The Kaspersky Report: It's not really about OPC UA


By Bob McIlvride, Director, Communications, Skkynet Cloud Systems

The industrial automation world has been abuzz over Kaspersky Lab's new report that OPC UA and products that integrate it have security issues. Kaspersky Lab used common exploit discovery techniques to identify 17 critical vulnerabilities in the OPC UA software they tested. There is no reason to doubt their methodology, but we should all pay attention to the conclusions we draw.

OPC UA is a protocol intended to enable client/server networking for industrial communication. The flaws that Kaspersky identified were exposed on an OPC UA server, which by definition waits for network connections from OPC UA clients. Any application that waits for connections on a network can also be a malicious hacker's point of attack. This is not unique to OPC UA – it is a fact of the design of TCP/IP networks. Period.

Don't believe it? Read the report. How did they discover the vulnerabilities in OPC UA and related products? Using a technique called "fuzzing," they used a specially crafted client application to send a rapid flood of messages to the UA server, each of which was in some way slightly altered, or "mutated," from a standard message. Sooner or later, one of these messages would cause the server to crash or uncover an exploitable vulnerability. This technique can be used on any networked server, such as a web server, VPN server, RDP server, or manufacturer-supplied remote access server.

What the report does not say, and it's so obvious that we might overlook it, is that this type of attack can only succeed if the intruder has access to the server in the first place. All software has bugs. Any program exposed to the Internet is fair game. However, as long as your servers are operating on a trusted network and you keep all incoming firewall ports closed, there is no risk of attack from the outside, no matter how hard the attacker tries.


The Real Problem

The real problem is that the standard approach to industrial data communication is not appropriate for untrusted networks like the Internet. We are used to a client on the user side connecting to a server at the data source – after all, this is the classic client-server architecture. But for Industrial IoT, this approach poses a serious risk because the client is often outside the trusted network. It needs an open firewall port in the plant in order to connect. This design itself is the basic reason for the security problem. Rather than expect protocols or software to be bug-free and impervious to attack, it makes more sense to find a more secure design approach.

When only outgoing connections are used, all incoming firewall ports remain closed.

A Better Solution

A better solution is not to allow inbound connections at all. The entire Kaspersky Lab scenario was built on repeated client connections into the server's network. What happens if the server (over which the attacker has no control) connects to the client instead? If only outbound connections can be made, from the data source to the data user, the entire threat vector is eliminated. When all incoming firewall ports are closed, the plant network and all its OPC UA servers become invisible. And you cannot attack what you cannot see.

Is this possible? Yes. It is being done today. This approach to industrial data communication runs worldwide in production systems and is fully compatible with OPC UA. By keeping OPC UA servers within the trusted network and keeping all firewall ports closed, this approach enables secure Industrial IoT connectivity while leveraging the benefits of OPC UA in the plant.
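The outbound-only pattern described above, sketched as an added example (not code from this article, from Skkynet, or from any OPC UA product): a plant-side agent dials out to a relay, and the relay sends read requests back over that plant-initiated connection. The JSON line protocol, tag names and function names are assumptions made for illustration; this is not OPC UA itself.

```python
import json
import socket
import threading

# Constructed tag values standing in for data read from an OPC UA server
# inside the plant (hypothetical names).
PLANT_TAGS = {"Line1.Temperature": 71.5, "Line1.Pressure": 2.4}


def plant_agent(relay_addr):
    """Runs inside the trusted network. It only dials OUT; it never calls
    bind()/listen(), so no inbound firewall port is needed for it."""
    with socket.create_connection(relay_addr, timeout=5) as conn:
        with conn.makefile("rw", encoding="utf-8", newline="\n") as stream:
            for line in stream:  # requests arrive on the outbound connection
                tag = json.loads(line).get("read")
                reply = {"tag": tag, "value": PLANT_TAGS.get(tag)}
                stream.write(json.dumps(reply) + "\n")
                stream.flush()


def relay_read(listener, tags):
    """Runs outside the plant (DMZ or cloud). It is the only listener, so it
    is the component that must be hardened and patched against fuzzing."""
    conn, _ = listener.accept()  # connection was initiated by the plant
    with conn, conn.makefile("rw", encoding="utf-8", newline="\n") as stream:
        results = {}
        for tag in tags:
            stream.write(json.dumps({"read": tag}) + "\n")
            stream.flush()
            results[tag] = json.loads(stream.readline())["value"]
        return results


def demo():
    listener = socket.create_server(("127.0.0.1", 0))  # relay side only
    listener.settimeout(5)
    agent = threading.Thread(target=plant_agent, args=(listener.getsockname(),))
    agent.start()
    try:
        return relay_read(listener, ["Line1.Temperature", "Line1.Pressure"])
    finally:
        listener.close()
        agent.join(timeout=5)


if __name__ == "__main__":
    print(demo())
```

The plant side holds no listening socket at any point, so the listening attack surface sits entirely on the relay outside the plant firewall.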


About the Author

Bob McIlvride is the Director of Communications at Skkynet Cloud Systems, Inc., a provider of real-time data information systems. He has worked for over 15 years as a professional technical writer in the field of industrial process control and can be reached at [email protected]

