Practical Pitfalls for Security in OPC UA
2021
In 2006, the OPC Foundation released the first specification for OPC Unified
Architecture protocol, one of the industrial protocols that promises security
features such as authentication, authorization, integrity, and confidentiality.
Challenges in the practical adoption of those security features by product
vendors, libraries implementing the standard, and end-users were not
investigated so far. In this work, we systematically investigate practical challenges to configure
OPC UA securely. In particular, we review 48 artifacts consisting of products
and libraries for OPC UA and show that 38 out of the 48 artifacts have one (or
more) security issue. In particular, we show that 7 OPC UA artifacts do not
support the security features of the protocol at all. In addition, 31 artifacts
that partially feature OPC UA security rely on incomplete libraries and come
with misleading instructions. Consequently, relying on those products and
libraries will result in vulnerable implementations of OPC UA security
features. We design, implement and demonstrate attacks in which the attacker
can steal credentials exchanged between victims, eavesdrop on process
information, manipulate the physical process through sensor values and actuator
commands, and prevent the detection of anomalies in the physical process.
Keywords:
- Correction
- Source
- Cite
- Save
- Machine Reading By IdeaReader
7
References
0
Citations
NaN
KQI