The OPC Foundation publishes security bulletins that affect software that it maintains or distributes. In many cases these bulletins will affect code that OPC vendors incorporate into their products. As a result, vendors will have to patch their products to address the vulnerabilities identified.
All the bulletins that have been published are available here.
Any vulnerabilities or security concerns should be reported to ‘securityteam AT opcfoundation DOT org’.
A PGP key to encrypt any sensitive security report can be found here.
Security Deep Dive Webinar
Security Analysis by Kaspersky Labs
On May 10th, 2017 Kaspersky Labs released a report identifying 17 zero day vulnerabilities in OPC Foundation code.
- The OPC Foundation’s formal response can be found here.
- The complete list of vulnerabilities along with references to appropriate CVEs can be found here.
- The process that the OPC Foundation follows when these kinds of concerns are raised can be found here.
Practical Security Recommendations for Building OPC UA applications
!! Updated v3 available !!
OPC Foundation members and partners have published the whitepaper “Practical Security Recommendations”.
Security Analysis by German Office for Information Security (BSI)
The BSI reviewed the OPC UA security mechanisms and created an evaluation report. Two analyses were performed for this purpose: In the first part of the project, the specification of the OPC UA was analyzed Protocol version 1.02 on systematic errors. This analysis was divided into the following steps:
- Analysis of already carried out investigations of IT security by OPC UA
- Threat analysis (analysis of the objectives and threats, analysis of threats and measures)
- Analysis of the OPC UA specification in detail with an emphasis on the parts of 2, 4, 6, 7 and 12
The Security working group of the OPC Foundation assessed the findings in the BSI report and initiated necessary measures. Although no major flaws had been detected, these measures will help improve the document and the implementations.
The OPC Foundation responses have been inserted into the original BSI report. Each response is labelled with [OPC-F].
All issues that need further work have been recorded in Mantis (the OPC Foundation problem reporting tool). Mantis issue references are marked with (Mantis #XXXX), where XXX is the reference number within mantis.
All issues are planned to be solved with the next OPC UA specification (most likely version 1.04) respectively in the OPC Foundation’s ANSI-C stack for OPC UA, version 1.03.340.
Download the BSI report with the OPC Foundation responses: