Security Analysis of Vendor Implementations of the OPC UA Protocol for Industrial Control Systems
This work addresses security risks in critical infrastructure by exposing widespread vulnerabilities in vendor implementations of the OPC UA protocol, which is incremental as it builds on known protocol standards but reveals new adoption challenges.
The study systematically analyzed 48 publicly available OPC UA protocol implementations for industrial control systems, finding that 38 had security issues, including 7 with no security features and 31 with incomplete or misleading implementations, leading to vulnerabilities like credential theft and process manipulation.
The OPC UA protocol is an upcoming de-facto standard for building Industry 4.0 processes in Europe, and one of the few industrial protocols that promises security features to prevent attackers from manipulating and damaging critical infrastructures. Despite the importance of the protocol, challenges in the adoption of OPC UA's security features by product vendors, libraries implementing the standard, and end-users were not investigated so far. In this work, we systematically investigate 48 publicly available artifacts consisting of products and libraries for OPC UA and show that 38 out of the 48 artifacts have one (or more) security issues. In particular, we show that 7 OPC UA artifacts do not support the security features of the protocol at all. In addition, 31 artifacts that partially feature OPC UA security rely on incomplete libraries and come with misleading instructions. Consequently, relying on those products and libraries will result in vulnerable implementations of OPC UA security features. To verify our analysis, we design, implement, and demonstrate attacks in which the attacker can steal credentials exchanged between victims, eavesdrop on process information, manipulate the physical process through sensor values and actuator commands, and prevent the detection of anomalies.