Authors: Caspar Gries, Sergey Tverdyshev (SYSGO AG)
In the publicly funded BaSys 4.0 project, SYSGO is cooperating with academic and industrial partners from the Industry Automation market such as ABB, Bosch and FESTO to develop an open platform for the Industry 4.0.
One network protocol that will likely play an integral role in that ecosystem is OPC UA, successor of the venerable Open Platform Communications protocol (OPC).
Primarily designed for Machine-to-Machine communication, OPC UA replaces the proprietary roots of its Windows COM/DCOM-based ancestor. It features an open design that anybody can use to roll their own protocol stack implementation. Quite a number of organisations have already done so, as a quick Google search shows.
Nevertheless, some OPC UA stacks have gained more popularity than others. The full-featured ANSI-C reference implementation by the OPC Foundation (OPCF) can be considered reasonably mature and comes with an attractive RCL/GPLv2 dual-licensing model. In combination, this has convinced some of the bigger players on the market to rely on the OPCF code base for their M2M needs.
Wherever there’s a network protocol in wide-spread use, sooner or later its security aspects will be probed by people with all kinds of different hat-colors [i.e. white hats (ethical hackers) and black hats (not-so-ethical ones)].
This has also been the thinking of the German Administration for IT Security (BSI), who had the foresight to assign the TÜV Süd Rail with an OPC UA security analysis in April 2016.
The resulting paper is structured into two main parts. The first one is a specification analysis that serves to uncover systematic flaws in the protocol design. Based on that, they did a hands-on penetration test on the OPCF reference implementation complete with extensive fuzz testing.
Good news first, the Foundation code appears to be pretty much bullet-proof and continuous bombardment with millions of garbage messages didn’t even manage to crash the stack, let alone uncover a more serious vulnerability. From the perspective of an IT security expert, by the way, that is an impressive outcome and really speaks for the maturity of a code base.
What’s more interesting are the results of the specification analysis.
The testers used the CVSS vulnerability scoring system to determine the impact of existing security flaws. The most critical issue with a CVSS rating of 6.7 reads as follows: “Erlangt ein Angreifer die Kontrolle über das Betriebssystem, auf dem eine OPC UA Applikation läuft, so kann er u.a. die Applikation beenden, den Arbeitsspeicher auslesen, usw.”
In other words, TÜV Süd sees the Operating System security as the most critical factor when employing OPC UA in any type of device. This is certainly an issue that every provider of Industry 4.0 technology should keep in mind.
Operating systems with strong security properties can support you here. For example with PikeOS, security policies created at engineering time enable you to define exactly which file system access or system calls are allowed at runtime and which are not.
Even a successful attack with execution of malicious code does not mean a full compromise of your device. The attacker will still be locked into their partition, which by default is unable to influence any other application running in parallel. In summary, BSI tells us that things are looking quite good for OPC UA.
Just don’t rely on the protocol stack alone, also keep an eye on the security of your overall system as well.