Securing OPC DA With Unidirectional Gateways

Securing OPC DA servers with unidirectional gateways is by far the best and most cost-effective method. Here is why:

OPC DA (Open Platform Communications – Data Access) is a classic communication protocol used in industrial automation and control systems. It enables data exchange between software applications (such as SCADA systems, HMI software, and PLCs) from different manufacturers that use different communications protocols. OPC DA works well at providing a flow of data from all the sensors and devices needed to fine-tune an industrial process and keep things running smoothly. However, the OPC DA classic protocol was created in 1996, before cybersecurity became a common consideration for industrial controls.

A unidirectional security gateway, which allows data to flow in only one direction, has long been used in environments where network security is critical, such as the industrial control systems (ICS) of critical infrastructure: the electric sector, pipelines, refineries and water treatment systems. It is increasingly used in industries where outages are expensive, unacceptable or both, including manufacturing, transportation, data centers, and mining operations.

OPC DA was not designed with security in mind, as this was not considered much of a threat back in 1996. All solutions for securing OPC DA were designed after the fact.

Steps to secure OPC DA with a Unidirectional Gateway:

Here’s how industrial engineers secure OPC DA with unidirectional gateways:

Hardware-Enforced Unidirectional Protection: Unidirectional hardware is physically able to send information in only one direction; the hardware acts as a one-way check valve for the data. OPC DA information can flow out of the OPC server in the OT network, but nothing can flow back to put the server or the OT network at risk.

Easy Integration: Waterfall has a large connector library, which includes an OPC DA connector. Once the connector is activated on the Waterfall appliance, it seamlessly replicates the OPC server across the gateway to the receiving network. All of the OPC server is replicated by default, but you can select how much you want replicated.

The End (Almost): Now you simply enjoy secure OPC DA integration. Data flow remains secure no matter what cyber-sabotage attacks are launched at the unidirectional device. Even if a zero-day rolls out on the OPC server, any attempt at remote access is defeated by the gateway hardware.

By using a unidirectional gateway, OPC DA communication can be effectively secured, protecting critical industrial control systems from external threats while still allowing data to be exchanged between the OPC DA server and client applications in a safe and secure manner.

Steps to secure OPC DA but WITHOUT a Unidirectional Gateway:

Alternatively, if industrial engineers wanted to secure OPC DA communication without a unidirectional gateway, this is a breakdown of what they would need to do. Even all of it together would not provide the gateway's "unbreachable" level of security:

Network Firewall Segmentation: Segment the network to try to isolate the OPC DA servers and clients from other parts of the network. Making OPC DA available to IT users through a firewall, however, is difficult. OPC DA uses DCOM under the hood, and accessing DCOM through a firewall means opening over 1000 ports on the firewall.

>>The downside here is that firewalls are software-based security and are routinely defeated, for example when ransomware attacks pass through IT-Internet firewalls into IT networks.

DCOM Access Control Lists (ACLs): Use DCOM access control lists to restrict access to OPC DA servers and data based on user roles and permissions. Implement role-based access control (RBAC) to ensure that only authorized users can access OPC DA outputs.

>>One downside here is that DCOM servers regularly suffer zero-day exploits, sometimes in parts of the servers that must be accessed even before access control lists are consulted.
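The two preceding steps, narrowing the firewall exposure of DCOM and tightening DCOM permissions, can be checked on the OPC DA host itself. The following is an added example, not Waterfall's or any OPC vendor's code: a PowerShell audit that reads Microsoft's documented DCOM (`HKLM\SOFTWARE\Microsoft\Ole`) and RPC (`HKLM\SOFTWARE\Microsoft\Rpc\Internet`) registry settings and reports how many ports a firewall would have to open and what the machine-wide default DCOM permissions are. The assumed default dynamic range (49152-65535) and the report layout are this example's own choices.

```powershell
# Added example (not from the original page): report the DCOM/RPC exposure of an OPC DA host.
# Registry paths are Microsoft's documented DCOM (Ole) and RPC (Rpc\Internet) settings;
# the dynamic range assumed when no restriction is configured is the Windows default.

function ConvertTo-SddlText([byte[]] $BinarySd) {
    # DefaultLaunchPermission / DefaultAccessPermission are stored as binary security
    # descriptors; render them as SDDL so the permitted principals can be read.
    if (-not $BinarySd) { return '<not set: built-in DCOM defaults apply>' }
    (New-Object System.Security.AccessControl.RawSecurityDescriptor($BinarySd, 0)).GetSddlForm('All')
}

function Get-DcomExposureReport {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue

    # Without Rpc\Internet (Ports + UseInternetPorts=Y + PortsInternetAvailable=Y),
    # DCOM servers take endpoints from the whole dynamic range: this is the
    # "over 1000 ports" a firewall would have to open in front of the OPC DA server.
    $restricted = $rpc -and $rpc.UseInternetPorts -eq 'Y' -and
                  $rpc.PortsInternetAvailable -eq 'Y' -and $rpc.Ports
    if ($restricted) {
        $count = 0
        foreach ($entry in @($rpc.Ports)) {
            # REG_MULTI_SZ entries are either "low-high" ranges or single ports
            if ($entry -match '^(\d+)-(\d+)$') { $count += [int]$Matches[2] - [int]$Matches[1] + 1 }
            elseif ($entry -match '^\d+$')    { $count += 1 }
        }
        $rangeText = @($rpc.Ports) -join ','
    } else {
        $count = 65535 - 49152 + 1
        $rangeText = '49152-65535 (Windows default, unrestricted)'
    }

    [pscustomobject]@{
        Host                  = $env:COMPUTERNAME
        DcomEnabled           = ($ole.EnableDCOM -eq 'Y')
        RpcDynamicPorts       = $rangeText
        FirewallPortsRequired = $count + 1   # +1 for the RPC endpoint mapper on TCP 135
        DefaultLaunchAcl      = ConvertTo-SddlText $ole.DefaultLaunchPermission
        DefaultAccessAcl      = ConvertTo-SddlText $ole.DefaultAccessPermission
    }
}

# Run locally on the OPC DA host; requires read access to HKLM.
Get-DcomExposureReport | Format-List
```

A high FirewallPortsRequired value or an unset default ACL is the configuration the two downsides above describe; the report only reads settings and changes nothing.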

Intrusion Detection and Prevention Systems (IDPS): Deploy IDS and IPS solutions to monitor OPC DA traffic for suspicious activity and detect potential security threats. IPS can help identify and block unauthorized access attempts, malware, and other security incidents in real-time.

>>Intrusion detection takes time, and some attacks happen very quickly. Intrusion prevention can generally be enabled only for the most serious and most obvious attacks, because false alarms lead to connectivity interruptions and possibly other malfunctions of the OT OPC DA server. More generally, advanced attacks often create very "noisy" diversions in other parts of a compromised IT network, generating a lot of alarms and drawing attention away from more subtle attacks on OPC DA servers exposed through firewalls to the IT network.

Regular Patching and Updates: All systems, from the OPC DA server itself to the supporting hardware and software, need to be patched and kept up to date so that new vulnerabilities cannot be exploited by attackers who track them more closely than the system's owners do.

>>One downside with this solution is that the system remains vulnerable until the patch is installed, even if only for a few days. Additionally, the patches themselves may contain defects that cause damage. This creates an ongoing dilemma between patching as soon as possible and delaying long enough for the patch to be confirmed as "good" on other machines before applying it to your own. Another downside is that "zero day" attacks exploit vulnerabilities for which no patches exist, and modern attacks only sometimes exploit known vulnerabilities, nowadays often preferring to exploit permissions instead.

Unidirectional Gateways: The best way to secure OPC DA

When it comes to securing OPC DA, nothing compares to the security that a unidirectional gateway provides. When this highest level of security is combined with the fact that the gateways are also very affordable, it becomes clear why Unidirectional Security Gateways are the obvious choice for protecting OPC DA servers.

