Sunday, December 5, 2010

General Windows Hardening Recommendations for OPC

Since OPC (OLE For Process Control) is deployed on the Windows operating system in over 95% of the cases, the general hardening of OPC hosts using standard Widows based techniques and tools. Five security mechanisms are discussed as below:
1. Ensuring that application patches and operating system are at a currently version level.
2. Configuring the services of minimum running on the host for a typical OPC deployment.
3. User privileges limiting through account management.
4. Network access limiting via the Windows IP Security Policies.
5. The Windows registry protecting.
While none of these mechanisms are revolutionary particularly, the real trick is to secure the host in such a manner that makes it less susceptible to common Windows-based attacks, yet will still allow all OPC applications to function. This is often more difficult than it should be for two reasons. First, some requirements of OPC operations are at odds with good Windows security practices. Second, an OPC number of vendors appear to ignore a number of Windows DCOM requirements and specifications. That said, based on the lab testing of configurations listed, we believe all will allow the correct operation most OPC systems.

Since deployments of OPC can vary widely, it is essential that any of these settings be tested n a non-critical test system before being deployed in a live control system. All techniques discussed are based on standard administrative tools available in the current professional versions of Windows. The specific examples are intended for the Windows 2000/SP4, Windows server 2003/SP1 and Windows XP/SP2 operating systems. These were chosen because the survey results indicate these are the versions of Windows most likely to be used in OPC deployments.

OPC security issues, on of them is a number of the well known worms released in the past few years have specifically targeted underlying DCOM services and RPC for OPC. This has made users and vendors keenly aware of the need to patch applications and operating systems in industrial control systems.


Newer Post Older Post Home

You may also like these ebook:

Get Free PLC eBook directly sent to your email,
and email subscription to

We hate SPAM. Your information is never sold or shared with anyone.

Your Email Will Be 100% Secured !