OPC Details Vulnerability Findings

By Thomas Burke
After Kaspersky Labs issued a report identifying 17 security issues in some Object Linking and Embedding for Process Control Unified Automation (OPC UA) implementations, we sat down at the OPC Foundation to give a more detailed report on the vulnerabilities.

Earlier this month, Kaspersky Lab reported they found 17 Zero Day vulnerabilities the OPC Foundation ended up fixing in the OPC UA protocol. OPC UA ended up developed to provide secure communications between systems on industrial networks. OPC UA launched in 2006.

RELATED STORIES
17 Zero Days Cleared in OPC UA
Charter of Trust: ‘Show the World This is Real’
Security: People as a Strength
Attack Group Targets Healthcare, Manufacturing

The OPC Foundation reviewed the claims made in the Kaspersky report and found:
• Eight issues were associated with an OPC Foundation ANSI-C sample server application provided with the ANSI-C stack code in GitHub. These issues did not affect the ANSI C stack itself or products based on commercial SDKs. Nevertheless, all issues have been fixed.
• Six issues were associated with the OPC Foundation server enumerator (LDS). These were fixed in 2017 and a CVE was published. These issues were not exploitable remotely.
• Three issues affected some products in the field. Specifically:
1) One issue was specific to a product from a vendor who published a CVE in 2016
2) The second issue is specific to a product from a vendor who is working on a fix and will report it to U.S. ICS-CERT as soon as possible
3) The third issue affected a legacy .NET stack that was fixed by the OPC Foundation in 2017. OPC users were notified of this issue via a CVE in 2017

In addition, to alleviate potential confusion the Kaspersky Labs report may have created about the security the OPC UA standard offers, we at the OPC Foundation want to point out:
• The OPC UA software eco-system is composed of multiple commercial OPC UA SDK/Toolkit vendors that offer well tested and well documented products
• The vast majority of OPC UA products are based on these commercial OPC UA SDK/Toolkits and are not affected by the issues with the ANSI-C sample server application published on GitHub
• The OPC Foundation works cooperatively with vendors to have the open source code base tested by external security organizations and have those results incorporated into GitHub

The broad adoption of OPC UA on a global basis reflects the market’s deep need for secure, open data connectivity and interoperability in manufacturing and beyond. Fortunately, this means the OPC UA standard and its various open-source implementations are continuously subjected to close scrutiny by many in the large and active OPC UA community. That is something the OPC Foundation openly welcomes as this only makes the open-source implementations better.

Click here for detailed information on the process for managing security issues.

The OPC Foundation remains committed to addressing all issues as they arise, to working with OPC vendors to ensure software is patched quickly, and to notifying OPC users about the issues and the fixes. This process of continuous improvement based on open source software is a major reason why OPC UA is so successful in market today. The OPC Foundation will continue to provide its users with the robust and secure foundation that they expect from a key industrial interoperability standard.
Thomas Burke is the president and executive director of the OPC Foundation.