Downloaded from www.PAControl.com
Revision History

Revision | Date | Authors | Details
0.7 | May 15, 2006 | E. Byres, M. Franz | Draft internal review version
1.0 | May 31, 2006 | E. Byres, J. Carter, M. Franz | Draft for controlled public review
1.1 | August 31, 2006 | E. Byres, M. Franz | 2nd Draft for controlled public review
1.2 | February 9, 2007 | E. Byres, D. Peterson | 3rd Draft for controlled public review
1.3 | June 28, 2007 | E. Byres, D. Peterson | 4th Draft for controlled public review
1.3a | August 31, 2007 | E. Byres, D. Peterson | 5th Draft for final DHS review. Includes comments from the DHS Recommended Practices Group
1.3b | September 9, 2007 | E. Byres, D. Peterson | Correction of minor grammatical errors and added figures to Section 3.6
1.3c | November 13, 2007 | E. Byres, D. Peterson | Correction of minor editorial errors
Acknowledgements

The Group for Advanced Information Technology (GAIT) at the British Columbia Institute of Technology (BCIT), Digital Bond, and Byres Research would like to thank all the vendors and end users that generously supported our efforts through numerous interviews and by providing us with documents that could only be described as extremely sensitive. Unfortunately we can not name you for obvious security reasons, but we appreciate your time, trust and encouragement.

Several people stood out in their contributions and advice for this document that we would like to acknowledge. First are Bill Cotter of MSMUG and Chip Lee of ISA - we thank you for all your help in making the user surveys possible. We would also like to thank Ralph Langner for providing the four example scenarios for this report and lots of useful information on OPC vulnerabilities. Finally we would like to thank Evan Hand for his vision and support. Without him, this project never would have been possible.
Disclaimer

Deployment or application of any of the opinions, suggestions or configuration included in this report is the sole responsibility of the reader, and they are offered without warranty of any kind by the authors. Since OPC deployments can vary widely, it is essential that any of the recommendations in this report be tested on a non-critical test system before being deployed in a live control system.
OPC Security WP 3 (Version 1-3c).doc
November 2007
Table of Contents

Executive Summary
1 Introduction
  1.1 The Issues
  1.2 Organization of OPC White Paper Series
  1.3 Study Methodology
  1.4 Limitations of this Study
2 Hardening Strategy for OPC Hosts
3 General Windows Hardening Recommendations
  3.1 Patch Management for OPC Hosts
  3.2 Minimum Required Services
  3.3 Limiting User Privileges
  3.4 Limiting Network Access
    3.4.1 Creating the Filter Lists
    3.4.2 Creating the Block Action
    3.4.3 Creating the Security Policy
    3.4.4 Assigning the Security Policy
  3.5 Protecting the Registry
  3.6 Some Special Considerations for XP Systems
4 OPC/DCOM/RPC Hardening Recommendations
  4.1 OPC Hardening Recommendations
  4.2 DCOM Hardening Recommendations
    4.2.1 Controlling the Authentication Level
    4.2.2 Controlling the Location
    4.2.3 Managing DCOM Permissions
    4.2.4 Limiting RPC Ports and Protocols
    4.2.5 Setting the OPC Application's Account
  4.3 RPC Hardening Recommendations
    4.3.1 Restricting Transport Protocols to TCP
    4.3.2 Restricting TCP Port Ranges
  4.4 More Special Considerations for XP Systems
5 OPC Host Hardening Verification
  5.1 Windows Service and Open Port Determination
  5.2 Windows Event Log Analysis
  5.3 Vulnerability Scanning
    5.3.1 Microsoft Security Baseline Analyzer 2.0
    5.3.2 Nessus Vulnerability Scanner
    5.3.3 Audit Files for Nessus Vulnerability Scanner
6 A Summary of OPC Host Hardening Practises
  6.1 An Action Plan for Hardening OPC Hosts
  6.2 Summary of High Risk Vulnerabilities and Mitigating Good Practices
  6.3 Some Final Thoughts
7 Areas for More Research in OPC Security
  7.1 Firewall and Network Related Solutions for OPC Security
  7.2 OPC Tunnelling Solutions for Security Robustness
  7.3 Network Intrusion Detection/Intrusion Prevention Signatures
  7.4 Enhancements to Network Vulnerability Scanners
  7.5 Research Implementation Vulnerabilities in OPC Components
  7.6 Use of Domain Isolation in Control Environments
Glossary
Executive Summary

In recent years, Supervisory Control and Data Acquisition (SCADA), process control and industrial manufacturing systems have increasingly relied on commercial Information Technologies (IT) such as Ethernet™, Transmission Control Protocol/Internet Protocol (TCP/IP) and Windows® for both critical and non-critical communications. This has made the interfacing of industrial control equipment much easier, but has resulted in significantly less isolation from the outside world, resulting in the increased risk of cyber-based attacks impacting industrial production and human safety.

Nowhere is this benefit/risk combination more pronounced than the widespread adoption of OLE for Process Control (OPC). OPC is increasingly being used to interconnect Human Machine Interface (HMI) workstations, data historians and other hosts on the control network with enterprise databases, Enterprise Resource Planning (ERP) systems and other business oriented software. Unfortunately, securely deploying OPC applications has proven to be a challenge for most engineers and technicians. While OPC is an open protocol with specifications freely available, engineers must wade through a large amount of very detailed information to answer even the most basic OPC security questions.

To address this need for security guidance on OPC deployment, a joint research team with staff from BCIT, Byres Research and Digital Bond was commissioned by Kraft Foods Inc. to investigate current practices for OPC security. The results of this study were then used to create three white papers that:

1. Provide an overview of OPC technology and how it is actually deployed in industry
2. Outline the risks and vulnerabilities incurred in deploying OPC in a control environment
3. Summarize current good practices for securing OPC applications running on Windows-based hosts.

The white paper you are now reading is the last of the three, and outlines how a server or workstation running OPC can be secured in a simple and effective manner. Typically this "hardening" must be conducted in several stages. First the operating system (typically Windows) needs to be "locked down" in such a manner that will make it less susceptible to common O/S-based attacks. This involves five steps which are:

1. Ensuring up-to-date patching of the operating system and applications on the OPC host;
2. Limiting services to the required minimum for OPC;
3. Defining user accounts and privileges;
4. Limiting network access via the Windows Firewall;
5. Protecting the Windows Registry.

Next, the specific OPC components must be hardened using the OPC and DCOM configuration tools found in Windows. Unfortunately, completing this stage successfully is more complex; our testing indicated that there are a number of OPC applications that do not properly follow the DCOM specifications for Windows software. As a result, several of the steps suggested below may cause a malfunction of these OPC applications. Thus we suggest the OPC user consider the seven steps listed below as a menu to choose from rather than a list of unalterable requirements:

1. Controlling the authentication levels for various OPC actions;
2. Controlling the location of various OPC actions;
3. Managing the DCOM Permissions;
4. Limiting protocols used by DCOM/RPC and setting a Static TCP port;
5. Setting appropriate OPC server accounts;
6. Restricting Transport Protocols for RPC;
7. Restricting TCP Port Ranges for RPC.

Of these seven, perhaps the most unusual is step 4, as it gives the end-user the opportunity to address one of the more vexing problems in OPC security, namely the problem of dynamic port allocation. Unfortunately it was also the solution most likely to cause issues with OPC software, since it was apparent that not all vendors of OPC products respect the static setting of port numbers. Thus we also provided step 7 as an alternative method for port restriction, in case step 4 does not work correctly on your OPC software.

Next, the system needs to be tested to ensure these changes still allow all OPC applications to function correctly. Since we found a number of cases where OPC vendors were not respecting DCOM security settings and requirements, this testing is critical before any security settings are deployed on live production systems.

Lastly, verification of the fortifying effort is required to ensure no serious security holes have been left open. This includes the following steps:

1. Windows Service and Open Port Determination
2. Windows Event Log Analysis
3. Vulnerability Scanning

These stages are expanded upon in a detailed Action Plan for Hardening OPC Hosts within this report. Specific examples are also provided for each task. In all, we believe by following these guidelines, the typical controls technician will be able to create a more secure and robust OPC deployment on their plant floor and OPC can continue to grow as a valuable solution in industrial data communications.
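The following is an added example, not taken from the white paper, of how the "open port determination" check can confirm that an RPC port restriction (steps 4 and 7) actually took effect. It parses `netstat -ano` output and reports TCP listeners outside the intended policy; the sample output, the 7000-7100 range, the addresses and the PIDs are all constructed for illustration.

```python
import re

# Constructed sample of `netstat -ano` output from a hypothetical OPC host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7000           0.0.0.0:0              LISTENING       2140
  TCP    0.0.0.0:7003           0.0.0.0:0              LISTENING       2140
  TCP    0.0.0.0:1046           0.0.0.0:0              LISTENING       2140
  TCP    192.168.10.5:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.10.5:7000      192.168.10.20:51122    ESTABLISHED     2140
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:123            *:*                                    1100
"""

# Assumed policy for this example: only the RPC endpoint mapper (135) is a
# fixed listener, and DCOM/RPC has been restricted to ports 7000-7100.
FIXED_PORTS = {135}
RPC_RANGE = (7000, 7100)

# Matches TCP rows in LISTENING state; handles IPv4 and bracketed IPv6.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_text):
    """Return (address, port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            listeners.append(
                (match.group("addr"), int(match.group("port")), int(match.group("pid")))
            )
    return listeners


def audit_listeners(netstat_text, fixed_ports, rpc_range):
    """Classify listeners against the policy.

    in_range       -> (port, pid) pairs inside the restricted RPC range
    unexpected     -> (port, pid) pairs that are neither fixed nor in range
    ignoring_range -> PIDs that listen inside the range AND outside the
                      policy, i.e. a process that only partly honours the
                      port restriction (the failure mode the paper warns of)
    """
    low, high = rpc_range
    in_range, unexpected = set(), set()
    for _addr, port, pid in parse_listeners(netstat_text):
        if port in fixed_ports:
            continue
        if low <= port <= high:
            in_range.add((port, pid))
        else:
            unexpected.add((port, pid))
    range_pids = {pid for _port, pid in in_range}
    ignoring = sorted({pid for _port, pid in unexpected if pid in range_pids})
    return {
        "in_range": sorted(in_range),
        "unexpected": sorted(unexpected),
        "ignoring_range": ignoring,
    }


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_NETSTAT, FIXED_PORTS, RPC_RANGE)
    for port, pid in report["unexpected"]:
        print(f"unexpected listener: tcp/{port} (pid {pid})")
    for pid in report["ignoring_range"]:
        print(f"pid {pid} listens outside the restricted RPC range")
```

In the constructed sample, ports 139 and 445 point back to the "minimum required services" step, while the listener on port 1046 owned by the same process that uses 7000 and 7003 is the sign of an application that does not fully respect the port restriction.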
1 Introduction

This report is the third of three white papers outlining the findings from a study on OPC security conducted by Byres Research, Digital Bond and the British Columbia Institute of Technology (BCIT). The objective of this study was to create a series of simple, authoritative white papers that summarized current good practices for securing OPC client and server applications running on Windows-based hosts. The full study is divided into three Good Practice Guides for Securing OPC as follows:

• OPC Security White Paper #1 – Understanding OPC and How it is Used: An introduction to what OPC is, its basic components and how it is actually deployed in the real world.
• OPC Security White Paper #2 – OPC Exposed: What are the risks and vulnerabilities incurred in deploying OPC in a control environment?
• OPC Security White Paper #3 – Hardening Guidelines for OPC Hosts: How can a server or workstation running OPC be secured in a simple and effective manner?
All three white papers are intended to be read and understood by IT administrators and control systems technicians who have no formal background in either Windows programming or security analysis.
1.1 The Issues

In recent years, Supervisory Control and Data Acquisition (SCADA), process control and industrial manufacturing systems have increasingly relied on commercial information technologies (IT) such as Ethernet™, TCP/IP and Windows® for both critical and non-critical communications. The use of these common protocols and operating systems has made the interfacing of industrial control equipment much easier, but there is now significantly less isolation from the outside world. Unless the controls engineer takes specific steps to secure the control system, network security problems from the Enterprise Network (EN) and the world at large will be passed onto the SCADA and Process Control Network (PCN), putting industrial production and human safety at risk.

The wide-spread adoption of OLE for Process Control (OPC) standards for interfacing systems on both the plant floor and the business network is a classic example of both the benefits and risks of adopting IT technologies in the control world. OPC is an industrial standard based on the Microsoft Distributed Component Object Model (DCOM) interface of the RPC (Remote Procedure Call) service. Due to its vendor-neutral position in the industrial controls market, OPC is being increasingly used to interconnect Human Machine Interface (HMI) workstations, data historians and other servers on the control network with enterprise databases, ERP systems and other business-oriented software. Furthermore, since most vendors support OPC, it is often thought of as one of the few universal protocols in the industrial controls world, adding to its widespread appeal.

Many readers will be aware that the OPC Foundation is developing a new version of OPC (called OPC Unified Architecture or OPC-UA) that is based on protocols other than DCOM¹. This is in conjunction with Microsoft's goal of retiring DCOM in favour of the more secure .NET and service-oriented architectures. Once most OPC applications make this migration from the DCOM-based architecture to a .NET-based architecture, industry will have the opportunity for much better security when it comes to OPC, but also a new set of risks.

Unfortunately, based on our experience in the industry, it may be a number of years before many companies actually convert their systems. So, since DCOM-based OPC is what is on the plant floor today and will continue to see use for years to come, we focused our investigation on how to secure this type of OPC.

Our initial research showed two main areas of security concern for OPC deployments. The first (and most often quoted in the popular press) is that the underlying protocols DCOM and RPC can be very vulnerable to attack. In fact, viruses and worms from the IT world may be increasingly focusing on the underlying RPC/DCOM protocols used by OPC, as noted in this attack trends discussion:

"Over the past few months, the two attack vectors that we saw in volume were against the Windows DCOM (Distributed Component Object Model) interface of the RPC (remote procedure call) service and against the Windows LSASS (Local Security Authority Subsystem Service). These seem to be the current favorites for virus and worm writers, and we expect this trend to continue."²

At the same time, news of the vulnerabilities in OPC is starting to reach the mainstream press, as seen in the March 2007 eWeek article entitled "Hole Found in Protocol Handling Vital National Infrastructure"³. Thus, the use of OPC connectivity in control systems and servers leads to the possibility of DCOM-based protocol attacks disrupting control systems operations.

¹ See Whitepaper #1, Section 5.7: OPC Unified Architecture for more information on OPC-UA.
² Bruce Schneier, "Attack Trends", QUEUE Magazine, Association of Computing Machinery, June 2005
³ Lisa Vaas, "Hole Found in Protocol Handling Vital National Infrastructure", eWeek, http://www.eweek.com/article2/0,1759,2107265,00.asp, March 23, 2007
Despite these concerns, it is our belief that the most serious issue for OPC is that configuring OPC applications securely has proven to be a major challenge for most engineers and technicians. Even though OPC is an open protocol with the specifications freely available, users must wade through a large amount of very detailed information to answer even basic security questions. There is little direct guidance on securing OPC, and our research indicates that much of what is available may actually be ineffective or misguided.

All things considered, there is little doubt that some clear advice would be very useful for the control engineer on how best to secure currently deployed, COM/DCOM-based OPC systems. This series of white papers aims to help fill that gap for the end-user.
1.2 Organization of OPC White Paper Series

As noted earlier, this is the third of three white papers outlining the findings and recommendations from a study on OPC security. In White Paper #1 we reviewed the OPC specifications, focusing on details that are relevant from a security point of view and might be useful to users wishing to understand the risks of OPC deployments. We then described the real-world operation of OPC applications, identifying components that need to be understood to harden hosts running OPC client and server applications.

In White Paper #2 we defined a set of vulnerabilities and possible threats to OPC hosts, based on OPC's current architecture (i.e. the use of DCOM). We also looked at common misconfiguration vulnerabilities found in OPC server or client computers, both at the operating system and OPC application level. Finally, since the typical OPC host configuration is strongly influenced by the guidance provided by the software vendor, we looked at the quality of configuration utilities and guidance provided to end-users by the OPC vendor community.

In White Paper #3, we use this information to give the OPC end-user a series of practical recommendations they can draw upon to secure their OPC host machines.
1.3 Study Methodology

Developing the findings and recommendations for all three of the white papers required the following four-phase approach to the study:

1. Data Gathering
  • Conducting user surveys and collecting information on OPC deployments in order to get a representative sample of how actual OPC deployments were configured in the field by our target audience.
  • Reviewing OPC Foundation and vendor configuration guidelines.
  • Conducting a literature search for OPC-related papers and guidelines.

2. Ascertaining potential threats and vulnerabilities in OPC systems
  • Identifying what operating system configuration issues exist in typical OPC deployments.
  • Identifying what OPC, RPC and DCOM issues exist in typical OPC deployments.

3. Creating recommendations for mitigating potential threats and vulnerabilities
  • Determining what could be done to secure the underlying operating system without impacting the OPC functionality.
  • Determining what could be done to secure RPC/DCOM components in an OPC host.
  • Determining OPC-specific client and server security configurations.

4. Testing the security recommendations
  • Lab testing all recommendations in a typical OPC environment and modifying our recommendations accordingly.
1.4 Limitations of this Study

It is important to understand that this report is not intended to be a formal security analysis of OPC or DCOM, but instead is a set of observations and practices that will help end-users secure their OPC systems. As well, this report is focused only on securing the host computers that are running OPC. Securing the network OPC operates over is an interesting and important area of research, but is beyond the scope of this report. A follow-on study is planned to investigate these network security aspects and consider solutions for OPC/DCOM in the network infrastructure, including firewall rule-sets and analysis of third party OPC tunnelling solutions.

It is also important to understand that this document details nearly every security measure that could be used to harden OPC installations. In order to determine which of the mentioned countermeasures and strategies are feasible and advisable for a specific OPC deployment, a risk assessment should be conducted first. In addition, the industrial environment should be checked to ensure all design elements will function flawlessly with the proposed security countermeasures. Some suggested countermeasures will not work with -- or are not advisable for -- every OPC installation.

Finally, we cannot guarantee that following our recommendations will result in a completely secure configuration. Nor can we guarantee these recommendations will work in all situations; some modifications may be required for individual OPC client and server applications or Microsoft Windows network deployments. However, we are confident that using these guidelines will result in more secure systems as compared to the typical default application and operating system settings we have seen in our investigations.
2 Hardening Strategy for OPC Hosts

Building on the material from the previous white papers, this report attempts to detail all security measures and good practices that could be used to harden OPC hosts[4]. We suggest the OPC user consider the mitigations listed in this report as a menu to choose from rather than a list of unalterable requirements.

Typically this “hardening” should be conducted in four stages. First, the Windows platform itself needs to be “locked down” to make it less susceptible to common Windows-based attacks, yet still allow OPC applications to function. Then the specific OPC components need to be hardened using the OPC configuration tools found in the Windows operating system. Next the system needs to be tested to ensure these changes still allow all OPC applications to function correctly. We found a number of cases where OPC vendors do not respect DCOM security settings and requirements, so the test stage is critical before any security settings are deployed on live production systems. Lastly, verification of the fortifying effort is required to confirm no serious security holes have been left open.

For the most part these configuration guidelines will apply to both clients and server hosts. The callback mechanism used by OPC essentially turns the OPC client into a DCOM server and the OPC server into a DCOM client. In our examples we focus on OPC servers, but to take full advantage of these recommendations they should be followed on all nodes that contain either OPC servers or OPC clients. Several sections discuss clients specifically.

It is also important to note the examples shown below are primarily based on hosts running Windows XP/SP2 or Windows Server 2003/SP1 (or later). Earlier versions of Windows can still take advantage of many (but not all) of these suggestions, but will be considerably more difficult to configure. Thus if at all possible, a first step should be to upgrade any OPC host platforms to these newer operating system versions.

Finally, these examples were performed and lab tested in a workgroup setting; as a result, slight modifications may be required in domain-based environments. In real-life industrial settings domains may be beneficial as they provide the ability to apply these recommendations uniformly across a group of hosts via group policy. In workgroup environments all recommendations will have to be deployed individually on the host machines, increasing the administrative effort and the chance for error. In addition, we are aware of some possible domain specific security features that can be added, but these were beyond the scope of this report and are not discussed in this document.

[4] Please note that this report only focuses on OPC host security and does not attempt to detail good practices for securing the network components (such as firewalls) for OPC traffic. We hope to offer this information in a fourth white paper in 2008. In the meantime, interested readers should consider the Microsoft Technical Article “Using Distributed COM with Firewalls” by Michael Nelson at http://msdn2.microsoft.com/en-us/library/ms809327.aspx
3 General Windows Hardening Recommendations

Since OPC is deployed on the Windows operating system in over 95% of the cases, this section discusses the general hardening of OPC hosts using standard Windows-based tools and techniques. Five security mechanisms are discussed:

1. Ensuring that operating system and application patches are at a current version level;
2. Configuring the minimum services running on the host for a typical OPC deployment;
3. Limiting of user privileges through account management;
4. Limiting network access via the Windows IP Security Policies;
5. Protecting the Windows registry.

While none of these mechanisms are particularly revolutionary, the real trick is to secure the host in such a manner that makes it less susceptible to common Windows-based attacks, yet will still allow all OPC applications to function. This is often more difficult than it should be for two reasons. First, some requirements for OPC operation are at odds with good Windows security practices. Second, a number of OPC vendors appear to ignore a number of Windows DCOM specifications and requirements. That said, based on our lab testing of configurations listed in this section, we believe all will allow the correct operation of most OPC systems.

Since OPC deployments can vary widely, it is essential that any of these settings be tested on a non-critical test system before being deployed in a live control system.

All techniques discussed in this section are based on standard administrative tools available in the current “professional” versions of Windows[5]. Thus the specific examples illustrated below are intended for the Windows 2000/SP4, Windows Server 2003/SP1 and Windows XP/SP2 operating systems. These were chosen, since the survey results noted in White Paper #1 indicate these are the versions of Windows most likely to be used in OPC deployments.

3.1 Patch Management for OPC Hosts

As we noted in the introduction to this report, and expanded on in White Paper #2, poor patching of OPC hosts is a significant contributing factor for OPC security issues. A number of the well-known worms (such as MSBlaster) released in the past few years have specifically targeted the underlying RPC and DCOM services for OPC. This has made users and vendors keenly aware of the need to patch operating systems and applications in industrial control systems.

Unfortunately, the difficulty with patch management is one cannot automatically deploy new patches into the process control environment without risking disruption of operations. Thus careful policy and practice is required that balances the need for system reliability with the need for system security.

Based on our survey, it appears many users and vendors have developed effective patching procedures for PCs used in their control systems. For those readers who do not currently have a good patch management process in place, we suggest contacting your control system vendor or referencing the GAO report “Information Security: Agencies Face Challenges in Implementing Effective Software Patch Management Processes”[6], and the Edison Electric Institute’s “Patch management Strategies for the Electric Sector”[7]. Both provide excellent guidance for patch management in critical systems.

[5] The Windows Vista operating system was not tested as it was unavailable at the time the lab testing was performed.
3.2 Minimum Required Services

In order to make Windows hosts more secure, it is critical that all unnecessary services be disabled. Based on lab testing, the following are the minimum set of Windows 2000[8], Windows Server 2003 and Windows XP[9] services that are typically required on stand-alone OPC clients and servers. The name in brackets following the service name is the recommended Startup Type:

• COM+ Event System (Automatic)
• COM+ System Application (Automatic) (Required by XP)
• DNS Client (Automatic)
• Event Log (Automatic)
• IPSEC Services (Automatic)
• Net Logon (Manual)
• NTLM Security Support Provider (Automatic)
• Plug and Play (Automatic)
• Protected Storage (Automatic)
• Remote Procedure Call (RPC) (Automatic)
• Security Accounts Manager (Automatic)
• Security Center (Automatic) (Required by XP)
• Server (Automatic)

[6] “Information Security: Agencies Face Challenges in Implementing Effective Software Patch Management Processes”, GAO Report GAO-04-816T, US General Accounting Office, June 02, 2004
[7] “Patch management Strategies for the Electric Sector”, White Paper, Edison Electric Institute – IT Security Working Group, March 2004
[8] http://labmice.techtarget.com/articles/win2000services.htm
[9] http://www.sysinternals.com/blog/2005/07/running-windows-with-no-services.html
As well, some OPC applications require additional services to be enabled to remain functional. For example, if the OPC application does not use the OPCEnum component (and thus needs to remotely browse the registry[10]) the following services are also required:

• Computer Browser (Automatic)
• Remote Registry (Automatic)

While not strictly a service, File and Printer Sharing should be disabled. This is done via the network connections panel.

Again, since OPC deployments can widely vary, it is essential that the effects of disabling any service be tested on a non-critical offline system before being deployed in a live control system.
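An added example (not part of the original report) that compares a host's service inventory against the minimum set listed in Section 3.2, including the two registry-browsing services that are only needed without OPCEnum. The inventory is constructed, the function names are hypothetical, and treating the two “Required by XP” services as tolerated on other Windows versions is an assumption.

```python
import csv
import io

# Minimum service set and recommended Startup Type, as listed in Section 3.2.
BASELINE = {
    "COM+ Event System": "Automatic",
    "COM+ System Application": "Automatic",
    "DNS Client": "Automatic",
    "Event Log": "Automatic",
    "IPSEC Services": "Automatic",
    "Net Logon": "Manual",
    "NTLM Security Support Provider": "Automatic",
    "Plug and Play": "Automatic",
    "Protected Storage": "Automatic",
    "Remote Procedure Call (RPC)": "Automatic",
    "Security Accounts Manager": "Automatic",
    "Security Center": "Automatic",
    "Server": "Automatic",
}
# Entries the report marks "(Required by XP)".
XP_ONLY = {"COM+ System Application", "Security Center"}
# Needed only when the application browses the registry instead of using OPCEnum.
REGISTRY_BROWSING = {"Computer Browser": "Automatic", "Remote Registry": "Automatic"}

# Constructed inventory (service display name, startup type), for illustration only.
SAMPLE_INVENTORY = """\
name,startup
COM+ Event System,Automatic
COM+ System Application,Manual
DNS Client,Automatic
Event Log,Automatic
Net Logon,Automatic
NTLM Security Support Provider,Automatic
Plug and Play,Automatic
Protected Storage,Automatic
Remote Procedure Call (RPC),Automatic
Security Accounts Manager,Automatic
Security Center,Automatic
Server,Automatic
Computer Browser,Automatic
Remote Registry,Automatic
Telnet,Manual
Messenger,Disabled
"""


def expected_services(is_xp, uses_opcenum):
    """Return the service -> Startup Type map that applies to this host."""
    expected = {n: s for n, s in BASELINE.items() if is_xp or n not in XP_ONLY}
    if not uses_opcenum:
        expected.update(REGISTRY_BROWSING)
    return expected


def audit(inventory_csv, is_xp=True, uses_opcenum=True):
    """Return {service: finding} for every deviation from the minimum set."""
    expected = expected_services(is_xp, uses_opcenum)
    # Assumption: on non-XP hosts the XP-marked services are tolerated, not required.
    tolerated = set() if is_xp else XP_ONLY
    found = {row["name"].strip(): row["startup"].strip()
             for row in csv.DictReader(io.StringIO(inventory_csv))}
    findings = {}
    for name, startup in expected.items():
        if name not in found:
            findings[name] = "missing"
        elif found[name] != startup:
            findings[name] = f"startup is {found[name]}, recommended {startup}"
    for name, startup in found.items():
        # Anything outside the minimum set should be Disabled.
        if name not in expected and name not in tolerated and startup != "Disabled":
            findings[name] = f"not in minimum set but {startup}"
    return findings


if __name__ == "__main__":
    for service, finding in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{service}: {finding}")
```
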
3.3 Limiting User Privileges

In most control environments, the day-to-day operation of OPC-based applications does not require a highly privileged account. On the other hand, the configuration of OPC applications often does. Unfortunately, in many systems we see the highly privileged account settings being the norm, exposing the system to numerous security issues.

To address this, we recommend OPC administrators create two accounts, one for day-to-day operations and one for configuration.[11] Configure these accounts as follows:

• Create an account (e.g. opcuser) and set it to be a low privilege account - This will be used for the normal execution of OPC client and server applications. When the opcuser account is created it should be added as a member of the Users group.
• Create an account (e.g. opcadmin) and set it to be a high privilege account - This account will only be used for infrequent configuration changes and for the initial installation of the OPC software. When the opcadmin user is created it should be added as a member of the Administrators group. It is often simplest to rename[12] the existing administrator account to opcadmin.

Finally the Guest account should be disabled and robust passwords (a mix of letters, numbers and special characters and not found in a dictionary) should be used for all accounts.

[10] Remotely browsing the registry is no longer a recommended practice by the OPC Foundation. However some older applications may still require remote browsing to function correctly.
[11] http://www.opcconnect.com/dcomcnfg.php
3.4 Limiting Network Access

In most control environments there is little reason to allow every device on the control network to communicate to OPC hosts. Typically there are only a small number of machines communicating using OPC. Because of this, it makes good security sense that network access should only be allowed between these few trusted machines. Windows 2000, Server 2003 and XP contain host-based firewall capabilities that can use IP filters and a security policy to restrict network traffic to OPC hosts.

Our recommendation is to add a simple host-based firewall rule allowing traffic only to or from the IP addresses of other trusted OPC hosts. While this might seem to be simple, we discovered that in practice, setting up such a rule can be very cumbersome using the firewall configuration wizards available in Windows 2000, Server 2003 and XP. Thus these firewall wizards are not used and the following four-step process is recommended instead.

It is worth noting there are other technologies for controlling access between hosts that can be even more robust. For example, Microsoft’s Domain Isolation model[13] is far more secure. However due to its complexity, detailed directions for configuring it are beyond the scope of this report - it may be covered in subsequent reports.

3.4.1 Creating the Filter Lists

Two filter lists are required to properly secure a host. The first list matches all traffic coming to and from trusted machines. The second list matches all other traffic. In the examples below there is only one trusted machine, but this could easily be expanded.

First, launch the Control Panel/Administrative Tools/Local Security Policy application. Next, while making sure the “IP Security Policies on Local Computer” icon is selected, select “Manage IP filter lists and filter actions” under the Actions menu. Now select the Manage IP Filter Lists tab and add the filter lists. Figure 3-1 shows what to expect while the filter list for traffic between trusted machines is being created. The filter list that matches all other traffic is the same except no destination IP address is specified.

[12] NOTE: For simplicity in this report we refer to user accounts rather than account groups. However a better alternative is creating an opcadmin group rather than just adding an opcadmin user. Then within the opcadmin group an account can be made for everyone who should have administrative privileges to the OPC server. This will provide change management accountability for the OPC host. The same applies to creating an opcuser group rather than a single opcuser account that multiple users access. For more information on account groups in domain environments see: http://www.microsoft.com/technet/security/guidance/networksecurity/sec_ad_admin_groups.mspx
[13] http://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx
Figure 3-1: Creating the Filter Lists

Two configuration settings are rather subtle; “Mirrored” should be selected and Protocol should be ANY. Mirrored refers to matching traffic between trusted machines in both directions. ANY refers to allowing any protocol running on top of IP for trusted machines. It is possible the protocol could be narrowed down to only TCP, but care is needed to ensure that this doesn’t impact other critical services you may require.
3.4.2 Creating the Block Action

Once the lists are created, actions for these lists are needed. In this case two actions are required. The first is Permit, and it exists by default. The other is Block and it needs to be created. If a filter list has an action of Block, then all traffic that matches the filter list gets dropped.

Using the Local Security Settings Tool, under the Actions menu item, select “Manage IP filter lists and filter actions”. Now select the Manage Filter Actions tab to create the Block action. Figure 3-2 illustrates the action being created.

Figure 3-2: Creating the Block Action

3.4.3 Creating the Security Policy

After the Filter Lists and Block Action have been created, it is time to glue them into a security policy and apply them to all of the network interfaces. Select IP Security Policies on Local and then under the Actions menu item of the Local Security Settings Tool, select “Create IP Security Policy”. Give the policy a meaningful name (such as OPC Hosts Policy), deactivate the default response rule and add filter lists and actions. Set action to Permit for traffic between trusted machines and Block otherwise.
Unfortunately this step is not quite as easy as it could be because these policies have Internet Protocol Security (IPsec) features that need to be addressed. To use our lists and actions to simply filter IP traffic, do not select the default dynamic filter list, ignore the Authentication field, set Tunnel Setting to None and Connection Type to All. Figure 3-3 shows what to expect while the policy is being created.

Figure 3-3: Creating the Security Policy

3.4.4 Assigning the Security Policy

The last step is to assign the policy. Simply right click on the policy and select assign. Figure 3-4 shows what to expect while the policy is being assigned.

Once these four steps are complete, a rule that only allows traffic to or from the IP address of trusted OPC hosts should be in place.

Again, since OPC deployments can widely vary, it is essential that the effect of these rules be tested on a non-critical offline system before being deployed in a live control system.
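The filtering logic that the four steps of Section 3.4 configure, modelled in Python as an added example (not code from the original report); it shows what the “Mirrored” setting from Section 3.4.1 changes. The addresses are constructed, the names are hypothetical, and the model assumes the most specific matching filter decides and ignores the IPsec default exemptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY_ADDRESS = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Filter:
    """One entry of an IP filter list."""
    src: IPv4Network
    dst: IPv4Network
    mirrored: bool = True     # also match the same traffic with src/dst swapped
    protocol: str = "ANY"     # ANY = every protocol running on top of IP

    def matches(self, src, dst, protocol):
        if self.protocol != "ANY" and self.protocol != protocol:
            return False
        s, d = ip_address(src), ip_address(dst)
        forward = s in self.src and d in self.dst
        reverse = self.mirrored and s in self.dst and d in self.src
        return forward or reverse

    def specificity(self):
        # Longer prefixes and a named protocol make a filter more specific.
        return self.src.prefixlen + self.dst.prefixlen + (self.protocol != "ANY")


def build_policy(my_ip, trusted_ips, mirrored=True):
    """Two filter lists as in 3.4.1: trusted hosts -> Permit, all other -> Block."""
    me = ip_network(my_ip)    # a bare address becomes a /32 network
    rules = [(Filter(me, ip_network(t), mirrored), "Permit") for t in trusted_ips]
    # "All other traffic": same filter with no destination address specified.
    rules.append((Filter(me, ANY_ADDRESS, True), "Block"))
    return rules


def decide(rules, src, dst, protocol="TCP"):
    """Return the action of the most specific filter that matches the packet."""
    hits = [(flt.specificity(), action) for flt, action in rules
            if flt.matches(src, dst, protocol)]
    if not hits:
        return "No filter"
    return max(hits, key=lambda hit: hit[0])[1]


def evaluate(rules, flows):
    return [decide(rules, src, dst, proto) for src, dst, proto in flows]


# Constructed addresses: this OPC host, one trusted OPC peer, one other device.
HOST, TRUSTED, OTHER = "192.168.10.20", "192.168.10.30", "192.168.10.99"
SAMPLE_FLOWS = [
    (HOST, TRUSTED, "TCP"),   # host to trusted peer
    (TRUSTED, HOST, "TCP"),   # trusted peer to host (OPC callback, replies)
    (OTHER, HOST, "TCP"),     # untrusted device to host
    (HOST, OTHER, "UDP"),     # host to untrusted device
]

if __name__ == "__main__":
    for label, mirrored in (("mirrored", True), ("not mirrored", False)):
        policy = build_policy(HOST, [TRUSTED], mirrored)
        print(label, evaluate(policy, SAMPLE_FLOWS))
```

With the trusted filter left unmirrored, traffic arriving from the trusted peer falls through to the Block list, which is the failure the “Mirrored” setting prevents.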
3.5 Protecting the Registry

The registry is the central repository for configuration data in Windows. In order to protect the registry as much as possible, regular users should not be given “Administrator” rights, and “Remote Registry Editing” should be disabled from the “Services” panel of “Administrative Tools” on “Control Panel”. Note that restricting the ability to change values in the registry is not the same as restricting read access. Read access is needed only for systems that do not use OPCEnum for server browsing. If you have newer versions of OPC applications, there should be little need for registry browsing.
Figure 3-4: Assigning the Security Policy

When changing these settings there are several important tips that should be considered:

• Never change SYSTEM permissions from Full Control in the Registry. Any changes to this permission will cause your system to fail upon reboot.
• Consider removing permissions for the Power Users group if that group is not in use and replace all permissions for Users and Everyone group with Authenticated Users.
Figure 3-5: Remote Registry Service

3.6 Some Special Considerations for XP Systems

After all this setup, you may find that remote access using the opcuser and opcadmin does not work on your XP-based server. The reason is that for all out-of-the-box installations of XP in workgroup architectures, the system authenticates all remote users as "guest" regardless of the account name. The trick is to tell XP to use the "classic" authentication as shown in the screenshot below. To access this setting launch the Control Panel/Administrative Tools/Local Security Policy application. Next, select Local Policies/Security Options and scroll down until you see the item Network Access: Sharing and security model for local accounts. Right click and you can access the Properties option.

If you configure this policy setting to Classic, network logons that use local account credentials authenticate with those credentials. This Classic model provides precise control over access to resources, and allows you to grant different types of access to different users for the same resource, which is exactly what is needed for OPC. Conversely, the Guest-only model treats all users equally as the Guest user account, and all receive the same level of access to a given resource, which can be either Read Only or Modify. This clearly doesn’t work for the OPC security model we are proposing.
Figure 3-6: Setting the XP Remote Access to “Classic”

Note that this policy setting does not affect network logons that use domain accounts. The default for Windows XP computers that are joined to a domain and Windows Server 2003 computers is Classic. This setting also has no effect on Windows 2000 or Server 2003 computers.
4 OPC/DCOM/RPC Hardening Recommendations

Once the underlying Windows system is secure, it is time to address the security of the OPC applications. This involves carefully setting up user accounts, putting in restrictions for DCOM objects and restricting RPC behavior. The configuration required is discussed below in three parts; OPC Hardening, DCOM Hardening and RPC Hardening.

It is important to note that this section is focused on guidance for the Windows Server 2003/SP1 and Windows XP/SP2 operating systems. Microsoft added a number of significant DCOM security enhancements to these versions[14] and the recommendations in this section are designed to take advantage of these improvements. Users of older operating system versions can still follow many of the guidelines below, but upgrading to the newer versions is highly recommended.

Since OPC deployments can vary widely, it is essential that any of these recommendations be tested on a non-critical test system before being deployed in a live control system.

The recommendations in this section require considerable care and off-line testing before they are deployed in critical systems. Our tests showed there are a number of OPC applications that do not properly follow the DCOM specifications for Windows software. For example, using the DCOM controls to set a static TCP port for an OPC application (as noted in Section 4.2.4) caused issues with the OPC software from a number of vendors. In response, we provided Section 4.3.2 Restricting TCP Port Ranges for RPC, as an alternative method for port restriction.

Thus the OPC user should consider the suggestions listed in this section as a menu of security options to choose from, rather than a list of unalterable requirements.

4.1 OPC Hardening Recommendations

By utilizing separate opcuser and opcadmin accounts or groups as suggested in Section 3.3, we can limit the security exposure by restricting what actions the OPC server and authenticated users can perform. We recommend the opcadmin account be used only when installing the OPC server or client software and making configuration changes, since this account can both launch and access OPC servers. Even then, the opcadmin account should be limited to a specific list of OPC servers or clients. For the actual running of the server the opcuser account (or opcuser group account) should be used. As defined below, opcuser cannot launch an OPC server, but can access a running server.

Finally we suggest only running the OPCEnum service[15] when it is necessary to browse the OPC servers. When OPCEnum is run, limit its access to the opcuser and opcadmin accounts. Left in its wide open state, OPCEnum can present a considerable security risk and typically other users do not need to access it.

[14] http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx

4.2 DCOM Hardening Recommendations

There are two main goals for successful DCOM hardening. First, we need to only give as much permission as is required for users per DCOM object. For example, if a computer is running three OPC servers, but only one needs to be accessed remotely, only allow remote access to that one server.[16] Similarly, if all OPC servers and clients are on a single host, then disable remote access and allow only local access.

Second, we need to use the different level user accounts created earlier for Launch and Access permissions. Again we suggest opcadmin be the only user account used to launch or configure OPC servers and should have the servers it can configure restricted. The opcuser account can be used by users who need only to connect and access running OPC servers.[17]

To achieve these two goals we use the DCOM Configuration Tool that is found under Control Panel/Administrative Tools/Component Services[18] shown in Figure 4-1. It can also be accessed by starting dcomcnfg.exe from the Run… option in the Start Menu.

Figure 4-1: Component Services (DCOM) Configuration Tool

Once there, open up “Component Services”. Within it, ignore COM+ Applications for now, and proceed to “Computers”. Click on Computers to get the screen shown in Figure 4-2.

[15] http://www.sentech.co.nz/ScenicHelp/dcomsecurity.htm
[16] http://www.opcactivex.com/Support/DCOM_Config/dcom_config.html
[17] http://itcofe.web.cern.ch/itcofe/Services/OPC/GettingStarted/DCOM/RelatedDocuments/ITCODCOMSettings.pdf
[18] http://www.gefanucautomation.com/opchub/opcdcom.asp
Figure 4-2: DCOM Configuration Screen

Open “My Computer”, open the “DCOM Config”, and see what DCOM objects can be configured. Figure 4-3 shows the DSxP Opc Server Simulator which is the server used for this example. On the plant floor you are likely to see the OPC servers you are using, but you may have to dig around for them.

Figure 4-3: The Configuration Properties for an OPC Server
4.2.1 Controlling the Authentication Level

The first change to make is the Authentication Level of the OPC server as shown in Figure 4-4. These Authentication levels are defined as follows:

• Default - May vary depending upon operating system. Usually it is effectively “None” or “Connect”.
• None - No authentication.
• Connect - Authentication occurs when a connection is made to the server. Connectionless protocols, like UDP, do not use this.
• Call - The authentication occurs when a RPC call is accepted by the server. Connectionless protocols, like UDP, do not use this.
• Packet - Authenticates the data on a per-packet basis. All data is authenticated.
• Packet Integrity - This authenticates the data that has come from the client, and checks that the data has not been modified.
• Packet Privacy - In addition to the checks made by the other authentication methods, this authentication level causes the data to be encrypted.

Figure 4-4: General Configuration Tab for an OPC Server
Select the OPC server and, in the General Tab, change authentication to “Packet Integrity”. The “Packet Privacy” option can be used if data confidentiality is required since it encrypts all traffic and is the most secure option. However it is important to test this offline first as the encryption may impact performance.

4.2.2 Controlling the Location

The “Location” tab lets you configure where the DCOM server can run. Here only the local computer is specified which is the typical situation in most environments. Figure 4-5 illustrates this.

Figure 4-5: Location Configuration Tab for an OPC Server

4.2.3 Managing DCOM Permissions

From here we move to the “Security” tab which allows you to configure the permissions for the different accounts. COM server applications have three types of permissions, namely Launch permissions, Access permissions and Configuration permissions. Configuration permissions control configuration changes to a DCOM server, while Launch permissions control the authorization to start a DCOM server if the server is not already running. Finally Access permissions control authorization to call a running COM server, and are the least dangerous. These permissions can be further divided into Local and Remote permissions.
Figure 4-6: Security Configuration Tab for an OPC Server

These permissions control what user accounts can execute which action on an OPC server. For all three options choose Customize, then Edit and adjust the accounts as follows:

• Launch Permissions - Remove all existing entries and add the opcadmin account created earlier. If a particular OPC server is meant only to be used locally, then remote access to that server can also be disabled.
• Access Permissions - Remove all existing entries and add the opcadmin and opcuser accounts. Again, if a particular OPC server is meant only to be used locally, then remote access to that server can also be disabled.
• Configuration Permissions - Remove all existing entries other than the Everyone account. Modify Everyone to be read-only, and add opcadmin with full control.

These settings are shown in Figure 4-7. As noted above, if the server or client is only to be used locally (i.e. the clients and servers are all on the same machine) then Remote should be turned off.
Figure 4-7: Launch, Access, and Configuration Permission Tabs for an OPC Server

4.2.4 Limiting RPC Ports and Protocols

The “Endpoints” tab allows you to select what protocols and ports can be used by this server and is shown in Figure 4-8. This tab gives us the possibility to address one of the more vexing problems in OPC security, namely the problem of dynamic port allocation. Most other TCP server applications use fixed port numbers to identify all incoming packets. For example, MODBUS/TCP uses port 502 and HTTP uses port 80. This consistency makes firewall rule creation relatively simple – if you want to block all MODBUS traffic through the firewall, simply define a rule that blocks all packets containing 502 in the destination port field.
Figure 4-8: Endpoints Configuration Tab for an OPC Server

The default setup for DCOM (and RPC) complicates the situation by allowing the OPC server to dynamically pick its own port numbers. The reason is that while only one web server will typically exist on a given host, there can be multiple DCOM servers on the same device and each needs its own port number. It is certainly possible to have an administrator manually set these port numbers for each server, but early design decisions dictated this might not be an ideal solution, so dynamic allocation became the default.

Today, with security becoming a priority over administrative simplicity, it is worth considering the option of statically setting these ports for each OPC server. Of course it is critical to make sure two OPC servers on the same host do not get set up using the same port number.

Unfortunately not all vendors of OPC products respect the static setting of port numbers, so this technique must be tested carefully. Matrikon and NETxEIB OPC software products worked well with static ports, but several other products did not. Undocumented registry changes did get static setting of port numbers working on a few other vendors’ products, but this was very complex. Thus it is important to check with your OPC vendor before trying this technique on a live system. If they do not support setting of static endpoints, we offer an alternative mitigation in Section 4.3.2 - Restricting TCP Port Ranges.

If you want to use static port numbers for OPC traffic and your vendor supports them, select “Add” on the “Endpoints” tab and the screen in Figure 4-9 should appear. Then set the Protocol Sequence to “Connection-Oriented TCP/IP” and enter a port value for the static endpoint. Be certain this port number is not used by any other application in the host. In this example we have configured the host so the OPC server application will use TCP port 7000.
Figure 4-9: Security Configuration Tab for an OPC Server

4.2.5 Setting the OPC Application’s Account

Finally, the “Identity” tab lets you configure what user account the DCOM application will run under. As shown in Figure 4-10, the OPC software should be set to run as the opcuser account.

4.3 RPC Hardening Recommendations

4.3.1 Restricting Transport Protocols to TCP

To make the Remote Procedure Call (RPC) mechanism more secure, it makes sense to restrict the available transport level protocols and to limit the range of potential transport protocol ports. Forcing OPC clients and servers to use only TCP (rather than UDP) will allow intervening firewalls to statefully police TCP streams that carry DCOM traffic. Hence, it is recommended to only list TCP in the list of available DCOM protocols. To do this, edit the “HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\DCOM Protocols” registry entry so that it only contains the item “ncacn_ip_tcp”.
Figure 4-10: Identity Configuration Tab for an OPC Server

4.3.2 Restricting TCP Port Ranges

As an alternative to defining a static port for the OPC servers, one can make changes to the Windows registry that will limit the range of potential RPC ports used by an OPC server and allow simpler firewall rules. For example, administrators can define a small range of ports for RPC to use on the OPC host. This involves making registry changes and rebooting. To change the registry, create an Internet key under the following location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\
Figure 4-11: Creating a New Registry Key
Next create the following entries in this location:

• Ports (type REG_MULTI_SZ)
• PortsInternetAvailable (type REG_SZ)
• UseInternetPorts (type REG_SZ)

The value for Ports should be the desired port range you want to use for OPC servers. For example, you could allocate 100 ports by entering “7000-7100” in Ports. We recommend you use a range of ports above port 5000 since port numbers below 5000 may already be in use by other applications. Furthermore, previous experience shows a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.

The value of PortsInternetAvailable should be set to “Y” for the Ports range to be noted. The value of UseInternetPorts should also be set to “Y” for the Ports range to be noted. It is important to remember this will affect all RPC services and not just OPC applications so check with your vendor before trying this.

Figure 4-12: Adding the Registry Values
Also note that since OPC uses callbacks, you must use TCP for communications through a firewall if you want this mitigation to work. The reason for this is when the server makes a call to the client, the source port will not be within the range specified above and thus when the client sends a reply to the server's source port, it will not be able to penetrate the firewall. This is not a problem with TCP because most firewalls keep track of TCP connections and permit bidirectional traffic on connections, regardless of the source port, as long as they are opened from a machine on the inside. For guidance on forcing OPC to use TCP, see Section 4.3.1 Restricting Transport Protocols to TCP.
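The registry settings from Sections 4.3.1 and 4.3.2 can be checked after the fact from an exported copy of the Rpc key. The following Python code is an added example, not part of the original white paper: it decodes the REG_MULTI_SZ values in already-decoded .reg export text and reports deviations from the recommendations above. The sample export is constructed for illustration, and the function names and thresholds (`min_ports`, `floor`) are assumptions that mirror the figures given in the text.

```python
import re

# Constructed sample: .reg export of HKLM\Software\Microsoft\Rpc from a host
# configured as in Sections 4.3.1 and 4.3.2 (not taken from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"DCOM Protocols"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,\
  74,00,63,00,70,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):37,00,30,00,30,00,30,00,2d,00,37,00,31,00,30,00,30,00,00,00,\
  00,00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"
'''

RPC_KEY = r"hkey_local_machine\software\microsoft\rpc"


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: str or list of str}}.

    Key paths and value names are lower-cased because the registry treats
    them case-insensitively. Only REG_SZ and REG_MULTI_SZ are decoded.
    """
    text = re.sub(r"\\\r?\n\s*", "", text)  # join wrapped hex data lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = re.match(r'"([^"]+)"=(.*)$', line)
        if current is None or not match:
            continue
        name, raw = match.group(1).lower(), match.group(2)
        if raw.startswith("hex(7):"):  # REG_MULTI_SZ: UTF-16LE, NUL separated
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
            current[name] = [s for s in data.decode("utf-16-le").split("\x00") if s]
        elif raw.startswith('"'):      # REG_SZ
            current[name] = raw[1:-1]
    return keys


def audit_rpc(reg_text, min_ports=100, floor=5000):
    """Return a list of findings; an empty list means the settings match."""
    keys = parse_reg(reg_text)
    rpc = keys.get(RPC_KEY, {})
    inet = keys.get(RPC_KEY + "\\internet", {})
    findings = []

    # Section 4.3.1: only ncacn_ip_tcp should be listed.
    protocols = [p.lower() for p in rpc.get("dcom protocols", [])]
    if "ncacn_ip_tcp" not in protocols:
        findings.append("DCOM Protocols does not list ncacn_ip_tcp")
    extra = [p for p in protocols if p != "ncacn_ip_tcp"]
    if extra:
        findings.append("DCOM Protocols lists other transports: " + ", ".join(extra))

    # Section 4.3.2: a range above port 5000 with at least 100 ports.
    ports = inet.get("ports", [])
    if isinstance(ports, str):         # tolerate a REG_SZ created by mistake
        ports = [ports]
    total = 0
    for entry in ports:
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", entry.strip())
        lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (1, 0)
        if lo > hi or hi > 65535:
            findings.append(f"Ports entry {entry!r} is not a valid port or range")
            continue
        if lo < floor:
            findings.append(f"Ports entry {entry!r} starts below port {floor}")
        total += hi - lo + 1
    if "ports" not in inet:
        findings.append("Internet\\Ports is missing: RPC ports are allocated dynamically")
    elif total < min_ports:
        findings.append(f"Ports covers {total} ports, fewer than {min_ports}")

    for name in ("PortsInternetAvailable", "UseInternetPorts"):
        if str(inet.get(name.lower(), "")).upper() != "Y":
            findings.append(f"{name} is not set to Y")
    return findings


if __name__ == "__main__":
    for finding in audit_rpc(SAMPLE_REG) or ["no findings"]:
        print(finding)
```

Exports written by regedit are usually UTF-16 encoded, so read the file with that encoding before passing its text to `audit_rpc`.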
4.4 More Special Considerations for XP Systems

One might assume these configurations are for OPC servers only. Unfortunately this is not the case; starting with Windows XP/SP2, the DCOM configuration must deal with what Microsoft calls "Limits". This means the accounts opcadmin and opcuser have to be added under "Limits" in the global COM security settings for all clients and servers.

To do this we again use the DCOM Configuration Tool found under Control Panel/Administrative Tools/Component Services [19] shown in Figure 4-13. It can also be accessed by starting dcomcnfg.exe from the Run… option in the Start Menu.

Figure 4-13: Component Services (DCOM) Configuration Tool

Now select the COM Security tab and an option to edit the Access Permissions and Launch Permissions will appear (see Figure 4-14). Each of these needs to be edited to add the accounts opcadmin and opcuser. This editing is identical to that described in Section 4.2.3.

[19] http://www.gefanucautomation.com/opchub/opcdcom.asp
Figure 4-14: COM Security Tab

Figure 4-15: Adding opcuser to the Access Permission
5 OPC Host Hardening Verification

Even after applying the techniques for hardening Windows, OPC, DCOM and RPC described in the previous chapter, we are still left with a number of unanswered questions with regard to our OPC server:

• Have the hardening techniques been properly applied?
• What other specific exposures should be addressed?
• When is the system under attack and what kinds of attacks are being used?

To help answer these questions, some active and passive verification techniques can be used. These involve vulnerability scanning using freely available tools and the enabling and monitoring of Windows auditing features. Note, it is difficult to completely automate this verification process so a manual process is used in the following examples.

5.1 Windows Service and Open Port Determination

The first task is to determine if the configuration of the OPC servers has resulted in the correct servers starting, and if using static ports, if the ports are set correctly. There are many tools to do this, but one of the simplest is the built-in Windows utility “NETSTAT”. Netstat displays all active TCP connections, the ports on which the computer is listening and a number of useful Ethernet, IP and TCP statistics.

To use Netstat, simply open a command line window and type “netstat -o”. The “-o” parameter displays all active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. Other similar tools include “fport” from www.foundstone.com.

Figure 5-1: Typical NETSTAT Output
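The comparison described in Section 5.1 can be scripted once the netstat output has been saved to a file. The following Python code is an added example, not part of the original white paper: it parses captured `netstat -ano` output (the `-a` and `-n` switches are added here so that listening sockets are listed numerically) and compares the sockets owned by the OPC server processes with the static endpoint from Section 4.2.4 and the RPC port range from Section 4.3.2. The sample output, PIDs, server names and function names are constructed for illustration.

```python
# Constructed sample of `netstat -ano` output from an OPC host (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1047           0.0.0.0:0              LISTENING       2040
  TCP    0.0.0.0:7000           0.0.0.0:0              LISTENING       1712
  TCP    0.0.0.0:7003           0.0.0.0:0              LISTENING       1236
  TCP    192.168.1.20:7000      192.168.1.31:3412      ESTABLISHED     1712
  UDP    0.0.0.0:1026           *:*                                    1236
"""

# Hypothetical PIDs, as looked up on the Processes tab of Task Manager.
OPC_PIDS = {1712: "OPC server A", 1236: "OPC server B", 2040: "OPC server C"}
STATIC_PORTS = {1712: 7000}   # static endpoint configured as in Section 4.2.4
RPC_RANGE = (7000, 7100)      # Ports value configured as in Section 4.3.2


def parse_netstat(text):
    """Return one dict per TCP/UDP row: proto, local port, state, pid."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP":
            proto, local, _foreign, state, pid = fields
        elif len(fields) == 4 and fields[0] == "UDP":  # UDP rows have no state
            proto, local, _foreign, pid = fields
            state = ""
        else:
            continue                                   # headers, blank lines
        _host, _sep, port = local.rpartition(":")
        if port.isdigit() and pid.isdigit():
            rows.append({"proto": proto, "port": int(port),
                         "state": state, "pid": int(pid)})
    return rows


def check_opc_listeners(text, opc_pids, static_ports=None, rpc_range=RPC_RANGE):
    """Compare sockets owned by OPC processes with the hardened configuration."""
    static_ports = static_ports or {}
    low, high = rpc_range
    rows = parse_netstat(text)
    findings = []
    for pid, name in sorted(opc_pids.items()):
        mine = [r for r in rows if r["pid"] == pid]
        label = f"{name} (PID {pid})"
        if not mine:
            findings.append(f"{label}: no sockets found, is the server running?")
            continue
        listening = {r["port"] for r in mine
                     if r["proto"] == "TCP" and r["state"] == "LISTENING"}
        wanted = static_ports.get(pid)
        if wanted is not None and wanted not in listening:
            findings.append(f"{label}: not listening on static TCP port {wanted}")
        for port in sorted(listening):
            if port != wanted and not low <= port <= high:
                findings.append(
                    f"{label}: TCP listener on port {port} is outside {low}-{high}")
        for port in sorted({r["port"] for r in mine if r["proto"] == "UDP"}):
            findings.append(
                f"{label}: UDP endpoint on port {port}, review DCOM Protocols")
    return findings


if __name__ == "__main__":
    for finding in check_opc_listeners(SAMPLE_NETSTAT, OPC_PIDS, STATIC_PORTS):
        print(finding)
```

A UDP endpoint owned by an OPC process is reported for review only; it does not by itself prove that DCOM is using UDP.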
5.2 Windows Event Log Analysis

Windows 2000, Server 2003 and XP provide a rich set of features for identifying malicious activity and policy violations. Unfortunately, many are not enabled by default. Furthermore, typically the challenge is not in getting the data, but in deciding which information is most valuable when monitoring OPC based applications.

The first step is to enable Auditing to identify and log malicious activity against OPC Servers. On standalone systems, auditing is configured using the Local Security Policy. Although we identify a minimal set of Audit Policy recommendations, changes are often required. However in general the settings in the table below will work well.

| Policy | Recommended Security Setting | Discussion |
|---|---|---|
| Audit Account Logon Events | Success and Failure | Since we are differentiating between the user account necessary to remotely access the OPC/DCOM components (opcuser) and the application administrator (opcadmin), it makes sense to log both successful and failed events. Note that interactive logins on the OPC server should be relatively uncommon. |
| Audit Logon Events | Success and Failure | |
| Audit Object Access | Failure | Enabling object access auditing generates a significant amount of activity; so only failed attempts to access OPC objects should be enabled. |
| Audit Policy Change | Success | |

Table 5-1: General Auditing Settings

Since login events are limited to interactive console logons, we must enable per object auditing on core OPC components. In Security Options, enable "Audit: Audit the access of global system objects.” The object audit settings should be as listed in the table below.

| Object | Settings |
|---|---|
| OPC Server Browser (OPCEnum.exe) | Traverse Folder / Execute File: Failed |
| Opc_aeps.dll, opcbc_ps.dll, opccomn_ps.dll, OPCDAAuto.dll | Traverse Folder / Execute File: Failed |
| OPC Server Application | Traverse Folder / Execute File: Failed |

Table 5-2: Object Auditing DCOM/OPC files
It is important to remember that in order to get the most accurate picture of hostile activity across the network and on multiple clients and servers, we must be able to integrate data from a variety of sources, including routers, firewalls, intrusion detection/prevention systems, Windows event logs, and application specific logs generated by OPC servers. This can be a challenge given the different terminology, different message formats and different types of data (such as IP addresses, port numbers, GUIDs, application names, etc) generated by all these systems. This is a non-trivial task where more research and product development is needed.
5.3 Vulnerability Scanning

Apart from enabling and analyzing security logs on OPC client and server systems, we recommend that active methods be used to assess hosts for security deficiencies. The tools and techniques described in this section can identify a number of security gaps. The focus of this section is only scanning for misconfiguration vulnerabilities in DCOM and OPC Servers and not identifying other vulnerable services or components that need to be upgraded.

When evaluating existing techniques, we discovered that existing tools fall short when it comes to providing information about the state of DCOM and OPC security and at times they provide conflicting information. Two popular tools we used to check the security of OPC hosts are Microsoft’s Security Baseline Analyzer and Tenable Network Security’s Nessus Scanner. Other scanners can be used as well.

5.3.1 Microsoft Security Baseline Analyzer 2.0

The Microsoft Baseline Security Analyzer (MBSA) is a free tool useful for checking systems to ensure they are set up in accordance with Microsoft best practices and to ensure the basic Windows hardening techniques described above are followed. It also helps to identify gaps in Microsoft system and application updates. In July 2005, Microsoft released version 2.0 of this tool, which, according to the Microsoft web site, is now used in many commercial security products.

We recommend using MBSA to scan the OPC server locally since it provides the most useful information and is the least intrusive. Scans can also be conducted remotely if proper domain/local user credentials are available, remote registry browsing is enabled and access to the well known Microsoft TCP and UDP ports is available. Unfortunately this would involve practices that we specifically advise against for OPC hosts, thus we can not recommend remote MBSA scans.

MBSA provides an easy-to-read report using simple pass/fail criteria and can be sorted according to severity. Although MBSA is by no means comprehensive, we were disappointed to see it contains no analysis of DCOM configuration weaknesses. However it is still a useful tool.

As a test, we scanned our OPC server running a completely patched Windows 2000/SP4 in the default state without any of our hardening recommendations applied. It provided us with a report that included the following vulnerabilities:

1. Administrative Vulnerabilities

• Local Account Password Test – MBSA determined that we were using weak passwords for our opcadmin and opcuser accounts.
• Restrict Anonymous – MBSA detected that we had RestrictAnonymous set to 0, which allowed null sessions to be established.
• Password Expiration – MBSA determined that password expiration was not enabled. However password expiration may not be appropriate for control system environments.
• Windows Firewall – MBSA identified that the built-in Windows 2000/XP firewall was not in use.
• Update Compliance - MBSA provided an exhaustive list of security updates and hotfixes.

2. Additional System Information

• Services – identified a number of unnecessary services running on the server.
• Shares – identified old share names and permissions that were not required.

Although MBSA checked for common operating system level hardening issues, MBSA provided no DCOM-specific information and only provided information on Microsoft security updates. It did not list any 3rd party software in the reports. Still it is a very useful tool.

5.3.2 Nessus Vulnerability Scanner

Nessus is one of the most popular vulnerability scanning tools on the market. Although Nessus is a general-purpose scanner, it includes checks for multiple network layers and different types of devices. It features a large number of vulnerability checks for Windows and Windows-based applications. This is especially true if Administrator level credentials are provided.
One word of caution - Nessus has a track record of crashing embedded devices such as PLCs and RTUs and even some poorly implemented Windows applications. Sometimes the operating system can become unresponsive and unreliable during Nessus scans. Thus we recommend these scans only be run on offline systems.

Our scans of a default OPC Server configuration on a partially-patched Windows 2000 SP4 Workstation produced a large amount of information (after we provided Administrator level credentials to Nessus).

1. Port Scans – Given the use of multiple non-standard ports, port-scans against OPC are not very useful, but do help identify unnecessary system services (IIS etc) that may be running on an OPC host. They also help confirm if the TCP port number restrictions suggested in Section 4.2 and 4.3.2 are effective.
2. SMB Share Enumeration – If anonymous browsing is enabled (or login credentials are provided) Nessus identifies remotely accessible shares.
3. RPC Enumeration – The RPC scanning module provides output gathered from probes to RPC/DCE. No useful information about OPC applications could be gained from the RPC scans during our tests.
4. Password Policy & History – For this module, passwords that have changed and other enforcement mechanisms such as minimum length, strength, force logoff time, and number of logins until lockout are reported. Some of these may not be appropriate for control system environments.
5. Remote Registry Access – Nessus determined whether or not remote registry browsing is possible.
6. User Enumeration – Nessus remotely determined the Security Identifiers (SIDs) and names of identified privileged and unprivileged user accounts.
7. Known Vulnerabilities in Windows and 3rd Party Components – Using “local” and remote checks, Nessus identified potentially vulnerable software versions.
8. Remote Service Enumeration – In addition to standard services (Computer Browser, DHCP Client, etc.) Nessus identified the OPC Server Browser and OPC Server when run as a service.
9. Installed Software – Nessus provided the name and version information on installed OPC client and server applications, in addition to other 3rd party software.

5.3.3 Audit Files for Nessus Vulnerability Scanner

Tenable Network Security has developed Nessus plugins that will audit the configuration of a device under test to an established configuration. Digital Bond has created an audit file based on the security recommendations in this white paper. The audit file, available as Digital Bond subscriber content, will allow an OPC user to determine if their OPC implementation meets the good practice security recommendations in Part 3 of the OPC white paper series.

The audit capability is available in Nessus 3 to Tenable Direct Feed subscribers and Security Center users. The “Policy Compliance” plugins (ID’s 21156 and 21157) must be enabled and the credentials for an account with Windows Administrator privileges must be entered into Nessus. The audit file for OPC servers is added via the compliance tab.

Some of the settings require customization per OPC server. For example, auditing the DCOM permissions requires the CLSID of the OPC server be entered into the audit file. This varies by vendor and product, but it is easily determined on the OPC server and Digital Bond has a large list of CLSID’s.

Additional instructions on the use and results from the OPC security audit file are available at Digital Bond’s web site.
6 A Summary of OPC Host Hardening Practises

6.1 An Action Plan for Hardening OPC Hosts

In earlier sections of this white paper we pointed out the best way to harden an OPC host is to do it in stages. One begins by locking down the operating system that the OPC server or client resides on, which in most cases is some version of Windows. Next, one should tackle the OPC applications by restricting the OPC accounts, limiting DCOM object access and constraining RPC protocol options. Lastly, to verify the hardening has been successful, it is important to check for remaining security vulnerabilities using security analyzer tools.

While it seems like a lot of effort, it is important to remember that effective security does not start or stop with these three steps. Security is an ongoing process and thus we recommend the following overall process for users of OPC technology:

1. Determine whether OPC or DCOM is in use in your facility: This may seem like a trivial task, but some applications may not adequately document what lower level API is used. We located at least one company that was unaware that DCOM was in use on its control system because it was bundled into a control product with a different name.
2. Document how OPC or DCOM is deployed in your facility: This includes determining what systems and devices communicate using OPC and how critical this communications is for your operation. List all OPC servers and client applications on each host in your facility.
3. Evaluate possible operating system hardening practices: Section 3 and Section 6.2 (below) highlight common areas of concern and good practices for operating system hardening. Also investigate guidelines from your IT department and other bodies such as NIST and US-DoD [20].
4. Select the appropriate operating system hardening practices for your environment: Choose the hardening practices effective for your facility from the results of step 3.
5. Evaluate possible OPC/DCOM hardening practices: Review the guidelines listed in Sections 4 and 6.2 of this report. Also review the recommendations of your OPC vendor and other bodies such as the OPC Foundation, for security settings.

[20] For example see http://csrc.nist.gov/itsec/SP800-68-20051102.pdf and http://iase.disa.mil/stigs/checklist/W2K3_Checklist_V5-1-10_20070525.zip
40
Nov em b er 200 2007 7
Downloaded from www.PAControl.com www.PAControl.com
6. Selec t ap prop riate OPC/ OPC/ DCOM ha rde ning prac tices for for your environment: Chose Chose the OPC/ OPC/ DCOM ha rde ning ning p rac tic tic es effec tive tive for your facility from the results of step 5. 7. Test hard ening enin g p rac tises tises on o ffline ffline test system system s: Make sure that you have tested any hardening techniques on non-critical systems and conduct functional testing to ensure OPC servers are operating p rop erly. erly. Only Only a fter you a re s sur ure e t ha t the y will will not imp a c t your proc ess ess sho uld yo u d ep loy them on c ritic itic a l syste yste m s. 8. Consult Consult with your vend or/ system ystem integra tor to ad d ress ress p oss ossible sec urity urity incompatibility issues: Unfortunately some applications may not func tion tion p rop erly erly when either OS or OPC/ OPC/ DCOM ha rd ening p ra c tice s are applied. Work with your vendor/integrator to determine and resolve these issues. 9. Implement hardening practises on operational systems: Once all hardening techniques have been confirmed on offline test systems, d ep loy the m o n online online sys system tem . Then c ond uc t func tiona tiona l testin testing g to ensur ensure e a ll OPC OPC servers a re op erat ing p rop erly. erly. 10. Verify Verify the dep loyed OPC/ OPC/ DCOM a nd OS hardening p rac tices: After implementing hardening practices, make sure they are operating as expe c ted usi using tec hniq hniq ues d esc esc ribed in Sec tion 5. 11. Implement other security countermeasures: The h o st ha rd en ing g uid uid elines elines d esc esc rib ed in this this d oc ume nt a re not suffic uffic ient on their ow n - itit is p rud ent to ha ve a d efense-i efense-in-de n-de p th a p p roa c h to sec uri urity. This his will will include other solutions such as patch management, firewalls, antivirus de ployment ployment a nd so so o n. 12. 
Monitor OPC hosts for intrusions or unusual activities: This c a n b e d one using host and network based monitoring tools as well as Windows Aud iting iting a nd Log g ing t oo ls a s d isc isc uss ussed in Sec tion 5.
6.2 Summary of High Risk Vulnerabilities and Mitigating Good Practices

Using the results from White Paper #2, we have summarized the key findings relating to common operating system vulnerabilities that are most critical for OPC deployments. We have then added the recommended practices for mitigating them based on the guidelines in this report. Please remember this is only a summary and is by no means a complete list of vulnerabilities or mitigations.

Vulnerability | Good Practice
Inadequate Patching of Host | Follow guidance from OPC vendor and existing organizational guidelines. (Section 3.1)
Unnecessary Services | Disable unnecessary services and ensure OPC hosts are single purpose platforms. (Section 3.2)
Unnecessary Access to Host from Other Devices | Use Windows IP Filtering (Section 3.4)
System Enumeration & Profiling | Disable Unnecessary Services (Section 3.2) and Confirm with Vulnerability Scanning (Section 5.3)
Weak Passwords | Beyond the scope of this document. Follow established industry or organizational best practices.
Remote Registry Access | Harden registry and disable remote editing (Section 3.5). If possible disable remote browsing.
Inadequate Security Logging | Enable system auditing for OPC and DCOM objects to identify unauthorized access attempts. (Section 5.3)

Table 6-1: High Risk O/S Vulnerabilities and Possible Mitigating Practices

Vulnerability | Good Practice
Lack of Authentication for OPC Server Browser | Disable OPC Server Browser and Anonymous Login after initial configuration (Section 4.1)
OPC Server Executes with Excessive Permissions | Configure OPC Server components to run with restricted permissions (Section 4.2)
Overly Permissive Settings for OPC Server Browser | Remove Everyone access to OPCEnum and require authenticated users and/or follow vendor recommended practices. (Section 4.2)
Unnecessary Protocol Support for OPC Server | Force RPC to only use TCP for transport and either use static ports or restrict port ranges (Section 4.3.1)
Excessive Open TCP ports on OPC Server | Force RPC to either use static ports (Section 4.2) or restrict port ranges (Section 4.3.2)
Lack of Confidentiality in OPC Communications | Enable "Packet Privacy" if possible (Section 4.2)
Lack of Integrity in OPC Communications | Enable "Packet Integrity" if possible. (Section 4.2)
Use of Historically Insecure Transport | Ensure patching and upgrade to OPC-UA when available.
OPC Security Configuration Lacks Fine Grained Access Control | Can not be addressed at this time

Table 6-2: High Risk DCOM/OPC Vulnerabilities and Possible Mitigating Practices

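As an added example (not part of this white paper or of Digital Bond's audit file), the Python below parses a regedit export taken from an OPC host and checks the RPC/DCOM transport rows of Table 6-2; it also resolves an OPC server's ProgID to the CLSID that the Nessus audit file discussed earlier has to be given. The registry value names are the standard Windows ones rather than text from this paper, and the export content, ProgID and CLSID are constructed placeholders.

```python
import re

AUTHN = {1: "None", 2: "Connect", 3: "Call", 4: "Packet",
         5: "Packet Integrity", 6: "Packet Privacy"}

def _multi_sz(*items):
    """Encode strings the way regedit exports REG_MULTI_SZ (UTF-16LE hex, wrapped)."""
    raw = ("\0".join(items) + "\0\0").encode("utf-16-le")
    cells = [f"{b:02x}" for b in raw]
    rows = [",".join(cells[i:i + 24]) for i in range(0, len(cells), 24)]
    return "hex(7):" + ",\\\n  ".join(rows)

# Constructed sample export; the ProgID and CLSID are placeholders, not real products.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CLASSES_ROOT\Vendor.OPCServer.1\CLSID]",
    '@="{00000000-0000-0000-0000-0000000000AA}"',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]",
    '"LegacyAuthenticationLevel"=dword:00000002',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]",
    '"DCOM Protocols"=' + _multi_sz("ncacn_ip_tcp", "ncadg_ip_udp", "ncacn_spx"),
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]",
    '"Ports"=' + _multi_sz("5000-5020"),
    '"PortsInternetAvailable"="Y"',
    "",
])

def _decode(raw):
    """Turn the right-hand side of a .reg line into int, list of str, or str."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h.strip())
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw

def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: value}}, names lower-cased."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join wrapped hex lines
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and cur is not None:
            cur[m.group(1).strip('"').lower()] = _decode(m.group(2))
    return keys

def clsid_for_progid(reg, progid):
    """Resolve a ProgID to its CLSID via HKEY_CLASSES_ROOT\\<ProgID>\\CLSID."""
    return reg.get(f"hkey_classes_root\\{progid}\\clsid".lower(), {}).get("@")

def audit_dcom(reg):
    """Return (check_id, detail) findings for the transport rows of Table 6-2."""
    base = "hkey_local_machine\\software\\microsoft\\"
    ole, rpc = reg.get(base + "ole", {}), reg.get(base + "rpc", {})
    inet = reg.get(base + "rpc\\internet", {})
    findings = []
    # Unnecessary protocol support: anything besides connection-oriented TCP.
    extra = [p for p in rpc.get("dcom protocols", []) if p.lower() != "ncacn_ip_tcp"]
    if extra:
        findings.append(("non-tcp-protocols", ", ".join(extra)))
    # Port restriction needs a Ports list plus both flags set to "Y".
    flags = {f: str(inet.get(f, "")).upper() == "Y"
             for f in ("portsinternetavailable", "useinternetports")}
    if not inet.get("ports") or not all(flags.values()):
        missing = [f for f, ok in flags.items() if not ok]
        findings.append(("rpc-port-range", f"ports={inet.get('ports')} unset={missing}"))
    # Machine-wide default authentication level; per-application settings can override it.
    level = ole.get("legacyauthenticationlevel", 0)
    if level < 5:
        findings.append(("no-packet-integrity", AUTHN.get(level, "not set")))
    if level < 6:
        findings.append(("no-packet-privacy", AUTHN.get(level, "not set")))
    return findings

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("CLSID:", clsid_for_progid(reg, "Vendor.OPCServer.1"))
    for check, detail in audit_dcom(reg):
        print(f"FAIL {check}: {detail}")
```

An empty list from audit_dcom means the machine-wide defaults match the table; the DCOM permission rows (OPCEnum access, restricted server accounts) are ACL checks that this example does not cover.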
6.3 Some Final Thoughts

Based on our research, the challenges of securing OPC deployments are clear. The inherent architectural issues with the current versions of OPC, the default security posture and poor compliance to DCOM security settings of many OPC products, and the lack of unambiguous guidance with regard to security, all contribute to the difficulties of securing OPC deployments in most companies.

This does not mean OPC users should throw up their hands in despair. OPC's reliance upon the Microsoft platform is both a blessing and a curse - while Windows has flaws, we were able to uncover a wealth of practices for hardening Windows servers that can be applied to OPC clients and servers. Furthermore, the fact that a few OPC vendors are providing good security guidance and a degree of hardening during the installation process shows that it is possible to reduce the pain of security that many users are feeling.

What is needed from the vendor community is an immediate and focused effort towards improving OPC/DCOM installation processes and security guidance. Waiting for the day when there is widespread availability and deployment of the more secure OPC-UA is not a solution – that is simply too far in the future to help today's OPC end-users.

End-users can also do much to improve their security posture with regards to OPC. First, many of the vulnerabilities in OPC hosts that we discussed in White Paper #2 are well within the control of the knowledgeable end-user. Using a well-defined security plan, such as the one supplied in this document, the end-user can significantly reduce their OPC security risk.

Second, the end user community can start demanding better OPC guidance from their vendors – as we noted in White Paper #2, a few vendors already do an excellent job, so the challenge is to move the remaining vendors in this direction. Only end-users wielding the power of the purchase order can make this happen in a timely fashion.

Finally, it is critical the OPC end-user keep both operating systems and OPC applications as current as possible. The security of most software products has improved significantly in the past five years. This is especially true for Microsoft Windows and various OPC products. The eventual release of OPC-UA based software is likely to significantly help reduce the security effort and risk currently faced by industry today. This can only happen if the community embraces the new UA technologies over the next few years.

7 Areas for More Research in OPC Security

Since the focus in this project was on the hardening of OPC hosts, a number of other interesting security possibilities were not pursued during our research. We feel that these are worth investigating in future studies and have listed them below.

7.1 Firewall and Network Related Solutions for OPC Security

Readers may have noted that there is no discussion in this white paper on best practises for firewall configuration for OPC systems. This was considered out of scope for this project focusing on OPC hosts, but is an area urgently needing further research.

7.2 OPC Tunnelling Solutions for Security Robustness

Given the difficulty in developing firewall rule sets for DCOM-based applications (and the challenges of OPC use across multiple Windows domains), there are a number of 3rd party products or built-in techniques to tunnel OPC/DCOM traffic over a single port. Although these techniques may make the life of the systems administrator simpler, it is not clear if they improve security. Detailed analysis of these tunnelling solutions is urgently required.

7.3 Network Intrusion Detection/Intrusion Prevention Signatures

In the past few years intrusion detection signatures for SCADA protocols such as DNP3 and MODBUS have been developed based on likely misuse of valid protocol patterns. We believe that a similar approach could be conducted for OPC to alert on unauthorized attempts to access OPC Server GUIDs, Program IDs, or other client or server messages.

7.4 Enhancements to Network Vulnerability Scanners

Although scanning tools such as Nessus and MBSA proved useful for identifying Windows OS vulnerabilities, very little DCOM/OPC specific information was provided by these tools.

7.5 Research Implementation Vulnerabilities in OPC Components

Over the past several years, a number of tools have been released that attempt to find implementation flaws in ActiveX and COM components. Although Internet Security Systems Incorporated's Scanner/Intrusion Detection System (IDS) has a signature for an OPC Buffer overflow [21], to our knowledge no implementation flaws have been disclosed in the OPC Foundation Components such as Proxy/Stub DLL's or OPC Applications.

[21] http://xforce.iss.net/xforce/xfdb/13393

7.6 Use of Domain Isolation in Control Environments

Domain Isolation is a technique based on IPSec and Group Policy to prevent access from untrusted devices to trusted devices on a corporate network. While very promising on the surface, just how effectively this technology can be used in the industrial controls environment requires additional research.

Glossary

ACL - Access Control List: List of rules in a router or firewall specifying access privileges to network resources.
API - Application Programming Interface: The specification of the interface an application must invoke to use certain system features.
CATID - Category Identifier: Specifies the active OPC specifications.
CCM - Component Category Manager: A utility that creates categories, places components in specified categories, and retrieves information about categories.
CERN - Conseil Européen Recherche Nucleaire: European Laboratory for Particle Physics.
CIFS - Common Internet File System: Updated version of Server Message Block application-level protocol used for file management between nodes on a LAN.
CIP - Common Industrial Protocol: CIP is an open standard for industrial network technologies. It is supported by an organization called Open DeviceNet Vendor Association (ODVA).
COM - Component Object Model: Microsoft's architecture for software components. It is used for interprocess and interapplication communications. It lets components built by different vendors be combined in an application.
CLSID - Class Identifier: An identifier for COM objects.
CORBA - Common Object Request Broker Architecture: Architecture that enables objects to communicate with one another regardless of the programming language and operating system being used.
CSP - Client Server Protocol: An Allen-Bradley protocol used to communicate to PLCs over TCP/IP.
DDE - Dynamic Data Exchange: A mechanism to exchange data on a Microsoft Windows system.
DCOM - Distributed Component Object Model: This is an extension to the Component Object Model to support communication among objects located on different computers across a network.
DCS - Distributed Control System: A Distributed Control System allows for remote human monitoring and control of field devices from one or more operation centers.
DDE - Dynamic Data Exchange: An interprocess communication system built into Windows systems. DDE enables two running applications to share the common data.
DLL - Dynamic Link Libraries: A file containing executable code and data bound to a program at the application's load or run time, rather than linking during the compilation of the application's code.
DMZ - Demilitarized Zone: A small network inserted as a "neutral zone" between a trusted private network and the outside untrusted network.
DNP3 - Distributed Network Protocol 3: A protocol used between components in SCADA systems (primarily in the power and water industries).
DNS - Domain Name System: A distributed database system for resolving human readable names to Internet Protocol addresses.
EN - Enterprise Network: The corporation-wide business communication network of a firm.
ERP - Enterprise Resource Planning: Set of activities a business uses to manage its key resources.
GUI - Graphical User Interface: Graphical, as opposed to textual, interface to a computer.
GUID - Globally Unique Identifier: A unique 128-bit number that is produced by the Windows operating system and applications to identify a particular component, application, file, database entry or user.
HMI - Human Machine Interface: A software or hardware system that enables the interaction of man and machine.
HTML - Hypertext Markup Language: The authoring software language used on the Internet's World Wide Web.
HTTP - HyperText Transfer Protocol: The protocol used to transfer Web documents from a server to a browser.
HTTPS - HyperText Transfer Protocol over SSL: A secure protocol used to transfer Web documents from a server to a browser.
IIS - Internet Information Server: Microsoft's web server application.
IDL - Interface Definition Language: Language for describing the interface of a software component.
IDS - Intrusion Detection System: A system to detect suspicious patterns of network traffic.
IPX - Internetwork Packet Exchange: A networking protocol used by Novell Incorporated.
IPSEC - Internet Protocol SECurity: An Internet standard providing security at the network layer.
IP - Internet Protocol: The standard protocol used on the Internet that defines the datagram format and a best effort packet delivery service.
I/O - Input/Output: An interface for the input and output of information.
ISA - Instrumentation, Automation and Systems Society: ISA is a nonprofit organization that helps automation and control professionals to solve technical instrumentation problems.
IT - Information Technology: The development, installation and implementation of applications on computer systems.
LAN - Local Area Network: A computer network that covers a small area.
LM - LAN Manager: A now obsolete Microsoft Windows networking system and authentication protocol.
LDAP - Lightweight Directory Access Protocol: A protocol for accessing directory services.
MBSA - Microsoft Baseline Security Analyzer: A tool from Microsoft used to test a system to see if Microsoft best practices are being used.
MIB - Management Information Base: The database that a system running an SNMP agent maintains.
MODBUS - A communications protocol designed by Modicon Incorporated for use with its PLCs.
NETBEUI - NetBIOS Extended User Interface: An enhanced version of the NetBIOS protocol.
NetBIOS - Network Basic Input Output System: A de facto IBM standard for applications to use to communicate over a LAN.
NTLM - New Technology LAN Manager: A challenge-response authentication protocol that was the default for network authentication for Microsoft Windows New Technology (NT) operating systems.
OLE - Object Linking and Embedding: A precursor to COM, allowing applications to share data and manipulate shared data.
OPC - OLE for Process Control: An industrial API standard based on OLE, COM and DCOM for accessing process control information on Microsoft Windows systems.
OPC-A&E - OPC Alarms & Events: Standards created by the OPC Foundation for alarm monitoring and acknowledgement.
OPC-DA - OPC Data Access: Standards created by the OPC Foundation for accessing real time data from data acquisition devices such as PLCs.
OPC-DX - OPC Data Exchange: Standards created by the OPC Foundation to allow OPC-DA servers to exchange data without using an OPC client.
OPC-HDA - OPC Historical Data Access: Standards created by the OPC Foundation for communicating data from devices and applications that provide historical data.
OPC-UA - OPC Unified Architecture: Standards created by the OPC Foundation for integrating the existing OPC standards.
OPC XML-DA - OPC XML Data Access: Standards created by the OPC Foundation for accessing real time data, carried in XML messages, from data acquisition devices such as PLCs.
OPCENUM - OPC ENUMerator: A service for discovering and listing OPC servers.
OPC Unified Architecture - OPC UA: Standard to tie together all existing OPC technology and replace the underlying DCOM protocols in OPC with SOAP based protocols.
PLC - Programmable Logic Controller: A PLC is a small dedicated computer used for controlling industrial machinery and processes.
PCN - Process Control Network: A communications network used to transmit instructions and data to control devices and other industrial equipment.
PROGID - Program Identifier: A string that identifies the manufacturer of an OPC server and the name of the server.
RPC - Remote Procedure Call: A communications protocol for invoking code residing on another computer across a network.
SAP - Systems, Applications and Products: A German company that produces client/server business software.
SCADA - Supervisory Control And Data Acquisition: A system for industrial control consisting of multiple Remote Terminal Units (RTUs), a communications infrastructure, and one or more central host computers.
SID - Security Identifier: A unique name that is used to identify a Microsoft Windows object.
SP - Service pack: A bundle of software updates.
SPX - Sequenced Packet Exchange: A transport Layer protocol used by Novell Incorporated.
SMB - Server Message Block: A Microsoft network application-level protocol used between nodes on a LAN.
SNMP - Simple Network Management Protocol: A protocol used to manage devices such as routers, switches and hosts.
SOAP - Simple Object Access Protocol: A protocol for exchanging XML-based messages using HTTP.
SSL - Secure Socket Layer: A de facto standard for secure communications created by Netscape Incorporated.
TCP - Transmission Control Protocol: The standard transport level protocol that provides a reliable stream service.
UDP - User Datagram Protocol: Connectionless network transport protocol.
URL - Uniform Resource Locator: The address of a resource on the Internet.
WS-Security - Web Services Security: A communications protocol providing a means for applying security to Web Services.
XML - eXtensible Markup Language: A general-purpose markup language for creating special purpose markup languages that are capable of describing many different kinds of data.