This presentation decribes what OPC Classic (aka OLE for Process Control) is and why it can be a challenge to secure using traditional firewall technology. It then describes how to use Tofino OPC Enforcer's deep packet inspection technology to easily secure PLC and other control systems.

1. Eric Byres, Chief Technology Officer,
Byres Security Inc.
Tofino OPC Enforcer Technology
Securing OPC Classic Control
Systems

2. Why is OPC Classic So Hard to
Secure?

3. • OPC Classic is the world’s leading technology for
integrating different automation products.
• Formerly known as OLE for Process Control, (where
OLE stood for Object Linking and Embedding)
• Includes all OPC standards that are based on
Microsoft's DCOM Technology (i.e. all but OPC-UA)
• Unfortunately OPC is famous for its poor security…
OPC Classic

4. • Most protocols use Fixed Port Numbers to identify
the application to handle an incoming packet
• Similar to an extension for “accounts payable” on a
company phone system
• Example: Most Modbus TCP slaves use port 502
Typical TCP/IP Protocols
Modbus Slave
PLC
Modbus Master
Operator Station
Modbus Command (Dst Port = 502)
Modbus Reply (Src Port = 502)

5. • OPC Classic dynamically assigns TCP ports to
each executable process serving objects on a server
• Clients discover port associated with an object by
connecting to the server and sending messages like:
“find COM object XXX for me and tell me what port it is on“
OPC Classic (aka OPC DCOM)
OPC
ServerOPC Connection Request (Port 135)
OPC DA Connection (Port 12345)
Server Response: Use Port 12345
OPC DA Data (Port 12345)
OPC
Client

6. 2222 Rockwell-CSP
• Because OPC is free to use any port between 1024
and 65535 it is “IT firewall unfriendly”
• You don’t know in advance what port the server will use
• So you can’t define the firewall rule
• You have to leave all ports open on your firewall
• Configuring your firewall to leave such a wide range
of ports open creates a serious security hole
Until Now - An “Unfirewallable” Protocol
2404 IEC 60870-5-104
5000 Mitsibishi MELSCQNA
5450 PI Data Historian
9100 Omron FINS
And 1000’s more!

7. • DCOM callbacks in OPC are not handled on the
same connection that is used for client/server calls
• Some OPC servers reject the first few connection
attempts after they tell the client to use a specific
port, completely breaking most firewall state
engines!
• All this has made the industry consider OPC
Firewalls virtually impossible
It Gets Worse! OPC/DCOM in the Real World

8. The Tofino OPC Classic Enforcer

9. • Loadable security module that makes the Tofino
Firewall “OPC-aware”
• Uses deep packet inspection technology to manage
OPC traffic behind the scenes
What is the Tofino OPC Classic Enforcer?

10. • Enforcer intercepts connection requests from the
OPC client and checks:
• Is it to an approved server?
• Is it from client approved to talk to that server?
• Is it a properly formed OPC connection request message?
How OPC Enforcer Works
OPC
Server
OPC
Client
OPC Conn Req
Invalid Request
OPC Conn Req

11. • Next Enforcer intercepts connection reply from the
OPC server and checks:
• Is it a properly formed OPC connection reply message?
• Is it to the client that made the request?
• What TCP port is the server telling the client to use?
How OPC Enforcer Works
OPC
Server
OPC
Client
OPC Conn ReplyOPC Conn Reply
It’s a good reply and
Server wants Client to
use TCP port 5555

12. • Enforcer momentarily opens the TCP port it found in
the message, with the following restrictions:
• Only for communications between that client and server
• Only if the client uses the specified port
• Only if proper TCP session occurs within X seconds
How OPC Enforcer Works
OPC
Server
OPC
Client
OPC Data Req
Invalid Client/Port
Data Req (5555)
OPC DataOPC Data

13. • Is not from approved clients and servers
• Tries to use other TCP port numbers
• Tries to “borrow” port numbers from other clients or servers
• Is not well formed RPC connection requests
OPC Enforcer Blocks Dangerous Traffic
OPC
Server
OPC
Client
Invalid Port #
OPC DataOPC Data
Invalid Client
Invalid Server
Malformed Msg

14. • First-ever application of connection tracking
technology to industrial protocols
• Automatically tracks TCP ports assigned by OPC
servers for data connections
• Dynamically opens tracked ports in firewall only
when they are needed
• Tofino ‘Sanity Check’ blocks any OPC requests not
conforming to the DCE/RPC standard
• Supports multiple OPC clients and servers
Why Tofino OPC Enforcer is Unique

15. • Manage all traffic on systems that use OPC DA,
HDA or A&E
• Secure data transfers to and from data historians
and supervisory applications
• Protect safety instrumentation systems
• Combine with Tofino VPN LSM for ultra secure
remote OPC connections
Typical Applications

16. • Simple to use – no changes needed to any OPC
servers or clients
• Just install on the network and configure which
servers and clients you want to communicate
• Works with OPC DA, HDA and A&E standards
• Secures against both accidental and malicious traffic
• Endorsed by the OPC Foundation
Benefits of Tofino OPC Enforcer

17. • Tofino OPC Enforcer LSM
• Available Now
• Requirements:
• Tofino Security Appliance
• Tofino Central Management Platform version 1.6 or better
• Tofino Firewall LSM
• Additional Resources:
• www.tofinosecurity.com/opc
• OPC Foundation Endorsed White Paper, “Securing Your
OPC Classic Control System”
Ordering the Tofino OPC Enforcer