Nov 2022: FAQ on Industrial Ethernet Security Concepts
The Industrial Ethernet Security Harmonization Group (IESHG) meets on a regular basis to discuss security topics in the industrial automation context. The goal of this group is the alignment of Industrial Ethernet security concepts, so that end users of the protocols have less complexity when using security in their automation systems.
The group consists of representatives of the following four standards developing organizations
(SDOs): OPC Foundation, ODVA, Inc., Profibus & Profinet International, FieldComm Group
OPC Cybersecurity: Larry O’Brien from ARC talks to with Randy Armstrong of the OPC Foundation
Security Deep Dive Webinar
Java log4j2 vulnerability
A new a critical vulnerability to the open source log4j2 Java service was announced. This vulnerability (CVE-2021-44228) has been rated with a CVSS score of 10.0.
Information for OPC users can be found here:
- Classic OPC (including OPC Core Components).
- OPC UA (including open source code managed by the OPC Foundation).
Security Analysis by Kaspersky Labs
On May 10th, 2017 Kaspersky Labs released a report identifying 17 zero day vulnerabilities in OPC Foundation code.
- The OPC Foundation’s formal response can be found here.
- The complete list of vulnerabilities along with references to appropriate CVEs can be found here.
- The process that the OPC Foundation follows when these kinds of concerns are raised can be found here.
Practical Security Recommendations for Building OPC UA applications
!! Updated v3 available !!
OPC Foundation members and partners have published the whitepaper “Practical Security Recommendations”.
February, 2022: Second Security Analysis by German Office for Information Security (BSI)
BSI: Subject of the analysis – Chapter 2
In the context of updating the study, an open (open source) implementation of the OPC UA protocol should be investigated using static and dynamic code analysis methods. It has been chosen open62541 [Open source implementation by Fraunhofer.
Note by OPCF: This is not a solution or an offering by the OPC Foundation] as open implementation for investigation in the updated study.
Download the BSI report:
January, 2017: First Security Analysis by German Office for Information Security (BSI)
The BSI reviewed the OPC UA security mechanisms and created an evaluation report. Two analyses were performed for this purpose: In the first part of the project, the specification of the OPC UA was analyzed Protocol version 1.02 on systematic errors. This analysis was divided into the following steps:
- Analysis of already carried out investigations of IT security by OPC UA
- Threat analysis (analysis of the objectives and threats, analysis of threats and measures)
- Analysis of the OPC UA specification in detail with an emphasis on the parts of 2, 4, 6, 7 and 12
The Security working group of the OPC Foundation assessed the findings in the BSI report and initiated necessary measures. Although no major flaws had been detected, these measures will help improve the document and the implementations.
The OPC Foundation responses have been inserted into the original BSI report. Each response is labelled with [OPC-F].
All issues that need further work have been recorded in Mantis (the OPC Foundation problem reporting tool). Mantis issue references are marked with (Mantis #XXXX), where XXX is the reference number within mantis.
All issues are planned to be solved with the next OPC UA specification (most likely version 1.04) respectively in the OPC Foundation’s ANSI-C stack for OPC UA, version 1.03.340.
Download the BSI report with the OPC Foundation responses: