As many readers might be aware, the team at Digital Bond has conducted a security assessment of the OPC UA protocol, SDK and source code. They have recently posted some of the positive findings that will be part of their final report. The full details can be found here. I’ve included some of the more noteworthy remarks and recapped the major findings:
Noteworthy quotes:
“…there are numerous examples of positive findings and text in the report. In fact, there is no comparison between the security in OPC UA and the security of any other control system protocol, with the possible exception of Secure DNP3 and its IEC equivalent. The OPC Foundation should be commended for their security efforts and pressure should be applied to other protocols to step up.”
“the current profiles have leveraged existing, vetted crypto primitives and algorithms rather than try to tackle the difficult process of developing a new security algorithm”
“[the OPC UA SDK code] is among the cleanest code Digital Bond has seen in the control system space. The code is well written, easy to follow and contains good use of comments.”
“The security event logging required by the specification will be a fantastic help to attack detection and after incident analysis. It is the best the Digital Bond team has seen in this space by far.”
The major positive security findings include:
· Options for the use of encryption for confidentiality and signatures for source authentication and integrity, which means the protocol has ‘built-in’ security
· OPC UA uses a profile approach for specifying functionality including the crypto algorithms and key lengths. This provides flexibility and extensibility. Additionally, the current profiles have leveraged existing, vetted crypto primitives and algorithms.
· The OPC UA SDK code base is surprisingly clean of vulnerabilities for a code base of its size. Many common coding errors were not found and there are a number of well-written OPC wrappers of common C functionality. Comments in the code remind developers to use safe functions.
· Excellent security event logging requirements by the specification.
Of course, the whole point of security assessments is to highlight findings that could lead to vulnerabilities, and we know that the Digital Bond team has found some. The reason the OPC Foundation so strongly supports this initiative is to find and correct these issues before they make their way into live systems. Many of the findings have already been addressed or are in the process of being addressed. A lot of folks have put a lot of effort into ensuring the OPC UA specification stands up to its promise of being secure. Those efforts are clearly paying off in the form of a solid specification.