Team82’s OPC UA Deep Dive Series was always meant to be a compilation of our research into this most important of operational technology protocols. OPC UA standardizes data and communication between dozens of proprietary industrial control systems and devices that otherwise could not share information. Modern automation runs on OPC UA.
Therefore, it made sense to deeply examine the security of the protocol, starting with its origins and ultimately arriving at its security features and attack surface. The installments of this comprehensive guide that we’ve published since last April dissects these concepts and also includes practical and theoretical attacks against OPC UA, tools you can use to test the security of your implementations, and a community of vendors and practitioners who have collaborated with us to improve the safety and reliability of products built on top of the protocol.
In this final entry of the series, we will briefly recap the results of our research and also share helpful tips for asset owners. We are confident that OPC UA implementations are much more secure and robust. Most of our research was focused on helping OPC UA developers and vendors improve their protocol stack implementations, but we would like to share some tips for asset owners as well.
First, some outcomes:
Pwn2Own ICS: We participated and demonstrated our OPC UA exploits at three Pwn2Own competitions: Pwn2Own ICS 2020, 2022, 2023
CVEs: We found and reported on ~50 OPC-UA vulnerabilities/CVE across ~15 protocol stacks, which affect hundreds of OPC UA products.
Exploit Techniques: We developed ~12 unique exploit techniques that are universal and affected multiple vendors and pushed to change the specs.
Open-Source Tools: We have released open-source tools: our OPC UA network fuzzer and the OPC UA exploit framework.
OPC UA Specifications: We helped to improve the specifications and pushed the vendors toward better and more secure products.
OPC UA Slack: We’ve collaborated with major OPC-UA vendors and created a safe place, via a dedicated Slack workspace) to discuss security issues, architecture, and possible improvements for OPC-UA protocol stack implementations.
Public Talks: We’ve presented this research at major security conferences including DEFCON and Black Hat
Now, a do’s and don’ts checklist of best practices you can use to assess the safety of your deployments.
Regularly updating software is crucial for maintaining security because updates often include patches for known vulnerabilities. Software updates should not only cover the OPC UA server but also any underlying operating systems, libraries, and dependencies. Implementing a robust update process ensures that security patches are applied promptly to mitigate potential threats.
Enabling auditing allows for the tracking and monitoring of access and activities on the OPC UA server. Auditing helps in identifying security incidents, detecting anomalies, and providing accountability for actions performed within the system. By enabling auditing, organizations can enhance security posture and comply with regulatory requirements related to data protection and access control.
Role-based access control (RBAC) is essential for managing and controlling user access to OPC UA resources based on their roles and permissions.
Organizations should define roles and associated permissions tailored to their specific security requirements and operational needs.
RBAC helps in enforcing the principle of least privilege, ensuring that users only have access to the resources necessary for their tasks, thereby reducing the risk of unauthorized access and potential misuse of privileges.
Exposing OPC UA servers directly to the internet increases the risk of unauthorized access and potential cyberattacks. It's recommended to deploy OPC UA servers within a secure network environment, preferably behind firewalls and other network security measures.
If remote access is required, consider using secure VPNs or implementing other secure access methods rather than exposing the servers directly to the internet.
Allowing anonymous authentication poses significant security risks because it allows anyone to access the OPC UA server without providing credentials. Enforcing authentication ensures that only authorized users or devices can access the server, thereby preventing unauthorized access and potential data breaches.
Sharing or using common credentials across multiple users or systems increases the risk of credential theft and unauthorized access. Each user should have unique credentials, such as usernames and passwords, to access the OPC UA server. Implementing strong password policies and multi-factor authentication can further enhance security by adding layers of verification.
OPC UA supports different security modes, including None, Sign, SignAndEncrypt.
Choosing None or an invalid security mode leaves communication unprotected, making it vulnerable to eavesdropping, tampering, and other security threats. It's essential to select an appropriate security mode based on the security requirements of the system and the sensitivity of the data being transmitted.
OPC UA defines various security policies, such as Basic256, Basic256Sha256, etc., which specify encryption and signature algorithms. Selecting the None security policy means no encryption or signature is applied to the communication, leaving it vulnerable to attacks.
Organizations should choose security policies that provide adequate protection based on their security requirements and compliance standards.
Using self-signed certificates for authentication and encryption. Doing so may introduce security risks, because they are not issued by a trusted Certificate Authority (CA). Self-signed certificates can be susceptible to spoofing attacks and may not provide the same level of trust and validation as certificates issued by trusted CAs. Whenever possible, organizations should run their own CAs because they need to control their trusted network of applications. OPCA UA certificates are generally not designed to be verified primarily by a global CA, for example.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product sends attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable due to failure of the update mechanism to verify the update server's certificate which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7
%3A%20Security%20Tips%20for%20Asset%20Owners%20%7C%20Claroty&_biz_n=0&rnd=138675&cdn_o=a&_biz_z=1743852576723)
%3A%20Security%20Tips%20for%20Asset%20Owners%20%7C%20Claroty&rnd=902175&cdn_o=a&_biz_z=1743852576724)