analysis on the protection of industrial control network system based on opc protocol

Posted by santillano at 2020-04-03

1、 Agreement overview

When it comes to OPC protocol, we think about OPC classic 3.0 most. In fact, there are two categories of OPC protocol, one is "classic" based on Microsoft COM / DCOM technology, the other is OPC UA based on Web service. Based on DCOM protocol, the former was born earlier, and has been widely used in various industrial control systems, becoming the fact standard in the field of industrial automation. The latter was born later than the former, but the security factor was considered in the design, and the encryption mechanism was provided, but the current application scope is small. This paper mainly discusses the protection of the former in the industrial control system.

Microsoft's DCOM protocol was designed before the network security problems were widely recognized, while OPC classic based on DCOM protocol basically did not add any security related features. Almost all famous industrial automation software (including HMI Software, advanced control and optimization software, monitoring and control platform software, integrated software, etc.) are developed based on Windows platform, OPC technology is used or partially used, so it is difficult to protect the industrial control system using OPC protocol.

2、 Dynamic port

Unlike most application layer protocols, the basic protocol of OPC, DCOM protocol, uses the dynamic port mechanism. Before the data connection is really established, the communication parties need to negotiate the ports to be used. An example is as follows:

Figure 1 OPC dynamic port negotiation process

In the above figure, the OPC client uses 5568 as the source port to initiate a connection to port 135 of the OPC server. After the connection is successful, a new port 1118 will be assigned to the OPC server, and the response message of remotechreateinstance will be returned to the client through the interface issystematicator method. After that, the client uses 5569 as the source port to initiate a new connection to port 1118 of the server for later use Transmission of real data.

3、 Security threats

The industrial control network system based on OPC protocol faces various threats. Under the background of "two networks" integration, the isolation of industrial control system has been broken, and the threat from the network has increased unprecedentedly. The opening of useless ports, the security loopholes in the operating system on which the industrial software depends, and the lack of security in the industrial protocol will bring huge security risks to the industrial control network. Before the real access to the enterprise management network and the Internet, the industrial control system based on OPC protocol must join the corresponding security equipment for protection, in order to improve the security of its own network. Because OPC protocol is different from the traditional IT application layer protocol, the analysis depth of OPC protocol determines the real role of security products in the security protection of industrial control system.

4、 Brief introduction of protection scheme

Traditional IT system firewall

If the traditional IT system firewall (hereinafter referred to as traditional firewall) is installed in the industrial control system based on OPC protocol for protection, because the traditional firewall does not support any analysis of OPC protocol, in order to ensure the normal use of OPC business, all the open ports of OPC server have to be opened, and OPC server can assign a wide range of port numbers. If OPC server is installed in Windows Server 2008, more than 16000 port numbers may be used, and the previous version of windows has more than 48000 port numbers.

Figure 2 deployment diagram of traditional firewall

In the figure above, the traditional firewall is installed at the boundary of the enterprise management network and the production control network for protection. Since the OPC server may use any available port for real data connection, the specific port number used is in the response message in response to the client's request. The traditional firewall can't recognize the port number of the OPC server. In order to ensure that the OPC client can connect to the OPC server normally, the firewall needs to be configured with all ports accessible. Such a traditional firewall is a virtual device. The door of the production control network is wide open, almost completely exposed to the attacker.

2. Port protection industrial firewall

Different from traditional firewalls, the industrial firewalls developed in recent years, which are specially used to protect the industrial control site, basically support the depth analysis of OPC, but according to the depth of analysis, the protection ability of the industrial firewalls is different in the network based on OPC protocol.

The industrial firewall with simple analysis of OPC can track the dynamic port established by OPC connection and minimize the port of open industrial control network. The following picture:

Figure 3 port protection level industrial Firewall deployment diagram

The port protection level industrial firewall is also deployed at the boundary of the enterprise production network and production control network. At this time, the configuration strategy only needs to configure 135 ports of the open OPC server. When the OPC client establishes a connection with the server, the port protection level firewall tracks and analyzes the dynamic ports negotiated by the OPC server and the OPC client, and then automatically adds the dynamic ports to the opening of the firewall Compared with the traditional firewall, the protection ability of the firewall is further improved.

3. Command protection industrial firewall

Compared with the traditional firewall, the port protection industrial firewall improves the protection ability, but the attacker can still send malicious OPC operation instructions through the established data channel, so only dynamic port tracking can not guarantee the security of the industrial control system based on OPC protocol. Therefore, the further analysis of OPC protocol gives birth to the instruction level protection industrial firewall, which is also the mainstream industrial firewall on the market at present. The requirement of OPC protocol's deep parsing is also added to the draft of the national standard of industrial firewall (this standard has not been officially released). The following figure is a typical deployment of an instruction level protection industrial firewall:

Figure 4 deployment diagram of instruction level protection industrial firewall

The instruction level industrial firewall deployed at the boundary of the enterprise management network and the production control network can deeply analyze the OPC protocol to the instruction level. It can not only track the dynamic ports negotiated between the OPC server and the OPC client, minimize the ports of the open production control network, but also detect the command requests transmitted between the OPC client and the OPC server in real time. For those that do not meet the security requirements The interception and alarm of operation instructions greatly improve the network security of industrial control system based on OPC protocol.

In addition to command protection, there is also a more user-friendly industrial firewall built-in read-only template, which meets most business scenarios using OPC protocol, because the industrial control site using OPC protocol is generally used to collect data, and the use of read-only template to protect fully meets the site security requirements. The one click deployment of read-only template built in the industrial firewall is safe and convenient, reduces the maintenance cost of the administrator, and effectively guarantees that the data of the industrial control system will not be tampered with maliciously.

4. Comparison of advantages and disadvantages

Five. Conclusion

With the promulgation of the national network security law and the requirements of the national "made in China 2025" strategy, it is more and more urgent to break the physical isolation of the industrial production network. It is more and more important for enterprises that have OPC protocol on the production site to choose their own safety protection products based on their own strength. The resolution of OPC protocol to instruction level is not enough. In the future, it is necessary to deeply analyze whether the object operated by OPC protocol operation instruction is within the safe range, and carry out safety detection on the value of the object to ensure that every byte sent by OPC protocol is recognizable, controllable, safe and harmless.

Agent control security