The OPC Foundation publishes security bulletins that affect software that it maintains or distributes. In many cases these bulletins will affect code that OPC vendors incorporate into their products. As a result, vendors will have to patch their products to address the vulnerabilities identified.
All the bulletins that have been published are available here.
Security Analysis by German Office for Information Security (BSI)
The BSI reviewed the OPC UA security mechanisms and created an evaluation report. Two analyses were performed for this purpose: In the first part of the project, the specification of the OPC UA was analyzed Protocol version 1.02 on systematic errors. This analysis was divided into the following steps:
- Analysis of already carried out investigations of IT security by OPC UA
- Threat analysis (analysis of the objectives and threats, analysis of threats and measures)
- Analysis of the OPC UA specification in detail with an emphasis on the parts of 2, 4, 6, 7 and 12
The Security working group of the OPC Foundation assessed the findings in the BSI report and initiated necessary measures. Although no major flaws had been detected, these measures will help improve the document and the implementations.
The OPC Foundation responses have been inserted into the original BSI report. Each response is labelled with [OPC-F].
All issues that need further work have been recorded in Mantis (the OPC Foundation problem reporting tool). Mantis issue references are marked with (Mantis #XXXX), where XXX is the reference number within mantis.
All issues are planned to be solved with the next OPC UA specification (most likely version 1.04) respectively in the OPC Foundation’s ANSI-C stack for OPC UA, version 1.03.340.
Download the BSI report with the OPC Foundation responses: