OPC Cybersecurity: Larry O’Brien from ARC talks to with Randy Armstrong of the OPC Foundation
The OPC Foundation publishes security bulletins that affect software that it maintains or distributes. In many cases these bulletins will affect code that OPC vendors incorporate into their products. As a result, vendors will have to patch their products to address the vulnerabilities identified.
All the bulletins that have been published are available here.
Any vulnerabilities or security concerns should be reported to ‘securityteam AT opcfoundation DOT org’.
A PGP key to encrypt any sensitive security report can be found here.
Security Deep Dive Webinar
Java log4j2 vulnerability
A new a critical vulnerability to the open source log4j2 Java service was announced. This vulnerability (CVE-2021-44228) has been rated with a CVSS score of 10.0.
Information for OPC users can be found here:
- Classic OPC (including OPC Core Components).
- OPC UA (including open source code managed by the OPC Foundation).
Security Analysis by Kaspersky Labs
On May 10th, 2017 Kaspersky Labs released a report identifying 17 zero day vulnerabilities in OPC Foundation code.
- The OPC Foundation’s formal response can be found here.
- The complete list of vulnerabilities along with references to appropriate CVEs can be found here.
- The process that the OPC Foundation follows when these kinds of concerns are raised can be found here.
Practical Security Recommendations for Building OPC UA applications
!! Updated v3 available !!
OPC Foundation members and partners have published the whitepaper “Practical Security Recommendations”.
January, 2017: First Security Analysis by German Office for Information Security (BSI)
The BSI reviewed the OPC UA security mechanisms and created an evaluation report. Two analyses were performed for this purpose: In the first part of the project, the specification of the OPC UA was analyzed Protocol version 1.02 on systematic errors. This analysis was divided into the following steps:
- Analysis of already carried out investigations of IT security by OPC UA
- Threat analysis (analysis of the objectives and threats, analysis of threats and measures)
- Analysis of the OPC UA specification in detail with an emphasis on the parts of 2, 4, 6, 7 and 12
The Security working group of the OPC Foundation assessed the findings in the BSI report and initiated necessary measures. Although no major flaws had been detected, these measures will help improve the document and the implementations.
The OPC Foundation responses have been inserted into the original BSI report. Each response is labelled with [OPC-F].
All issues that need further work have been recorded in Mantis (the OPC Foundation problem reporting tool). Mantis issue references are marked with (Mantis #XXXX), where XXX is the reference number within mantis.
All issues are planned to be solved with the next OPC UA specification (most likely version 1.04) respectively in the OPC Foundation’s ANSI-C stack for OPC UA, version 1.03.340.
Download the BSI report with the OPC Foundation responses:
February, 2022: Second Security Analysis by German Office for Information Security (BSI)
BSI: Subject of the analysis – Chapter 2
OPC UA was one of the first protocols to be set as an Industrie 4.0 standard by Plattform Industrie 4.0. Compared to other industrial communication protocols, OPC UA in the variant of the client-server communication paradigm offers integrated security mechanisms for authenticated, integrity-protected and, if necessary, encrypted communication, as well as mechanisms to authorize applications or users for access to the corresponding information models. The specified security mechanisms are basically suitable for ensuring secure communication according to the state of the art. This was already examined and confirmed in 2016 in a study conducted on behalf of the BSI for OPC UA Version 1.02. In addition to the analysis of the standard and a threat analysis, the ANSI C implementation of the OPC Foundation was also examined using static and dynamic code analysis including fuzzing.
Since this study from 2016, there have been major changes in both the OPC UA specification and the implementations provided by the OPC Foundation. OPC UA is now specified in version 1.04 and the most comprehensive change is certainly the newly added communication paradigm PubSub. Other parts of the standard, which cover certificate management for example, have also undergone major changes. The ANSI C implementation (the implementation examined in the 2016 study) is now only available as a legacy version. In addition, more and more products are appearing with (certified) OPC UA support, although it is not always apparent which security functions have been implemented in each case via the security policies and user identity tokens. This includes, for example, the support of a Global Discovery Server (GDS).
Based on this initial situation, it makes sense to update the 2016 study and add new aspects to the investigation. The aim of this study is therefore to provide an update of the 2016 study based on version 1.04 of the OPC UA standard.
For the update of the study, all security-relevant changes to the OPC UA specification from version 1.02 to 1.04 were therefore collected and the new version of the specification was examined for vulnerabilities and improvements analogous to the study from 2016. In agreement with the German Federal Office for Safety, PubSub (Part 14) as a new communication paradigm was not considered as part of the update, since the major differences between the two communication paradigms, client/server and PubSub, would not ensure comparability of the results. In addition, no complete (or certified) implementations were available at the time the study was updated. PubSub and the infrastructure required for it should therefore be examined at a later date as part of a separate analysis.
In the context of updating the study, an open (open source) implementation of the OPC UA protocol should be investigated using static and dynamic code analysis methods. It has been chosen open62541 [Open source implementation by Fraunhofer. Note by OPCF: This is not a solution or an offering by the OPC Foundation] as open implementation for investigation in the updated study. On the one hand, it is investigated whether parts of the vulnerabilities identified in 2016 can also be found in the new implementation, if applicable, but also what other anomalies occur during the tests. Any vulnerabilities found will be implemented as far as possible in proof-of-concept exploits and attacks on the implementation or standard will be demonstrated.
In addition, a market survey will be conducted to determine which security mechanisms have been implemented in the individual products and what difficulties the manufacturers encountered in doing so. The results are to be recorded in recommendations for action for secure implementation by manufacturers and integrators.
Download the BSI report:
- English under preparation