this is the third of three white papers outlining the findings and recommendations from a study on OPC security. In White Paper #1 we reviewed the OPC specifications, focusing on details that are relevant from a security point of view and might be useful to users wishing to understand the risks of OPC deployments. We then described the real-world operation of OPC applications, identifying components that need to be understood to harden hosts running OPC client and server applications.
In White Paper #2 we defined a set of vulnerabilities and possible threats to OPC hosts, based on OPC’s current architecture (i.e. the use of DCOM). We also looked at common misconfiguration vulnerabilities found in OPC server or client computers, both at the operating system and OPC application level. Finally, since the typical OPC host configuration is strongly influenced by the guidance provided by the software vendor, we looked at the quality of configuration utilities and guidance provided to end-users by the OPC vendor community.
In White Paper #3, we use this information to give the OPC end-user a series of practical recommendations they can draw upon to secure their OPC host machines.
1.3 Study Methodology
Developing the findings and recommendations for all three of the white papers required the following four-phase approach to the study:
1. Data Gathering
• Conducting user surveys and collecting information on OPC deployments in order to get a representative sample of how actual OPC deployments were configured in the field by our target audience.
• Reviewing OPC Foundation and vendor configuration guidelines.
• Conducting a literature search for OPC-related papers and guidelines.
2. Ascertaining potential threats and vulnerabilities in OPC systems
• Identifying what operating system configuration issues exist in typical OPC deployments.
• Identifying what OPC, RPC and DCOM issues exist in typical OPC deployments.
3. Creating recommendations for mitigating potential threats and vulnerabilities
• Determining what could be done to secure the underlying operating system without impacting the OPC functionality.
• Determining what could be done to secure RPC/DCOM components in an OPC host.
• Determining OPC-specific client and server security configurations.
4. Testing the security recommendations
• Lab testing all recommendations in a typical OPC environment and modifying our recommendations accordingly.
1.4 Limitations of this Study
It is important to understand that this report is not intended to be a formal security analysis of OPC or DCOM, but instead is a set of observations and practices that will help end-users secure their OPC systems. As well, this report is focused only on securing the host computers that are running OPC. Securing the network OPC operates over is an interesting and important area of research, but is beyond the scope of this report. A follow-on study is planned to investigate these network security aspects and consider solutions for OPC/DCOM in the network infrastructure, including firewall rule-sets and analysis of third party OPC tunnelling solutions.
It is also important to understand that this document details nearly every security measure that could be used to harden OPC installations. In order to determine which of the mentioned countermeasures and strategies are feasible and advisable for a specific OPC deployment, a risk assessment should be conducted first. In addition, the industrial environment should be checked to ensure all design elements will function flawlessly with the proposed security countermeasures. Some suggested countermeasures will not work with -- or are not advisable for -- every OPC installation.
Finally, we cannot guarantee that following our recommendations will result in a completely secure configuration. Nor can we guarantee these recommendations will work in all situations; some modifications may be required for individual OPC client and server applications or Microsoft Windows network deployments. However, we are confident that using these guidelines will result in more secure systems as compared to the typical default application and operating system settings we have seen in our investigations.
2 Hardening Strategy for OPC Hosts
Building on the material from the previous white papers, this report attempts to detail all security measures and good practises that could be used to harden OPC hosts [4]. We suggest the OPC user consider the mitigations listed in this report as a menu to choose from rather than a list of unalterable requirements.
Typically this “hardening” should be conducted in four stages. First, the Windows platform itself needs to be “locked down” to make it less susceptible to common Windows-based attacks, yet still allow OPC applications to function. Then the specific OPC components need to be hardened using the OPC configuration tools found in the Windows operating system. Next the system needs to be tested to ensure these changes still allow all OPC applications to function correctly. We found a number of cases where OPC vendors do not respect DCOM security settings and requirements, so the test stage is critical before any security settings are deployed on live production systems. Lastly, verification of the fortifying effort is required to confirm no serious security holes have been left open.
For the most part these configuration guidelines will apply to both client and server hosts. The callback mechanism used by OPC essentially turns the OPC client into a DCOM server and the OPC server into a DCOM client. In our examples we focus on OPC servers, but to take full advantage of these recommendations they should be followed on all nodes that contain either OPC servers or OPC clients. Several sections discuss clients specifically.
It is also important to note that the examples shown below are primarily based on hosts running Windows XP/SP2 or Windows Server 2003/SP1 (or later). Earlier versions of Windows can still take advantage of many (but not all) of these suggestions, but will be considerably more difficult to configure. Thus if at all possible, a first step should be to upgrade any OPC host platforms to these newer operating system versions.
Finally, these examples were performed and lab tested in a workgroup setting; as a result, slight modifications may be required in domain-based environments. In real-life industrial settings domains may be beneficial as they provide the ability to apply these recommendations uniformly across a group of hosts via group policy. In workgroup environments all recommendations will have to be deployed individually on the host machines, increasing the administrative effort and the chance for error. In addition, we are aware of some possible domain specific security features that can be added, but these were beyond the scope of this report and are not discussed in this document.
[4] Please note that this report only focuses on OPC host security and does not attempt to detail good practices for securing the network components (such as firewalls) for OPC traffic. We hope to offer this information in a fourth white paper in 2008. In the mean time, interested readers should consider the Microsoft Technical Article “Using Distributed COM with Firewalls” by Michael Nelson at http://msdn2.microsoft.com/en-us/library/ms809327.aspx
3 General Windows Hardening Recommendations
Since OPC is deployed on the Windows operating system in over 95% of the cases, this section discusses the general hardening of OPC hosts using standard Windows-based tools and techniques. Five security mechanisms are discussed:
1. Ensuring that operating system and application patches are at a current version level;
2. Configuring the minimum services running on the host for a typical OPC deployment;
3. Limiting user privileges through account management;
4. Limiting network access via the Windows IP Security Policies;
5. Protecting the Windows registry.
While none of these mechanisms are particularly revolutionary, the real trick is to secure the host in such a manner that makes it less susceptible to common Windows-based attacks, yet will still allow all OPC applications to function. This is often more difficult than it should be for two reasons. First, some requirements for OPC operation are at odds with good Windows security practices. Second, a number of OPC vendors appear to ignore a number of Windows DCOM specifications and requirements. That said, based on our lab testing of the configurations listed in this section, we believe all will allow the correct operation of most OPC systems. Since OPC deployments can vary widely, it is essential that any of these settings be tested on a non-critical test system before being deployed in a live control system.
All techniques discussed in this section are based on standard administrative tools available in the current “professional” versions of Windows [5]. Thus the specific examples illustrated below are intended for the Windows 2000/SP4, Windows Server 2003/SP1 and Windows XP/SP2 operating systems. These were chosen since the survey results noted in White Paper #1 indicate these are the versions of Windows most likely to be used in OPC deployments.
[5] The Windows Vista operating system was not tested as it was unavailable at the time the lab testing was performed.
3.1 Patch Management for OPC Hosts
As we noted in the introduction to this report, and expanded on in White Paper #2, poor patching of OPC hosts is a significant contributing factor for OPC security issues. A number of the well-known worms (such as MSBlaster) released in the past few years have specifically targeted the underlying RPC and DCOM services for OPC. This has made users and vendors keenly aware of the need to patch operating systems and applications in industrial control systems. Unfortunately, the difficulty with patch management is that one cannot automatically deploy new patches into the process control environment without risking disruption of operations. Thus careful policy and practice is required that balances the need for system reliability with the need for system security.
Based on our survey, it appears many users and vendors have developed effective patching procedures for PCs used in their control systems. For those readers who do not currently have a good patch management process in place, we suggest contacting your control system vendor or referencing the GAO report “Information Security: Agencies Face Challenges in Implementing Effective Software Patch Management Processes” [6], and the Edison Electric Institute’s “Patch management Strategies for the Electric Sector” [7]. Both provide excellent guidance for patch management in critical systems.
3.2 Minimum Required Services
In o rder to make Windows hosts more sec ure, it is c ritica l that a ll unnecessary
services be disabled. Based on lab testing, the following are the minimum set
of Windows 20008, Wind ows Server 2003 and Wind ow s XP9 services that are
typ ica lly req uired on sta nd-alone OPC c lients and servers. The name in
brackets follow ing the service na me is the rec om me nded Sta rtup Type :
• COM + Event System (Autom atic)
• COM + System App lica tion (Automa tic) (Req uired by XP)
• DNS Client (Automatic)
• Event Log (Autom atic )
• IPSEC Services (Automatic )
• Net Log on (Ma nual)
• NTLM Sec urity Support Provider (Autom atic )
• Plug a nd Play (Automatic)
6 “ Informa tion Sec urity: Ag enc ies Fac e Cha lleng es in Imp leme nting Effec tive Softw a re Pa tc h
Ma nage me nt Proc esses” , GAO Rep ort GAO -04-816T, US Ge nera l Acc ounting O ffic e, June
02, 20047 “ Pat ch mana gem ent Strateg ies for the Elec tric Sec to r” , White Paper, Ed ison Elec tric
Institute –IT Sec urity Working Group , Ma rch 20048 http://labmice.techtarget.com/articles/win2000services.htm9 http :// www .sysinternals.co m/ b log / 2005/ 07/ running-w indo ws-with-no-services.html
• Protected Storage (Automatic)
• Remote Procedure Call (RPC) (Automatic)
• Security Accounts Manager (Automatic)
• Security Center (Automatic) (Required by XP)
• Server (Automatic)
As well, some OPC applications require additional services to be enabled to
remain functional. For example, if the OPC application does not use the
OPCEnum component (and thus needs to remotely browse the registry[10]) the
following services are also required:
• Computer Browser (Automatic)
• Remote Registry (Automatic)
While not strictly a service, File and Printer Sharing should be disabled. This is done via the Network Connections panel.
Again, since OPC deployments can widely vary, it is essential that the effects
of disabling any service be tested on a non-critical offline system before
being deployed in a live control system.
[10] Remotely browsing the registry is no longer a recommended practice by the OPC
Foundation. However some older applications may still require remote browsing to function
correctly.
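The following PowerShell script is an added example, not part of the whitepaper, that audits a host against the minimum service list of Section 3.2 and reports anything that deviates from it. It assumes Windows PowerShell with access to the Win32_Service WMI class and an administrative session. The short service names (EventSystem, COMSysApp, Dnscache and so on) are our mapping of the display names in the list and are not taken from the text; services that exist on the host but are not on the minimum list are reported as candidates for disabling rather than changed.

```powershell
# Added example (not from the whitepaper): audit Windows services against the
# minimum set recommended for stand-alone OPC hosts in Section 3.2.
# Assumes Windows PowerShell with the Win32_Service WMI class available.
# Short service names below are our assumed mapping of the display names.

$RequiredServices = @{
    'EventSystem'      = 'Auto'     # COM+ Event System
    'COMSysApp'        = 'Auto'     # COM+ System Application (required by XP)
    'Dnscache'         = 'Auto'     # DNS Client
    'Eventlog'         = 'Auto'     # Event Log
    'PolicyAgent'      = 'Auto'     # IPSEC Services
    'Netlogon'         = 'Manual'   # Net Logon
    'NtLmSsp'          = 'Auto'     # NTLM Security Support Provider
    'PlugPlay'         = 'Auto'     # Plug and Play
    'ProtectedStorage' = 'Auto'     # Protected Storage
    'RpcSs'            = 'Auto'     # Remote Procedure Call (RPC)
    'SamSs'            = 'Auto'     # Security Accounts Manager
    'wscsvc'           = 'Auto'     # Security Center (required by XP)
    'lanmanserver'     = 'Auto'     # Server
}

# Only needed when the OPC application browses the registry remotely instead
# of using OPCEnum (see the text above).
$BrowseServices = @{ 'Browser' = 'Auto'; 'RemoteRegistry' = 'Auto' }

function Get-OpcServiceAudit {
    param([bool]$UsesOpcEnum = $true)

    # Build the wanted set; add the browsing services only if OPCEnum is not used.
    $wanted = $RequiredServices.Clone()
    if (-not $UsesOpcEnum) {
        foreach ($k in $BrowseServices.Keys) { $wanted[$k] = $BrowseServices[$k] }
    }

    $findings = @()
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $name = $svc.Name
        if ($wanted.ContainsKey($name)) {
            # Win32_Service.StartMode is 'Auto', 'Manual' or 'Disabled'.
            if ($svc.StartMode -ne $wanted[$name]) {
                $findings += "$name should be $($wanted[$name]) but is $($svc.StartMode)"
            }
        } elseif ($svc.StartMode -ne 'Disabled') {
            # Not on the minimum list: a candidate for disabling, to be tested
            # on an offline system first as the text advises.
            $findings += "$name ($($svc.DisplayName)) is $($svc.StartMode); not on the minimum list"
        }
    }
    return $findings
}

# Usage: set -UsesOpcEnum $false for hosts whose OPC software browses the registry.
Get-OpcServiceAudit -UsesOpcEnum $true | ForEach-Object { Write-Output $_ }
```

Services absent from the host (for example Security Center on Windows 2000) are simply not reported, so the same script can be run on all three operating system versions covered by the text.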
3.3 Limiting User Privileges
In most control environments, the day-to-day operation of OPC-based
applications does not require a highly privileged account. On the other
hand, the configuration of OPC applications often does. Unfortunately, in many systems we see the highly privileged account settings being the norm,
exposing the system to numerous security issues.
To address this, we recommend OPC administrators create two accounts,
one for day-to-day operations and one for configuration.[11]
[11] http://www.opcconnect.com/dcomcnfg.php
Configure these accounts as follows:
• Create an account (e.g. opcuser) and set it to be a low privilege
account - This will be used for the normal execution of OPC client
and server applications. When the opcuser account is created it
should be added as a member of the Users group.
• Create an account (e.g. opcadmin) and set it to be a high
privilege account – This account will only be used for infrequent
configuration changes and for the initial installation of the OPC
software. When the opcadmin user is created it should be added as
a member of the Administrators group. It is often simplest to rename
the existing administrator account to opcadmin.[12]
Finally the Guest account should be disabled and robust passwords (a mix of letters, numbers and special characters and not found in a dictionary) should
be used for all accounts.
[12] NOTE: For simplicity in this report we refer to user accounts rather than account groups.
However a better alternative is creating an opcadmin group rather than just adding an
opcadmin user. Then within the opcadmin group an account can be made for everyone
who should have administrative privileges to the OPC server. This will provide change
management accountability for the OPC host. The same applies to creating an opcuser group
rather than a single opcuser account that multiple users access. For more information on
account groups in domain environments see:
http://www.microsoft.com/technet/security/guidance/networksecurity/sec_ad_admin_groups.mspx
3.4 Limiting Network Access
In most control environments there is little reason to allow every device on
the control network to communicate to OPC hosts. Typically there are only a
small number of machines communicating using OPC. Because of this, it
makes good security sense that network access should only be allowed
between these few trusted machines. Windows 2000, Server 2003 and XP
contain host-based firewall capabilities that can use IP filters and a security policy to restrict network traffic to OPC hosts.
Our recommendation is to add a simple host-based firewall rule allowing
traffic only to or from the IP addresses of other trusted OPC hosts. While this
might seem to be simple, we discovered that in practice, setting up such a
rule can be very cumbersome using the firewall configuration wizards
available in Windows 2000, Server 2003 and XP. Thus these firewall wizards are
not used and the following four-step process is recommended instead.
It is worth noting there are other technologies for controlling access between
hosts that can be even more robust. For example, Microsoft’s Domain
Isolation model[13] is far more secure. However due to its complexity, detailed directions for configuring it are beyond the scope of this report - it may be
covered in subsequent reports.
[13] http://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx
3.4.1 Creating the Filter Lists
Two filter lists are required to properly secure a host. The first list matches all
traffic coming to and from trusted machines. The second list matches all
other traffic. In the examples below there is only one trusted machine, but this
could easily be expanded.
First, launch the Control Panel/Administrative Tools/Local Security Policy
application. Next, while making sure the “IP Security Policies on Local
Computer” icon is selected, select “Manage IP filter lists and filter actions”
under the Actions menu.
Now select the Manage IP Filter Lists tab and add the filter lists. Figure 3-1
shows what to expect while the filter list for traffic between trusted machines
is being created. The filter list that matches all other traffic is the same except
no destination IP address is specified.
Figure 3-1: Creating the Filter Lists
Two configuration settings are rather subtle; “Mirrored” should be selected and Protocol should be ANY. Mirrored refers to matching traffic between
trusted machines in both directions. ANY refers to allowing any protocol
running on top of IP for trusted machines. It is possible the protocol could be
narrowed down to only TCP, but care is needed to ensure that this doesn’t
impact other critical services you may require.
3.4.2 Creating the Block Action
Once the lists are created, actions for these lists are needed. In this case two
actions are required. The first is Permit, and it exists by default. The other is
Block and it needs to be created. If a filter list has an action of Block, then all
traffic that matches the filter list gets dropped.
Using the Local Security Settings Tool, under the Actions menu item, select
“Manage IP filter lists and filter actions”. Now select the Manage Filter Actions
tab to create the Block action. Figure 3-2 illustrates the action being created.
Figure 3-2: Creating the Block Action
3.4.3 Creating the Security Policy
After the Filter Lists and Block Action have been created, it is time to glue
them into a security policy and apply them to all of the network interfaces.
Select IP Security Policies on Local Computer and then under the Actions menu item of
the Local Security Settings Tool, select “Create IP Security Policy”. Give the
policy a meaningful name (such as OPC Hosts Policy), deactivate the default
response rule and add filter lists and actions. Set action to Permit for traffic
between trusted machines and Block otherwise.
Unfortunately this step is not quite as easy as it could be because these
policies have Internet Protocol Security (IPsec) features that need to be
addressed. To use our lists and actions to simply filter IP traffic, do not select
the default dynamic filter list, ignore the Authentication field, set Tunnel
Setting to None and Connection Type to All. Figure 3-3 shows what to expect
while the policy is being created.
Figure 3-3: Creating the Security Policy
3.4.4 Assigning the Security Policy
The last step is to assign the policy. Simply right click on the policy and select
Assign. Figure 3-4 shows what to expect while the policy is being assigned.
Once these four steps are complete, a rule that only allows traffic to or from
the IP address of trusted OPC hosts should be in place.
Again, since OPC deployments can widely vary, it is essential that the effect
of these rules be tested on a non-critical offline system before being
deployed in a live control system.
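The four-step procedure of Section 3.4 can also be scripted, which makes it repeatable across several OPC hosts and easy to review. The script below is an added example, not the whitepaper's own material; it drives the same IPsec policy store through the netsh ipsec static context (present on Windows XP and Server 2003) instead of the Local Security Policy GUI. It assumes an administrative session, a placeholder trusted host address (192.0.2.10), and policy, list and action names of our choosing; the names contain no spaces so they pass through netsh unchanged, and the Permit and Block actions are given their own names in case a default Permit action already exists. The regular expression in the verification function assumes the "Assigned : YES" line in the output of netsh ipsec static show policy.

```powershell
# Added example (not from the whitepaper): the four-step IPsec filtering policy
# of Section 3.4 built with 'netsh ipsec static' instead of the GUI.
# Assumes Windows XP/Server 2003 and an administrative session. Addresses and
# names are placeholders.

$TrustedHosts = @('192.0.2.10')          # placeholder: the other trusted OPC hosts
$PolicyName   = 'OPCHostsPolicy'

function New-OpcIpsecFilterPolicy {
    param([string[]]$Trusted, [string]$Policy)

    # Step 1: two filter lists. 'mirrored=yes' matches both directions and
    # 'protocol=ANY' covers every protocol over IP, as Section 3.4.1 recommends.
    netsh ipsec static add filterlist name=OPCTrusted description=TrustedOPCHosts
    foreach ($ip in $Trusted) {
        netsh ipsec static add filter filterlist=OPCTrusted srcaddr=Me dstaddr=$ip protocol=ANY mirrored=yes
    }
    netsh ipsec static add filterlist name=OPCAllOther description=AllOtherTraffic
    netsh ipsec static add filter filterlist=OPCAllOther srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

    # Step 2: the Permit and Block filter actions (Section 3.4.2).
    netsh ipsec static add filteraction name=OPCPermit action=permit
    netsh ipsec static add filteraction name=OPCBlock action=block

    # Step 3: the policy with the default response rule deactivated, and one
    # rule per list (Section 3.4.3). Tunnel setting and connection type keep
    # their defaults of none and all.
    netsh ipsec static add policy name=$Policy activatedefaultrule=no assign=no
    netsh ipsec static add rule name=PermitTrusted policy=$Policy filterlist=OPCTrusted filteraction=OPCPermit
    netsh ipsec static add rule name=BlockOthers policy=$Policy filterlist=OPCAllOther filteraction=OPCBlock

    # Step 4: assign the policy (Section 3.4.4). Only one policy is assigned at a time.
    netsh ipsec static set policy name=$Policy assign=y
}

function Test-OpcIpsecFilterPolicy {
    param([string]$Policy)
    # Returns $true when netsh reports the policy as assigned
    # (assumes an 'Assigned : YES' line in the show output).
    $out = netsh ipsec static show policy name=$Policy
    return (($out -join "`n") -match 'Assigned\s*:\s*YES')
}

New-OpcIpsecFilterPolicy -Trusted $TrustedHosts -Policy $PolicyName
Test-OpcIpsecFilterPolicy -Policy $PolicyName
```

The more specific filter (a single trusted address) takes precedence over the catch-all filter, which is what lets the Permit rule win for trusted hosts while everything else is dropped. As the text stresses, run this on an offline test host first: once assigned, the policy cuts off every address that is not in the trusted list, including the administrator's own workstation if it was forgotten.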
3.5 Protecting the Registry
The registry is the central repository for configuration data in Windows. In
order to protect the registry as much as possible, regular users should not be
given “Administrator” rights, and “Remote Registry Editing” should be
disabled from the “Services” panel of “Administrative Tools” on “Control
Panel”. Note that restricting the ability to change values in the registry is not
the same as restricting read access. Read access is needed only for systems
that do not use OPCEnum for server browsing. If you have newer versions of
OPC applications, there should be little need for registry browsing.
Figure 3-4: Assigning the Security Policy
When changing these settings there are several important tips that should be
considered:
• Never change SYSTEM permissions from Full Control in the Registry.
Any changes to this permission will cause your system to fail upon
reboot.
• Consider removing permissions for the Power Users group if that group is not in use and replace all permissions for Users and
Everyone group with Authenticated Users.
Figure 3-5: Remote Registry Service
3.6 Some Special Considerations for XP Systems
After all this setup, you may find that remote access using the opcuser and
opcadmin accounts does not work on your XP-based server. The reason is that for all
out-of-the-box installations of XP in workgroup architectures, the system
authenticates all remote users as "guest" regardless of the account name. The trick is to tell XP to use the "classic" authentication as shown in the
screenshot below.
To access this setting launch the Control Panel/Administrative Tools/Local
Security Policy application. Next, select Local Policies/Security Options and
scroll down until you see the item Network Access: Sharing and security model
for local accounts. Right click and you can access the Properties option.
If you configure this policy setting to Classic, network logons that use local
account credentials authenticate with those credentials. This Classic model
provides precise control over access to resources, and allows you to grant
different types of access to different users for the same resource, which is
exactly what is needed for OPC. Conversely, the Guest-only model treats all
users equally as the Guest user account, and all receive the same level of
access to a given resource, which can be either Read Only or Modify. This
clearly doesn’t work for the OPC security model we are proposing.
Figure 3-6: Setting the XP Remote Access to “Classic”
Note that this policy setting does not affect network logons that use domain
accounts. The default for Windows XP computers that are joined to a domain
and Windows Server 2003 computers is Classic. This setting also has no effect
on Windows 2000 or Server 2003 computers.
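The registry protection of Section 3.5 and the XP sharing-model fix of Section 3.6 are both small settings that are easy to apply and then verify from a script. The PowerShell below is an added example and not part of the whitepaper: it disables the Remote Registry service, lists who holds local Administrator rights so that ordinary users can be removed, and switches the "Sharing and security model for local accounts" policy to Classic. The policy is stored in the ForceGuest value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (0 = Classic, 1 = Guest only); that storage location is our assumption and is not named in the text. It assumes an administrative Windows PowerShell session.

```powershell
# Added example (not from the whitepaper): apply and verify the settings of
# Sections 3.5 and 3.6. Assumes an administrative Windows PowerShell session.
# The Lsa\ForceGuest value (0 = Classic, 1 = Guest only) is our assumption
# for where the "Sharing and security model" policy is stored.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Disable-RemoteRegistryService {
    # Section 3.5: stop Remote Registry if it is running and keep it from starting.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'RemoteRegistry service not present' }
    if ($svc.Status -eq 'Running') { Stop-Service -Name RemoteRegistry -Force }
    Set-Service -Name RemoteRegistry -StartupType Disabled
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'").StartMode
    return "RemoteRegistry startup type: $mode"
}

function Get-LocalAdministrators {
    # Section 3.5: regular users must not hold Administrator rights. Parses the
    # member lines out of 'net localgroup Administrators' (header, separator
    # and status lines are filtered away).
    $lines = net localgroup Administrators
    return $lines | Where-Object {
        $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)'
    }
}

function Set-ClassicSharingModel {
    # Section 3.6: value 0 selects the Classic model so remote logons with local
    # accounts keep their own identity instead of being mapped to Guest.
    Set-ItemProperty -Path $LsaKey -Name forceguest -Value 0 -Type DWord
}

function Get-SharingModel {
    $v = (Get-ItemProperty -Path $LsaKey -Name forceguest -ErrorAction SilentlyContinue).forceguest
    switch ($v) {
        0       { return 'Classic' }
        1       { return 'GuestOnly' }
        default { return 'NotSet' }   # value absent: the OS default applies
    }
}

Disable-RemoteRegistryService
Write-Output 'Local Administrators group members:'
Get-LocalAdministrators
Set-ClassicSharingModel
Get-SharingModel   # 'Classic' once the change has been applied
```

Get-SharingModel is worth running before the change as well: a workgroup XP host that reports GuestOnly explains exactly the "opcuser cannot connect" symptom the text describes, while on a domain-joined XP or Server 2003 host the value makes no difference, as noted above.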
4 OPC/DCOM/RPC Hardening Recommendations
Once the underlying Windows system is secure, it is time to address the
security of the OPC applications. This involves carefully setting up user
accounts, putting in restrictions for DCOM objects and restricting RPC
behavior. The configuration required is discussed below in three parts; OPC Hardening, DCOM Hardening and RPC Hardening.
It is important to note that this section is focused on guidance for the
Windows Server 2003/SP1 and Windows XP/SP2 operating systems. Microsoft
added a number of significant DCOM security enhancements to these
versions[14] and the recommendations in this section are designed to take
advantage of these improvements. Users of older operating system versions
can still follow many of the guidelines below, but upgrading to the newer
versions is highly recommended.
[14] http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx
Since OPC deployments can vary widely, it is essential that any of these recommendations be tested on a non-critical test system before being
deployed in a live control system.
The recommendations in this section require considerable care and off-line
testing before they are deployed in critical systems. Our tests showed there
are a number of OPC applications that do not properly follow the DCOM
specifications for Windows software. For example, using the DCOM controls
to set a static TCP port for an OPC application (as noted in Section 4.2.4)
caused issues with the OPC software from a number of vendors. In response,
we provided Section 4.3.2 Restricting TCP Port Ranges for RPC, as an alternative
method for port restriction. Thus the OPC user should consider the suggestions listed in this section as a menu of security options to choose from, rather than
a list of unalterable requirements.
4.1 OPC Hardening Recommendations
By utilizing separate opcuser and opcadmin accounts or groups as
suggested in Section 3.3, we can limit the security exposure by restricting
what actions the OPC server and authenticated users can perform. We
recommend the opcadmin account be used only when installing the OPC
server or client software and making configuration changes, since this
account can both launch and access OPC servers. Even then, the opcadmin account should be limited to a specific list of OPC servers or
clients.
For the actual running of the server the opcuser account (or opcuser group
account) should be used. As defined below, opcuser cannot launch an OPC
server, but can access a running server.
Finally we suggest only running the OPCEnum service[15] when it is necessary to
browse the OPC servers. When OPCEnum is run, limit its access to the
opcuser and opcadmin accounts. Left in its wide open state, OPCEnum can
present a considerable security risk and typically other users do not need to
access it.
[15] http://www.sentech.co.nz/ScenicHelp/dcomsecurity.htm
4.2 DCOM Hardening Recommendations
There are two main goals for successful DCOM hardening. First, we need to
only give as much permission as is required for users per DCOM object. For
example, if a computer is running three OPC servers, but only one needs to
be accessed remotely, only allow remote access to that one server.[16]
Similarly, if all OPC servers and clients are on a single host, then disable
remote access and allow only local access.
Second, we need to use the different level user accounts created earlier for
Launch and Access permissions. Again we suggest opcadmin be the only
user account used to launch or configure OPC servers and should have the
servers it can configure restricted. The opcuser account can be used by users
who need only to connect and access running OPC servers.[17]
[16] http://www.opcactivex.com/Support/DCOM_Config/dcom_config.html
[17] http://itcofe.web.cern.ch/itcofe/Services/OPC/GettingStarted/DCOM/RelatedDocuments/ITCODCOMSettings.pdf
To achieve these two goals we use the DCOM Configuration Tool that is
found under Control Panel/Administrative Tools/Component Services[18] shown
in Figure 4-1. It can also be accessed by starting dcomcnfg.exe from the
Run… option in the Start Menu.
[18] http://www.gefanucautomation.com/opchub/opcdcom.asp
Figure 4-1: Component Services (DCOM) Configuration Tool
Once there, open up “Component Services”. Within it, ignore COM+
Applications for now, and proceed to “Computers”. Click on Computers to get the screen shown in Figure 4-2.
Figure 4-2: DCOM Configuration Screen
Open “My Computer”, open the “DCOM Config”, and see what DCOM
objects can be configured. Figure 4-3 shows the DSxP Opc Server Simulator
which is the server used for this example. On the plant floor you are likely to
see the OPC servers you are using, but you may have to dig around for them.
Figure 4-3: The Configuration Properties for an OPC Server
4.2.1 Controlling the Authentication Level
The first change to make is the Authentication Level of the OPC server as
shown in Figure 4-4. These Authentication levels are defined as follows:
• Default - May vary depending upon operating system. Usually it is
effectively “None” or “Connect”.
• None - No authentication.
• Connect - Authentication occurs when a connection is made to the
server. Connectionless protocols, like UDP, do not use this.
• Call - The authentication occurs when an RPC call is accepted by the
server. Connectionless protocols, like UDP, do not use this.
• Packet - Authenticates the data on a per-packet basis. All data is
authenticated.
• Packet Integrity - This authenticates the data that has come from the client, and checks that the data has not been modified.
• Packet Privacy - In addition to the checks made by the other
authentication methods, this authentication level causes the data to
be encrypted.
Figure 4-4: General Configuration Tab for an OPC Server
Select the OPC server and in the General Tab, change the authentication level to
“Packet Integrity”. The “Packet Privacy” option can be used if data
confidentiality is required since it encrypts all traffic and is the most secure
option. However it is important to test this offline first as the encryption may
impact performance.
4.2.2 Controlling the Location
The “Location” tab lets you configure where the DCOM server can run. Here
only the local computer is specified which is the typical situation in most
environments. Figure 4-5 illustrates this.
Figure 4-5: Location Configuration Tab for an OPC Server
4.2.3 Managing DCOM Permissions
From here we move to the “Security” tab which allows you to configure the
permissions for the different accounts. COM server applications have three
types of permissions, namely Launch permissions, Access permissions and
Configuration permissions. Configuration permissions control configuration changes to a DCOM server, while Launch permissions control the
authorization to start a DCOM server if the server is not already running.
Finally Access permissions control authorization to call a running COM server,
and are the least dangerous. These permissions can be further divided into
Local and Remote permissions.
Figure 4-6: Security Configuration Tab for an OPC Server
These permissions control what user accounts can execute which action on
an OPC server. For all three options choose Customize, then Edit and adjust
the accounts as follows:
• Launch Permissions - Remove all existing entries and add the
opcadmin account created earlier. If a particular OPC server is meant only to be used locally, then remote access to that server
can also be disabled.
• Access Permissions - Remove all existing entries and add the
opcadmin and opcuser accounts. Again, if a particular OPC server
is meant only to be used locally, then remote access to that server
can also be disabled.
• Configuration Permissions - Remove all existing entries other than
the Everyone account. Modify Everyone to be read-only, and add
opcadmin with full control.
These settings are shown in Figure 4-7. As noted above, if the server or client is
only to be used locally (i.e. the clients and servers are all on the same
machine) then Remote should be turned off.
Figure 4-7: Launch, Access, and Configuration Permission Tabs for an OPC Server
4.2.4 Limiting RPC Ports and Protocols
The “Endpoints” tab allows you to select what protocols and ports can be
used by this server and is shown in Figure 4-8. This tab gives us the possibility to
address one of the more vexing problems in OPC security, namely the
problem of dynamic port allocation.
Most other TCP server applications use fixed port numbers to identify all
incoming packets. For example, MODBUS/TCP uses port 502 and HTTP uses
port 80. This consistency makes firewall rule creation relatively simple – if you
want to block all MODBUS traffic through the firewall, simply define a rule that
blocks all packets containing 502 in the destination port field.
Figure 4-8: Endpoints Configuration Tab for an OPC Server
The default setup for DCOM (and RPC) complicates the situation by allowing
the OPC server to dynamically pick its own port numbers. The reason is that
while only one web server will typically exist on a given host, there can be
multiple DCOM servers on the same device and each needs its own port
number. It is certainly possible to have an administrator manually set these
port numbers for each server, but early design decisions dictated this might
not be an ideal solution, so dynamic allocation became the default.
Today, with security becoming a priority over administrative simplicity, it is
worth considering the option of statically setting these ports for each OPC
server. Of course it is critical to make sure two OPC servers on the same host do not get set up using the same port number.
Unfortunately not all vendors of OPC products respect the static setting of
port numbers, so this technique must be tested carefully. Matrikon and
NETxEIB OPC software products worked well with static ports, but several
other products did not. Undocumented registry changes did get static setting
of port numbers working on a few other vendors’ products, but this was very
complex. Thus it is important to check with your OPC vendor before trying
this technique on a live system. If they do not support setting of static
endpoints, we offer an alternative mitigation in Section 4.3.2 - Restricting TCP
Port Ranges.
If you want to use static port numbers for OPC traffic and your vendor
supports them, select “Add” on the “Endpoints” tab and the screen in Figure
4-9 should appear. Then set the Protocol Sequence to “Connection-Oriented
TCP/IP” and enter a port value for the static endpoint. Be certain this port
number is not used by any other application in the host. In this example we
have configured the host so the OPC server application will use TCP port
7000.
Figure 4-9: Security Configuration Tab for an OPC Server
4.2.5 Setting the OPC Application’s Account
Finally, the “Identity” tab lets you configure what user account the DCOM
application will run under. As shown in Figure 4-10, the OPC software should
be set to run as the opcuser account.
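Everything the Component Services tool edits in Sections 4.2.1 through 4.2.5 is stored per server under the AppID registry key, which makes it possible to audit many OPC servers at once instead of opening each property sheet. The PowerShell below is an added example, not part of the whitepaper: it reads each AppID and flags an authentication level below Packet Integrity, launch or access permissions that still grant Everyone, a missing RunAs identity and a missing static endpoint. The registry value names (AuthenticationLevel, LaunchPermission, AccessPermission, RunAs, Endpoints), the numeric RPC_C_AUTHN_LEVEL codes and the self-relative security descriptor format of the permission values are standard DCOM registry storage that we rely on here; none of them are named in the text. It assumes an administrative Windows PowerShell session and only reports, never changes, settings.

```powershell
# Added example (not from the whitepaper): audit the per-server DCOM settings of
# Section 4.2 by reading HKLM\SOFTWARE\Classes\AppID, the storage behind the
# Component Services GUI. Assumes an administrative Windows PowerShell session.
# Value names and level codes are standard DCOM registry conventions (our
# assumption, not from the text). Read-only: nothing is modified.

$AppIdRoot   = 'HKLM:\SOFTWARE\Classes\AppID'
$EveryoneSid = 'S-1-1-0'

# RPC_C_AUTHN_LEVEL_* codes as stored in the AuthenticationLevel DWORD.
$AuthLevelNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call';
                     4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }

function Get-SidsFromDcomPermission {
    param([byte[]]$Bytes)
    # Launch/Access permissions are stored as a self-relative security descriptor;
    # return the SIDs named in its DACL.
    if ($null -eq $Bytes) { return @() }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ($Bytes, 0)
    if ($null -eq $sd.DiscretionaryAcl) { return @() }
    return @($sd.DiscretionaryAcl | ForEach-Object { $_.SecurityIdentifier.Value })
}

function Get-DcomServerAudit {
    param([string]$DisplayNamePattern = '.*')
    $results = @()
    foreach ($key in Get-ChildItem -Path $AppIdRoot) {
        $p = Get-ItemProperty -Path $key.PSPath
        $name = $p.'(default)'
        if (-not $name -or $name -notmatch $DisplayNamePattern) { continue }

        # Absent AuthenticationLevel means "Default" (Section 4.2.1).
        $level = if ($null -ne $p.AuthenticationLevel) { [int]$p.AuthenticationLevel } else { 0 }
        $launchSids = Get-SidsFromDcomPermission -Bytes $p.LaunchPermission
        $accessSids = Get-SidsFromDcomPermission -Bytes $p.AccessPermission

        $issues = @()
        if ($level -lt 5) { $issues += "authentication level is $($AuthLevelNames[$level]); want Packet Integrity or Privacy" }
        if ($null -eq $p.LaunchPermission) { $issues += 'launch permission uses machine default' }
        if ($launchSids -contains $EveryoneSid) { $issues += 'Everyone may launch' }
        if ($accessSids -contains $EveryoneSid) { $issues += 'Everyone may access' }
        if (-not $p.RunAs) { $issues += 'RunAs not set (runs as launching user, not opcuser)' }
        if (-not $p.Endpoints) { $issues += 'no static endpoint (dynamic RPC port)' }

        $results += [pscustomobject]@{
            AppId     = $key.PSChildName
            Name      = $name
            AuthLevel = $AuthLevelNames[$level]
            RunAs     = $p.RunAs
            Endpoints = ($p.Endpoints -join ';')
            Issues    = ($issues -join '; ')
        }
    }
    return $results
}

# Usage: review only servers whose display name mentions OPC.
Get-DcomServerAudit -DisplayNamePattern 'OPC' | Format-Table -AutoSize
```

The script deliberately stops at reporting: the RunAs identity and its password are set through the Identity tab because the password is stored separately by the system, and the permission descriptors are easiest to edit correctly through the Security tab described in Section 4.2.3.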
4.3 RPC Hardening Recommendations
4.3.1 Restricting Transport Protocols to TCP
To make the Remote Procedure Call (RPC) mechanism more secure, it makes
sense to restrict the available transport level protocols and to limit the range
of potential transport protocol ports. Forcing OPC clients and servers to use
only TCP (rather than UDP) will allow intervening firewalls to statefully police
TCP streams that carry DCOM traffic. Hence, it is recommended to only list
TCP in the list of available DCOM protocols. To do this, edit the
“HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\DCOM Protocols” registry
entry so that it only contains the item “ncacn_ip_tcp”.
Figure 4-10: Identity Configuration Tab for an OPC Server
4.3.2 Restricting TCP Port Ranges
As an alternative to defining a static port for the OPC servers, one can make
changes to the Windows registry that will limit the range of potential RPC
ports used by an OPC server and allow simpler firewall rules. For example,
administrators can define a small range of ports for RPC to use on the OPC
host. This involves making registry changes and rebooting. To change the registry, create an Internet key under the following location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\
Figure 4-11: Creating a New Registry Key
Next create the following entries in this location:
• Ports (type REG_MULTI_SZ)
• PortsInternetAvailable (type REG_SZ)
• UseInternetPorts (type REG_SZ)
The value for Ports should be the desired port range you want to use for OPC
servers. For example, you could allocate 100 ports by entering “7000-7100” in
Ports. We recommend you use a range of ports above port 5000 since port
numbers below 5000 may already be in use by other applications.
Furthermore, previous experience shows a minimum of 100 ports should be
opened, because several system services rely on these RPC ports to
communicate with each other.
The value of PortsInternetAvailable should be set to “Y” for the Ports range to
be noted. The value of UseInternetPorts should also be set to “Y” for the Ports range to be noted. It is important to remember this will affect all RPC services
and not just OPC applications so check with your vendor before trying this.
Figure 4-12: Adding the Registry Values
Also note that since OPC uses callbacks, you must use TCP for communications through a firewall if you want this mitigation to work. The
reason for this is when the server makes a call to the client, the source port
will not be within the range specified above and thus when the client sends a
reply to the server's source port, it will not be able to penetrate the firewall.
This is not a problem with TCP because most firewalls keep track of TCP
connections and permit bidirectional traffic on connections, regardless of the
source port, as long as they are opened from a machine on the inside. For
guidance on forcing OPC to use TCP, see Section 4.3.1 Restricting Transport
Protocols to TCP.
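The two RPC changes of Sections 4.3.1 and 4.3.2 are plain registry writes, so they can be applied and checked from one script. The PowerShell below is an added example, not the whitepaper's own material: it backs up the Rpc key, restricts the DCOM protocol list to ncacn_ip_tcp, creates the Internet key with Ports, PortsInternetAvailable and UseInternetPorts, and refuses a port range that violates the guidance above (below port 5000 or fewer than 100 ports). Key paths and value names are those given in the text; the backup file path is a placeholder; an administrative Windows PowerShell session and a reboot afterwards are assumed.

```powershell
# Added example (not from the whitepaper): apply the RPC hardening of Sections
# 4.3.1 and 4.3.2 through registry writes. Assumes an administrative Windows
# PowerShell session; a reboot is required before the settings take effect.
# Key paths and value names come from the text; the backup path is a placeholder.

$RpcKey      = 'HKLM:\SOFTWARE\Microsoft\Rpc'
$InternetKey = Join-Path $RpcKey 'Internet'
$BackupFile  = 'C:\opc-rpc-backup.reg'   # placeholder backup location

function Test-RpcPortRange {
    param([string]$Range)
    # Accepts "low-high" and enforces the text's advice: above port 5000 and at
    # least 100 ports, because system services share the RPC range.
    if ($Range -notmatch '^(\d+)-(\d+)$') { return $false }
    $low = [int]$Matches[1]; $high = [int]$Matches[2]
    return ($low -gt 5000) -and ($high -le 65535) -and (($high - $low + 1) -ge 100)
}

function Set-RpcTcpOnly {
    # Section 4.3.1: leave only the TCP protocol sequence in "DCOM Protocols".
    Set-ItemProperty -Path $RpcKey -Name 'DCOM Protocols' -Value @('ncacn_ip_tcp') -Type MultiString
}

function Set-RpcInternetPortRange {
    param([string]$Range)
    if (-not (Test-RpcPortRange $Range)) { throw "Port range '$Range' does not meet the guidance" }
    if (-not (Test-Path $InternetKey)) { New-Item -Path $InternetKey | Out-Null }
    # Section 4.3.2: Ports is REG_MULTI_SZ; the two flags are REG_SZ "Y".
    Set-ItemProperty -Path $InternetKey -Name Ports -Value @($Range) -Type MultiString
    Set-ItemProperty -Path $InternetKey -Name PortsInternetAvailable -Value 'Y' -Type String
    Set-ItemProperty -Path $InternetKey -Name UseInternetPorts -Value 'Y' -Type String
}

function Get-RpcHardeningState {
    # Summarises the current state for verification before and after the change.
    $proto = @((Get-ItemProperty -Path $RpcKey -Name 'DCOM Protocols' -ErrorAction SilentlyContinue).'DCOM Protocols')
    $inet  = Get-ItemProperty -Path $InternetKey -ErrorAction SilentlyContinue
    return [pscustomobject]@{
        TcpOnly       = ($proto.Count -eq 1 -and $proto[0] -eq 'ncacn_ip_tcp')
        Ports         = (@($inet.Ports) -join ',')
        InternetPorts = ($inet.PortsInternetAvailable -eq 'Y' -and $inet.UseInternetPorts -eq 'Y')
    }
}

# Back up the key first so the change can be reverted if an OPC product objects.
if (Test-Path $BackupFile) { Remove-Item $BackupFile }
reg export 'HKLM\SOFTWARE\Microsoft\Rpc' $BackupFile | Out-Null

Set-RpcTcpOnly
Set-RpcInternetPortRange -Range '7000-7100'   # the text's example range
Get-RpcHardeningState
```

Because the Internet key affects every RPC service on the host and not only OPC, keep the exported .reg file until the host has been rebooted and the OPC software verified; reverting is then a matter of importing that file.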
4.4 More Special Considerations for XP Systems
One might assume these configurations are for OPC servers only.
Unfortunately this is not the case; starting with Windows XP/SP2, the DCOM
configuration must deal with what Microsoft calls "Limits". This means the
accounts opcadmin and opcuser have to be added under "Limits" in the
global COM security settings for all clients and servers.
To do this we again use the DCOM Configuration Tool found under Control
Panel/Administrative Tools/Component Services[19] shown in Figure 4-13. It can
also be accessed by starting dcomcnfg.exe from the Run… option in the Start
Menu.
Figure 4-13: Component Services (DCOM) Configuration Tool
Now select the COM Security tab and an option to edit the Access
Permissions and Launch Permissions will appear (see Figure 4-14). Each of
these needs to be edited to add the accounts opcadmin and opcuser. This
editing is identical to that described in Section 4.2.3.
[19] http://www.gefanucautomation.com/opchub/opcdcom.asp
Figure 4-14: COM Security Tab
Figure 4-15: Adding opcuser to the Access Permission
5 OPC Host Hardening Verification
Even after applying the techniques for hardening Windows, OPC, DCOM and
RPC described in the previous chapter, we are still left with a number of
unanswered questions with regard to our OPC server:
• Have the hardening techniques been properly applied?
• What other specific exposures should be addressed?
• When is the system under attack and what kinds of attacks are
being used?
To help answer these questions, some active and passive verification
techniques can be used. These involve vulnerability scanning using freely
available tools and the enabling and monitoring of Windows auditing
features. Note, it is difficult to completely automate this verification process
so a manual process is used in the following examples.
5.1 Windows Service and Open Port Determination
The first task is to determine if the configuration of the OPC servers has
resulted in the correct servers starting, and if using static ports, if the ports are
set correctly. There are many tools to do this, but one of the simplest is the
built-in Windows utility “NETSTAT”.
Netstat displays all active TCP connections, the ports on which the computer
is listening and a number of useful Ethernet, IP and TCP statistics. To use
Netstat, simply open a command line window and type “netstat -o”. The “-o”
parameter displays all active TCP connections and includes the process ID
(PID) for each connection. You can find the application based on the PID on
the Processes tab in Windows Task Manager. Other similar tools include
“fport” from www.foundstone.com.
Figure 5-1: Typical NETSTAT Output
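The port check described in this section and the RPC port range of Section 4.3.2 can be combined into one script. The following is an added example, not code from the white paper, that parses the text output of netstat (run with the -a, -n and -o switches so that listening sockets, numeric addresses and PIDs are all shown) and reports TCP listeners that are neither inside the configured RPC range nor on an expected fixed port, plus any UDP listeners, which should be absent once RPC has been forced to TCP (Section 4.3.1). The netstat text, the RPC range 5000-5100 and the allowed fixed ports 135 and 445 are constructed assumptions; on a real host you would feed the script the actual netstat output and your own Ports value.

```python
"""Check NETSTAT output against the RPC port range configured for an OPC host.

Added example for Sections 4.3.2 and 5.1 of the OPC Security white paper;
it is not code from the paper. The netstat text, the RPC range and the
allowed static ports below are constructed assumptions.
"""
import re

# Constructed sample of "netstat -ano" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1452
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1288
  TCP    0.0.0.0:5001           0.0.0.0:0              LISTENING       1288
  TCP    192.168.1.10:5001      192.168.1.20:3412      ESTABLISHED     1288
  UDP    0.0.0.0:135            *:*                                    760
  UDP    0.0.0.0:1026           *:*                                    1452
"""

# Assumed: the Ports value under HKLM\Software\Microsoft\Rpc\Internet was set
# to 5000-5100 (Section 4.3.2), and the endpoint mapper (135) and SMB (445)
# are the only fixed TCP ports this host is meant to keep.
RPC_RANGE = (5000, 5100)
ALLOWED_STATIC_TCP = {135, 445}

# One netstat row: proto, local addr:port, foreign addr, optional state, PID.
_ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            rows.append({
                "proto": m.group("proto"),
                "port": int(m.group("lport")),
                "state": m.group("state"),   # None for UDP rows
                "pid": int(m.group("pid")),
            })
    return rows


def check_listeners(rows, rpc_range=RPC_RANGE, allowed_static=ALLOWED_STATIC_TCP):
    """Classify listening sockets as (port, pid) tuples.

    rpc_range_listeners: TCP listeners inside the configured RPC range.
    tcp_outside_range:   TCP listeners neither in the range nor on an allowed port.
    udp_listeners:       any UDP socket; these should be gone once RPC is TCP only.
    """
    low, high = rpc_range
    findings = {"rpc_range_listeners": [], "tcp_outside_range": [], "udp_listeners": []}
    for r in rows:
        item = (r["port"], r["pid"])
        if r["proto"] == "UDP":
            findings["udp_listeners"].append(item)
        elif r["state"] == "LISTENING":
            if low <= r["port"] <= high:
                findings["rpc_range_listeners"].append(item)
            elif r["port"] not in allowed_static:
                findings["tcp_outside_range"].append(item)
    return findings


if __name__ == "__main__":
    for name, items in check_listeners(parse_netstat(SAMPLE_NETSTAT)).items():
        print(name, items)
```

Each flagged entry carries the PID, so the owning process can be looked up on the Processes tab of Task Manager exactly as described above; in the constructed sample, PID 1452 owns both the stray TCP listener on 1027 and a UDP socket, which is the pattern to expect from an RPC service that has not yet been restricted.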
5.2 Windows Event Log Analysis
Windows 2000, Server 2003 and XP provide a rich set of features for
identifying malicious activity and policy violations. Unfortunately, many are
not enabled by default. Furthermore, typically the challenge is not in getting
the data, but in deciding which information is most valuable when
monitoring OPC based applications.
The first step is to enable Auditing to identify and log malicious activity
against OPC Servers. On standalone systems, auditing is configured using the
Local Security Policy. Although we identify a minimal set of Audit Policy
recommendations, changes are often required. However in general the
settings in the table below will work well.
Policy                     | Recommended Security Setting | Discussion
---------------------------+------------------------------+-----------
Audit Account Logon Events | Success and Failure          | Since we are differentiating between the user account necessary to remotely access the OPC/DCOM components (opcuser) and the application administrator (opcadmin), it makes sense to log both successful and failed events. Note that interactive logins on the OPC server should be relatively uncommon.
Audit Logon Events         | Success and Failure          |
Audit Object Access        | Failure                      | Enabling object access auditing generates a significant amount of activity; so only failed attempts to access OPC objects should be enabled.
Audit Policy Change        | Success                      |
Table 5-1: General Auditing Settings
Since login events are limited to interactive console logons, we must enable
per object auditing on core OPC components. In Security Options, enable
"Audit: Audit the access of global system objects." The object audit settings
should be as listed in the table below.
Object                                                    | Settings
----------------------------------------------------------+---------------------------------------
OPC Server Browser (OPCEnum.exe)                          | Traverse Folder / Execute File: Failed
opc_aeps.dll, opcbc_ps.dll, opccomn_ps.dll, OPCDAAuto.dll | Traverse Folder / Execute File: Failed
OPC Server Application                                    | Traverse Folder / Execute File: Failed
Table 5-2: Object Auditing DCOM/OPC files
It is important to remember that in order to get the most accurate picture of
hostile activity across the network and on multiple clients and servers, we
must be able to integrate data from a variety of sources, including routers,
firewalls, intrusion detection/prevention systems, Windows event logs, and
application specific logs generated by OPC servers. This can be a challenge
given the different terminology, different message formats and different
types of data (such as IP addresses, port numbers, GUIDs, application names,
etc.) generated by all these systems. This is a non-trivial task where more
research and product development is needed.
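As an added example (not from the white paper) of turning the audit settings in Tables 5-1 and 5-2 into a review of the collected events, the script below reads a constructed export of Security log records and applies three checks: repeated failed logons (event 529) against the opcuser or opcadmin accounts from one source, interactive logons (event 528 with logon type 2 or 10) on the OPC server, which Table 5-1 notes should be uncommon, and failed object access (event 560) to the OPC components listed in Table 5-2. The tab-separated record layout, the host name OPCSRV01, the addresses and the threshold of three failures are assumptions made for the example.

```python
"""Review constructed Security-log records from a hardened OPC host.

Added example for Section 5.2 of the OPC Security white paper; it is not
code from the paper. Event IDs follow Windows 2000/XP/2003: 528 successful
logon, 540 successful network logon, 529 logon failure (bad user name or
password), 560 object open. The record layout and sample values are
constructed assumptions.
"""
from collections import defaultdict

# Accounts and components the paper's audit settings focus on.
OPC_ACCOUNTS = {"opcuser", "opcadmin"}
OPC_OBJECTS = ("OPCEnum.exe", "opc_aeps.dll", "opcbc_ps.dll",
               "opccomn_ps.dll", "OPCDAAuto.dll")
INTERACTIVE_LOGON_TYPES = {"2", "10"}   # console and terminal-services logons
FAILED_LOGON_THRESHOLD = 3              # assumed: alert at three failures per account+source

# Constructed export, one event per line, tab separated:
# time, event id, result, user, logon type (blank for object events),
# source workstation or address, object name (blank for logon events).
SAMPLE_EVENTS = """\
2007-06-28 10:15:02\t529\tFailure\topcuser\t3\t192.168.1.55\t
2007-06-28 10:15:05\t529\tFailure\topcuser\t3\t192.168.1.55\t
2007-06-28 10:15:09\t529\tFailure\topcuser\t3\t192.168.1.55\t
2007-06-28 10:16:40\t540\tSuccess\topcuser\t3\t192.168.1.20\t
2007-06-28 10:20:03\t529\tFailure\topcadmin\t3\t192.168.1.20\t
2007-06-28 11:02:11\t528\tSuccess\topcadmin\t2\tOPCSRV01\t
2007-06-28 11:30:45\t560\tFailure\tguest\t\t192.168.1.55\tC:\\WINNT\\system32\\OPCEnum.exe
2007-06-28 11:31:00\t560\tSuccess\topcuser\t\t192.168.1.20\tC:\\WINNT\\system32\\OPCEnum.exe
"""


def parse_events(text):
    """Split the export into dictionaries; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        time, event_id, result, user, logon_type, source, obj = fields
        events.append({
            "time": time,
            "event_id": int(event_id),
            "result": result,
            "user": user,
            "logon_type": logon_type,
            "source": source,
            "object": obj,
        })
    return events


def triage(events, threshold=FAILED_LOGON_THRESHOLD):
    """Apply the three checks and return the findings as lists of tuples."""
    failures = defaultdict(int)
    report = {"failed_logon_alerts": [], "interactive_logons": [], "opc_object_failures": []}
    for e in events:
        if e["event_id"] == 529 and e["user"] in OPC_ACCOUNTS:
            # Count failed logons per (account, source) pair.
            failures[(e["user"], e["source"])] += 1
        elif e["event_id"] == 528 and e["logon_type"] in INTERACTIVE_LOGON_TYPES:
            # Table 5-1: interactive logins on the OPC server should be uncommon.
            report["interactive_logons"].append((e["time"], e["user"], e["source"]))
        elif e["event_id"] == 560 and e["result"] == "Failure" and e["object"].endswith(OPC_OBJECTS):
            # Table 5-2: only failed access to the OPC components is audited.
            report["opc_object_failures"].append((e["time"], e["user"], e["object"]))
    for (user, source), count in sorted(failures.items()):
        if count >= threshold:
            report["failed_logon_alerts"].append((user, source, count))
    return report


if __name__ == "__main__":
    for name, items in triage(parse_events(SAMPLE_EVENTS)).items():
        print(name)
        for item in items:
            print("   ", item)
```

The single opcadmin failure from 192.168.1.20 stays below the threshold and is not reported, which is the intended trade-off: one mistyped password is noise, three failures against the OPC account from the same source is worth a look. Lowering the threshold to 1 lists every failure, and the same structure extends to the router, firewall and IDS sources mentioned above once their records are mapped onto the same fields.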
5.3 Vulnerability Scanning
Apart from enabling and analyzing security logs on OPC client and server
systems, we recommend that active methods be used to assess hosts for
security deficiencies. The tools and techniques described in this section can
identify a number of security gaps.
The focus of this section is only scanning for misconfiguration vulnerabilities in
DCOM and OPC Servers and not identifying other vulnerable services or
components that need to be upgraded. When evaluating existing
techniques, we discovered that existing tools fall short when it comes to
providing information about the state of DCOM and OPC security and at
times they provide conflicting information. Two popular tools we used to
check the security of OPC hosts are Microsoft's Security Baseline Analyzer
and Tenable Network Security's Nessus Scanner. Other scanners can be used
as well.
5.3.1 Microsoft Security Baseline Analyzer 2.0
The Microsoft Baseline Security Analyzer (MBSA) is a free tool useful for
checking systems to ensure they are set up in accordance with Microsoft
best practices and to ensure the basic Windows hardening techniques
described above are followed. It also helps to identify gaps in Microsoft
system and application updates. In July 2005, Microsoft released version 2.0 of
this tool, which, according to the Microsoft web site, is now used in many
commercial security products.
We recommend using MBSA to scan the OPC server locally since it provides
the most useful information and is the least intrusive. Scans can also be
conducted remotely if proper domain/local user credentials are available,
remote registry browsing is enabled and access to the well known Microsoft
TCP and UDP ports is available. Unfortunately this would involve practices
that we specifically advise against for OPC hosts, thus we cannot
recommend remote MBSA scans.
MBSA provides an easy-to-read report using simple pass/fail criteria and can
be sorted according to severity. Although MBSA is by no means
comprehensive, we were disappointed to see it contains no analysis of
DCOM configuration weaknesses. However it is still a useful tool.
As a test, we scanned our OPC server running a completely patched
Windows 2000/SP4 in the default state without any of our hardening
recommendations applied. It provided us with a report that included the
following vulnerabilities:
1. Administrative Vulnerabilities
• Local Account Password Test – MBSA determined that we were
using weak passwords for our opcadmin and opcuser accounts.
• Restrict Anonymous – MBSA detected that we had
RestrictAnonymous set to 0, which allowed null sessions to be
established.
• Password Expiration – MBSA determined that password expiration
was not enabled. However password expiration may not be
appropriate for control system environments.
• Windows Firewall – MBSA identified that the built-in Windows
2000/XP firewall was not in use.
• Update Compliance – MBSA provided an exhaustive list of security
updates and hotfixes.
2. Additional System Information
• Services – identified a number of unnecessary services running on
the server.
• Shares – identified old share names and permissions that were not
required.
Although MBSA checked for common operating system level hardening
issues, MBSA provided no DCOM-specific information and only provided
information on Microsoft security updates. It did not list any 3rd party software
in the reports. Still it is a very useful tool.
5.3.2 Nessus Vulnerability Scanner
Nessus is one of the most popular vulnerability scanning tools on the market.
Although Nessus is a general-purpose scanner, it includes checks for multiple
network layers and different types of devices. It features a large number of
vulnerability checks for Windows and Windows-based applications. This is
especially true if Administrator level credentials are provided.
One word of caution - Nessus has a track record of crashing embedded
devices such as PLCs and RTUs and even some poorly implemented Windows
applications. Sometimes the operating system can become unresponsive
and unreliable during Nessus scans. Thus we recommend these scans only be
run on offline systems.
Our scans of a default OPC Server configuration on a partially-patched
Windows 2000 SP4 Workstation produced a large amount of information
(after we provided Administrator level credentials to Nessus).
1. Port Scans – Given the use of multiple non-standard ports, port-scans
against OPC are not very useful, but do help identify unnecessary
system services (IIS etc.) that may be running on an OPC host. They also
help confirm if the TCP port number restrictions suggested in Sections
4.2 and 4.3.2 are effective.
2. SMB Share Enumeration – If anonymous browsing is enabled (or login
credentials are provided) Nessus identifies remotely accessible shares.
3. RPC Enumeration – The RPC scanning module provides output
gathered from probes to RPC/DCE. No useful information about OPC
applications could be gained from the RPC scans during our tests.
4. Password Policy & History – For this module, passwords that have
changed and other enforcement mechanisms such as minimum length,
strength, force logoff time, and number of logins until lockout are
reported. Some of these may not be appropriate for control system
environments.
5. Remote Registry Access – Nessus determined whether or not remote
registry browsing is possible.
6. User Enumeration – Nessus remotely determined the Security Identifiers
(SIDs) and names of identified privileged and unprivileged user
accounts.
7. Known Vulnerabilities in Windows and 3rd Party Components – Using
“local” and remote checks, Nessus identified potentially vulnerable
software versions.
8. Remote Service Enumeration – In addition to standard services
(Computer Browser, DHCP Client, etc.) Nessus identified the OPC
Server Browser and OPC Server when run as a service.
9. Installed Software – Nessus provided the name and version information
on installed OPC client and server applications, in addition to other 3rd
party software.
5.3.3 Audit Files for Nessus Vulnerability Scanner
Tenable Network Security has developed Nessus plugins that will audit the
configuration of a device under test to an established configuration. Digital
Bond has created an audit file based on the security recommendations in
this white paper. The audit file, available as Digital Bond subscriber content, will
allow an OPC user to determine if their OPC implementation meets the good
practice security recommendations in Part 3 of the OPC white paper series.
The audit capability is available in Nessus 3 to Tenable Direct Feed
subscribers and Security Center users. The “Policy Compliance” plugins (IDs
21156 and 21157) must be enabled and the credentials for an account with
Windows Administrator privileges must be entered into Nessus. The audit file
for OPC servers is added via the compliance tab.
Some of the settings require customization per OPC server. For example,
auditing the DCOM permissions requires the CLSID of the OPC server be
entered into the audit file. This varies by vendor and product, but it is easily
determined on the OPC server and Digital Bond has a large list of CLSIDs.
Additional instructions on the use and results from the OPC security audit file
are available at Digital Bond's website.
6 A Summary of OPC Host Hardening Practises
6.1 An Action Plan for Hardening OPC Hosts
In earlier sections of this white paper we pointed out the best way to harden
an OPC host is to do it in stages. One begins by locking down the operating
system that the OPC server or client resides on, which in most cases is some
version of Windows. Next, one should tackle the OPC applications by
restricting the OPC accounts, limiting DCOM object access and constraining
RPC protocol options. Lastly, to verify the hardening has been successful, it is
important to check for remaining security vulnerabilities using security
analyzer tools.
While it seems like a lot of effort, it is important to remember that effective
security does not start or stop with these three steps. Security is an ongoing
process and thus we recommend the following overall process for users of
OPC technology:
1. Determine whether OPC or DCOM is in use in your facility: This may
seem like a trivial task, but some applications may not adequately
document what lower level API is used. We located at least one
company that was unaware that DCOM was in use on its control
system because it was bundled into a control product with a different
name.
2. Document how OPC or DCOM is deployed in your facility: This includes
determining what systems and devices communicate using OPC and
how critical this communication is for your operation. List all OPC
servers and client applications on each host in your facility.
3. Evaluate possible operating system hardening practices: Section 3
and Section 6.2 (below) highlight common areas of concern and good
practices for operating system hardening. Also investigate guidelines
from your IT department and other bodies such as NIST and US-DoD20.
4. Select the appropriate operating system hardening practices for your
environment: Choose the hardening practices effective for your facility
from the results of step 3.
5. Evaluate possible OPC/DCOM hardening practices: Review the
guidelines listed in Sections 4 and 6.2 of this report. Also review the
recommendations of your OPC vendor and other bodies such as the
OPC Foundation, for security settings.
20 For example see http://csrc.nist.gov/itsec/SP800-68-20051102.pdf and
http://iase.disa.mil/stigs/checklist/W2K3_Checklist_V5-1-10_20070525.zip
6. Select appropriate OPC/DCOM hardening practices for your
environment: Choose the OPC/DCOM hardening practices effective for
your facility from the results of step 5.
7. Test hardening practises on offline test systems: Make sure that you
have tested any hardening techniques on non-critical systems and
conduct functional testing to ensure OPC servers are operating
properly. Only after you are sure that they will not impact your process
should you deploy them on critical systems.
8. Consult with your vendor/system integrator to address possible security
incompatibility issues: Unfortunately some applications may not
function properly when either OS or OPC/DCOM hardening practices
are applied. Work with your vendor/integrator to determine and
resolve these issues.
9. Implement hardening practises on operational systems: Once all
hardening techniques have been confirmed on offline test systems,
deploy them on online systems. Then conduct functional testing to
ensure all OPC servers are operating properly.
10. Verify the deployed OPC/DCOM and OS hardening practices: After
implementing hardening practices, make sure they are operating as
expected using techniques described in Section 5.
11. Implement other security countermeasures: The host hardening
guidelines described in this document are not sufficient on their own - it
is prudent to have a defense-in-depth approach to security. This will
include other solutions such as patch management, firewalls, antivirus
deployment and so on.
12. Monitor OPC hosts for intrusions or unusual activities: This can be done
using host and network based monitoring tools as well as Windows
Auditing and Logging tools as discussed in Section 5.
6.2 Summary of High Risk Vulnerabilities and Mitigating Good
Practices
Using the results from White Paper #2, we have summarized the key findings
relating to common operating system vulnerabilities that are most critical for
OPC deployments. We have then added the recommended practices for
mitigating them based on the guidelines in this report. Please remember this is
only a summary and is by no means a complete list of vulnerabilities or
mitigations.
Vulnerability                                 | Good Practice
----------------------------------------------+--------------
Inadequate Patching of Host                   | Follow guidance from OPC vendor and existing organizational guidelines. (Section 3.1)
Unnecessary Services                          | Disable unnecessary services and ensure OPC hosts are single purpose platforms. (Section 3.2)
Unnecessary Access to Host from Other Devices | Use Windows IP Filtering (Section 3.4)
System Enumeration & Profiling                | Disable Unnecessary Services (Section 3.2) and Confirm with Vulnerability Scanning (Section 5.3)
Weak Passwords                                | Beyond the scope of this document. Follow established industry or organizational best practices.
Remote Registry Access                        | Harden registry and disable remote editing (Section 3.5). If possible disable remote browsing.
Inadequate Security Logging                   | Enable system auditing for OPC and DCOM objects to identify unauthorized access attempts. (Section 5.3)
Table 6-1: High Risk O/S Vulnerabilities and Possible Mitigating Practices

Vulnerability                                                | Good Practice
-------------------------------------------------------------+--------------
Lack of Authentication for OPC Server Browser                | Disable OPC Server Browser and Anonymous Login after initial configuration (Section 4.1)
OPC Server Executes with Excessive Permissions               | Configure OPC Server components to run with restricted permissions (Section 4.2)
Overly Permissive Settings for OPC Server Browser            | Remove Everyone access to OPCEnum and require authenticated users and/or follow vendor recommended practices. (Section 4.2)
Unnecessary Protocol Support for OPC Server                  | Force RPC to only use TCP for transport and either use static ports or restrict port ranges (Section 4.3.1)
Excessive Open TCP ports on OPC Server                       | Force RPC to either use static ports (Section 4.2) or restrict port ranges (Section 4.3.2)
Lack of Confidentiality in OPC Communications                | Enable “Packet Privacy” if possible (Section 4.2)
Lack of Integrity in OPC Communications                      | Enable “Packet Integrity” if possible. (Section 4.2)
Use of Historically Insecure Transport                       | Ensure patching and upgrade to OPC-UA when available.
OPC Security Configuration Lacks Fine Grained Access Control | Cannot be addressed at this time
Table 6-2: High Risk DCOM/OPC Vulnerabilities and Possible Mitigating Practices
6.3 Some Final Thoughts
Based on our research, the challenges of securing OPC deployments are
clear. The inherent architectural issues with the current versions of OPC, the
default security posture and poor compliance to DCOM security settings of
many OPC products, and the lack of unambiguous guidance with regard to
security, all contribute to the difficulties of securing OPC deployments in most
companies.
This does not mean OPC users should throw up their hands in despair. OPC's
reliance upon the Microsoft platform is both a blessing and a curse - while
Windows has flaws, we were able to uncover a wealth of practices for
hardening Windows servers that can be applied to OPC clients and servers.
Furthermore, the fact that a few OPC vendors are providing good security
guidance and a degree of hardening during the installation process shows
that it is possible to reduce the pain of security that many users are feeling.
What is needed from the vendor community is an immediate and focused
effort towards improving OPC/DCOM installation processes and security
guidance. Waiting for the day when there is widespread availability and
deployment of the more secure OPC-UA is not a solution – that is simply too
far in the future to help today's OPC end-users.
End-users can also do much to improve their security posture with regards to
OPC. First, many of the vulnerabilities in OPC hosts that we discussed in White
Paper #2 are well within the control of the knowledgeable end-user. Using a
well-defined security plan, such as the one supplied in this document, the
end-user can significantly reduce their OPC security risk. Second, the end-
user community can start demanding better OPC guidance from their
vendors – as we noted in White Paper #2, a few vendors already do an
excellent job, so the challenge is to move the remaining vendors in this
direction. Only end-users wielding the power of the purchase order can
make this happen in a timely fashion.
Finally, it is critical the OPC end-user keep both operating systems and OPC
applications as current as possible. The security of most software products
has improved significantly in the past five years. This is especially true for
Microsoft Windows and various OPC products. The eventual release of OPC-
UA based software is likely to significantly help reduce the security effort and
risk currently faced by industry today. This can only happen if the community
embraces the new UA technologies over the next few years.
7 Areas for More Research in OPC Security
Since the focus in this project was on the hardening of OPC hosts, a number
of other interesting security possibilities were not pursued during our research.
We feel that these are worth investigating in future studies and have listed
them below.
7.1 Firewall and Network Related Solutions for OPC Security
Readers may have noted that there is no discussion in this white paper on
best practises for firewall configuration for OPC systems. This was considered
out of scope for this project focusing on OPC hosts, but is an area urgently
needing further research.
7.2 OPC Tunnelling Solutions for Security Robustness
Given the difficulty in developing firewall rule sets for DCOM-based
applications (and the challenges of OPC use across multiple Windows
domains), there are a number of 3rd party products or built-in techniques to
tunnel OPC/DCOM traffic over a single port. Although these techniques may
make the life of the systems administrator simpler, it is not clear if they
improve security. Detailed analysis of these tunnelling solutions is urgently
required.
7.3 Network Intrusion Detection/Intrusion Prevention Signatures
In the past few years intrusion detection signatures for SCADA protocols such
as DNP3 and MODBUS have been developed based on likely misuse of valid
protocol patterns. We believe that a similar approach could be conducted
for OPC to alert on unauthorized attempts to access OPC Server GUIDs,
Program IDs, or other client or server messages.
7.4 Enhancements to Network Vulnerability Scanners
Although scanning tools such as Nessus and MBSA proved useful for
identifying Windows OS vulnerabilities, very little DCOM/OPC specific
information was provided by these tools.
7.5 Research Implementation Vulnerabilities in OPC Components
Over the past several years, a number of tools have been released that
attempt to find implementation flaws in ActiveX and COM components.
Although Internet Security Systems Incorporated's Scanner/Intrusion
Detection System (IDS) has a signature for an OPC Buffer overflow21, to our
knowledge no implementation flaws have been disclosed in the OPC
Foundation Components such as Proxy/Stub DLLs or OPC Applications.
21 http://xforce.iss.net/xforce/xfdb/13393
7.6 Use of Domain Isolation in Control Environments
Domain Isolation is a technique based on IPSec and Group Policy to prevent
access from untrusted devices to trusted devices on a corporate network.
While very promising on the surface, just how effectively this technology can
be used in the industrial controls environment requires additional research.
Glossary
ACL - Access Control List: List of rules in a router or firewall specifying access
privileges to network resources.
API - Application Programming Interface: The specification of the interface
an application must invoke to use certain system features.
CATID - Category Identifier: Specifies the active OPC specifications.
CCM - Component Category Manager: A utility that creates categories,
places components in specified categories, and retrieves information about
categories.
CERN - Conseil Européen Recherche Nucleaire: European Laboratory for
Particle Physics.
CIFS - Common Internet File System: Updated version of Server Message
Block application-level protocol used for file management between nodes
on a LAN.
CIP - Common Industrial Protocol: CIP is an open standard for industrial
network technologies. It is supported by an organization called Open
DeviceNet Vendor Association (ODVA).
COM – Component Object Model: Microsoft's architecture for software
components. It is used for interprocess and interapplication communications.
It lets components built by different vendors be combined in an application.
CLSID - Class Identifier: An identifier for COM objects.
CORBA - Common Object Request Broker Architecture: Architecture that
enables objects to communicate with one another regardless of the
programming language and operating system being used.
CSP - Client Server Protocol: An Allen-Bradley protocol used to communicate
to PLCs over TCP/IP.
DDE – Dynamic Data Exchange: A mechanism to exchange data on a
Microsoft Windows system.
DCOM – Distributed Component Object Model: This is an extension to the
Component Object Model to support communication among objects
located on different computers across a network.
DCS – Distributed Control System: A Distributed Control System allows for
remote human monitoring and control of field devices from one or more
operation centers.
DDE - Dynamic Data Exchange: An interprocess communication system built
into Windows systems. DDE enables two running applications to share the
common data.
DLL - Dynamic Link Libraries: A file containing executable code and data
bound to a program at the application's load or run time, rather than linking
during the compilation of the application's code.
DMZ - Demilitarized Zone: A small network inserted as a "neutral zone"
between a trusted private network and the outside untrusted network.
DNP3 - Distributed Network Protocol 3: A protocol used between components
in SCADA systems (primarily in the power and water industries).
DNS – Domain Name System: A distributed database system for resolving
human readable names to Internet Protocol addresses.
EN - Enterprise Network: The corporation-wide business communication
network of a firm.
ERP - Enterprise Resource Planning: Set of activities a business uses to
manage its key resources.
GUI - Graphical User Interface: Graphical, as opposed to textual, interface to
a computer.
GUID - Globally Unique Identifier: A unique 128-bit number that is produced
by the Windows operating system and applications to identify a particular
component, application, file, database entry or user.
HMI - Human Machine Interface: A software or hardware system that enables
the interaction of man and machine.
HTML - Hypertext Markup Language: The authoring software language used
on the Internet's World Wide Web.
HTTP - HyperText Transfer Protocol: The protocol used to transfer Web
documents from a server to a browser.
HTTPS - HyperText Transfer Protocol over SSL: A secure protocol used to
transfer Web documents from a server to a browser.
IIS - Internet Information Server: Microsoft's web server application.
IDL - Interface Definition Language: Language for describing the interface of
a software component.
IDS - Intrusion Detection System: A system to detect suspicious patterns of
network traffic.
IPX - Internetwork Packet Exchange: A networking protocol used by
Novell Incorporated.
IPSEC – Internet Protocol SECurity: An Internet standard providing security at
the network layer.
IP - Internet Protocol: The standard protocol used on the Internet that defines
the datagram format and a best effort packet delivery service.
I/O - Input/Output: An interface for the input and output of information.
ISA - Instrumentation, Automation and Systems Society: ISA is a nonprofit organization that helps automation and control professionals to solve technical instrumentation problems.
IT - Information Technology: The development, installation and implementation of applications on computer systems.
LAN - Local Area Network: A computer network that covers a small area.
LM - LAN Manager: A now obsolete Microsoft Windows networking system and authentication protocol.
LDAP - Lightweight Directory Access Protocol: A protocol for accessing directory services.
MBSA - Microsoft Baseline Security Analyzer: A tool from Microsoft used to test a system to see if Microsoft best practices are being used.
MIB - Management Information Base: The database that a system running an SNMP agent maintains.
MODBUS - A communications protocol designed by Modicon Incorporated for use with its PLCs.
NETBEUI - NetBIOS Extended User Interface: An enhanced version of the NetBIOS protocol.
NetBIOS - Network Basic Input Output System: A de facto IBM standard for applications to use to communicate over a LAN.
NTLM - New Technology LAN Manager: A challenge-response authentication protocol that was the default for network authentication for Microsoft Windows New Technology (NT) operating systems.
OLE - Object Linking and Embedding: A precursor to COM, allowing applications to share data and manipulate shared data.
OPC - OLE for Process Control: An industrial API standard based on OLE, COM and DCOM for accessing process control information on Microsoft Windows systems.
OPC-A&E - OPC Alarms & Events: Standards created by the OPC Foundation for alarm monitoring and acknowledgement.
OPC-DA - OPC Data Access: Standards created by the OPC Foundation for accessing real time data from data acquisition devices such as PLCs.
OPC-DX - OPC Data Exchange: Standards created by the OPC Foundation to allow OPC-DA servers to exchange data without using an OPC client.
OPC-HDA - OPC Historical Data Access: Standards created by the OPC Foundation for communicating data from devices and applications that provide historical data.
OPC-UA - OPC Unified Architecture: Standards created by the OPC Foundation for integrating the existing OPC standards.
OPC XML-DA - OPC XML Data Access: Standards created by the OPC Foundation for accessing real time data, carried in XML messages, from data acquisition devices such as PLCs.
OPCENUM - OPC ENUMerator: A service for discovering and listing OPC servers.
OPC Unified Architecture - OPC UA: Standard to tie together all existing OPC technology and replace the underlying DCOM protocols in OPC with SOAP based protocols.
PLC - Programmable Logic Controller: A PLC is a small dedicated computer used for controlling industrial machinery and processes.
PCN - Process Control Network: A communications network used to transmit instructions and data to control devices and other industrial equipment.
PROGID - Program Identifier: A string that identifies the manufacturer of an OPC server and the name of the server.
RPC - Remote Procedure Call: A communications protocol for invoking code residing on another computer across a network.
SAP - Systems, Applications and Products: A German company that produces client/server business software.
SCADA - Supervisory Control And Data Acquisition: A system for industrial control consisting of multiple Remote Terminal Units (RTUs), a communications infrastructure, and one or more central host computers.
SID - Security Identifier: A unique name that is used to identify a Microsoft Windows object.
SP - Service Pack: A bundle of software updates.
SPX - Sequenced Packet Exchange: A transport-layer protocol used by Novell Incorporated.
SMB - Server Message Block: A Microsoft network application-level protocol used between nodes on a LAN.
SNMP - Simple Network Management Protocol: A protocol used to manage devices such as routers, switches and hosts.
SOAP - Simple Object Access Protocol: A protocol for exchanging XML-based messages using HTTP.
SSL - Secure Socket Layer: A de facto standard for secure communications created by Netscape Incorporated.
TCP - Transmission Control Protocol: The standard transport level protocol that provides a reliable stream service.
UDP - User Datagram Protocol: Connectionless network transport protocol.
URL - Uniform Resource Locator: The address of a resource on the Internet.
WS-Security - Web Services Security: A communications protocol providing a means for applying security to Web Services.
XML - eXtensible Markup Language: A general-purpose markup language for creating special purpose markup languages that are capable of describing many different kinds of data.