Experts from Kaspersky Lab ICS CERT (the Industrial Control Systems Cyber Emergency Response Team) analyzed OPC UA (OPC Unified Architecture), a protocol developed specifically for industrial facilities.
The study identified 17 zero-day vulnerabilities in OPC Foundation products, as well as several vulnerabilities in commercial applications that use them. By exploiting these bugs, attackers could execute arbitrary code or cause a denial of service (DoS). All of the flaws are reported to have been found and fixed by March 2018.
IEC 62541 OPC Unified Architecture (OPC UA) was developed in 2006 by the OPC Foundation consortium for reliable and secure data transmission in process networks. It is essentially an improved version of the OPC protocol, which is used universally across industrial sectors. Its new features and well thought-out architecture have made OPC UA increasingly popular with automation system vendors, and over time the standard is expected to become the basis of communication in Industrial Internet of Things (IIoT) systems and smart cities worldwide.
Kaspersky Lab ICS CERT initially conducted security audits and penetration tests at several industrial sites. All of the audited organizations used the same industrial control system (ICS) software product, in which the experts looked for vulnerabilities. It turned out that some of its network services communicated over OPC UA, which prompted the experts to study the protocol itself.
All vulnerabilities discovered during the research were immediately reported to the software developers. The OPC Foundation and the other commercial product teams responded promptly to the notifications and quickly fixed the problems.
Most of the errors in third-party products built on the OPC UA Stack were caused by developers misusing the functions of the OPC Foundation API implemented in the uastack.dll library: for example, misinterpreting the values of fields in transmitted data structures.
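To make the failure mode concrete, the following added example (written for this article; it is not code from the OPC Foundation stack and does not reproduce any of the specific flaws Kaspersky found) decodes one OPC UA String from its binary encoding. Per the OPC UA binary encoding, a String is a little-endian signed Int32 byte length followed by that many UTF-8 bytes, with -1 meaning null. The naive decoder drops the sign and never checks the bytes remaining in the message, which is exactly the kind of field misinterpretation the paragraph describes; the hardened decoder beside it checks the sentinel, the sign and both buffer bounds. The function names, status codes and sample messages are hypothetical and constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes are hypothetical, chosen for this example. */
enum ua_status { UA_OK = 0, UA_NULL = 1, UA_BAD_LENGTH = 2, UA_BAD_ENCODING = 3 };

/* Little-endian signed Int32, as used for String lengths in the OPC UA binary encoding. */
static int32_t read_i32_le(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Naive decoder illustrating the bug class: the signed length is read as
 * unsigned (so the null sentinel -1 becomes ~4 GiB) and neither the message
 * size nor the output capacity is consulted. Only safe on well-formed input. */
size_t naive_decode_string(const uint8_t *msg, size_t msg_len, char *out, size_t out_cap) {
    (void)msg_len; (void)out_cap;                 /* never checked: the bug */
    uint32_t len = (uint32_t)read_i32_le(msg);    /* sign dropped: the bug */
    memcpy(out, msg + 4, len);                    /* overread / overflow on bad input */
    out[len] = '\0';
    return len;
}

/* Hardened decoder: validates the header, the -1 null sentinel, negative
 * lengths, the bytes left in the message and the caller's buffer capacity.
 * Advances *pos past the field on success or null. */
enum ua_status ua_decode_string(const uint8_t *msg, size_t msg_len, size_t *pos,
                                char *out, size_t out_cap, size_t *out_len) {
    *out_len = 0;
    if (out_cap == 0) return UA_BAD_LENGTH;
    out[0] = '\0';
    if (*pos > msg_len || msg_len - *pos < 4) return UA_BAD_ENCODING; /* truncated header */
    int32_t len = read_i32_le(msg + *pos);
    if (len == -1) { *pos += 4; return UA_NULL; }  /* null string per the encoding */
    if (len < 0) return UA_BAD_LENGTH;              /* any other negative value is invalid */
    size_t n = (size_t)len;
    if (n > msg_len - *pos - 4) return UA_BAD_LENGTH; /* would read past the message */
    if (n >= out_cap) return UA_BAD_LENGTH;           /* would overflow the caller's buffer */
    memcpy(out, msg + *pos + 4, n);
    out[n] = '\0';
    *pos += 4 + n;
    *out_len = n;
    return UA_OK;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t SAMPLE_HELLO[]    = {0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o'};
const uint8_t SAMPLE_NULL[]     = {0xff, 0xff, 0xff, 0xff};
const uint8_t SAMPLE_NEGATIVE[] = {0x00, 0x00, 0x00, 0x80};      /* INT32_MIN */
const uint8_t SAMPLE_OVERSIZE[] = {0x10, 0x00, 0x00, 0x00, 'a', 'b'}; /* claims 16, has 2 */
const uint8_t SAMPLE_TRUNC[]    = {0x05, 0x00};                   /* header cut short */

/* Runs the hardened decoder over every sample; returns 1 if all behave as expected. */
int self_check(void) {
    char buf[32]; size_t pos, n;
    pos = 0;
    if (ua_decode_string(SAMPLE_HELLO, sizeof SAMPLE_HELLO, &pos, buf, sizeof buf, &n) != UA_OK
        || n != 5 || strcmp(buf, "hello") != 0 || pos != 9) return 0;
    pos = 0;
    if (ua_decode_string(SAMPLE_NULL, sizeof SAMPLE_NULL, &pos, buf, sizeof buf, &n) != UA_NULL
        || pos != 4) return 0;
    pos = 0;
    if (ua_decode_string(SAMPLE_NEGATIVE, sizeof SAMPLE_NEGATIVE, &pos, buf, sizeof buf, &n) != UA_BAD_LENGTH) return 0;
    pos = 0;
    if (ua_decode_string(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE, &pos, buf, sizeof buf, &n) != UA_BAD_LENGTH) return 0;
    pos = 0;
    if (ua_decode_string(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &pos, buf, sizeof buf, &n) != UA_BAD_ENCODING) return 0;
    return 1;
}

int main(void) {
    char buf[32];
    /* The naive decoder is only ever fed the well-formed sample here. */
    size_t n = naive_decode_string(SAMPLE_HELLO, sizeof SAMPLE_HELLO, buf, sizeof buf);
    printf("naive: %zu bytes \"%s\"\n", n, buf);
    printf("hardened self-check: %s\n", self_check() ? "pass" : "FAIL");
    return self_check() ? 0 : 1;
}
```

The null-sentinel case is the one most often mishandled in practice: a decoder that treats the Int32 as unsigned turns a perfectly legal null String into a request to copy four gigabytes, which is enough to crash a server (DoS) and, depending on what sits after the destination buffer, to corrupt memory.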
“Very often software developers overly trust industrial protocols and implement these technologies without conducting a thorough security review. In such cases, vulnerabilities can affect the success of the entire product line. It is necessary to pay close attention to innovations that are widely used in various industrial sectors. Many people think that creating their own protocols is more efficient and safer, but even completely new software can contain numerous vulnerabilities,” says Sergey Temnikov, senior researcher at Kaspersky Lab ICS CERT.