Full Report
This paper discusses our project that involved searching for vulnerabilities in implementations of the OPC UA protocol. In publishing this material, we hope to draw the attention of vendors that develop software for industrial automation systems and the industrial internet of things to problems associated with using such widely available technologies, which turned out to be quite common.
Analysis Summary
# Research: OPC UA Security Analysis
## Metadata
- **Authors:** Pavel Cheremushkin, Sergey Temnikov
- **Institution:** Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT)
- **Publication:** Kaspersky ICS CERT Reports
- **Date:** May 10, 2018
## Abstract
This research presents a comprehensive security audit of various implementations of the OLE for Process Control Unified Architecture (OPC UA) protocol. As the primary communication standard for Industrial IoT (IIoT) and Industry 4.0, the security of OPC UA is critical. The research identifies numerous vulnerabilities across multiple commercial and open-source stacks, highlighting systemic issues in how developers implement this complex protocol.
## Research Objective
The study aims to evaluate the practical security posture of OPC UA implementations. It addresses a central question: Is the technical complexity of the OPC UA specification leading to common, repeatable security flaws in the software stacks used by industrial automation vendors?
## Methodology
### Approach
The researchers employed a multi-stage security analysis:
1. **Static Analysis:** Manual and automated code review of open-source implementations.
2. **Binary Analysis:** Reverse engineering of proprietary, closed-source commercial products.
3. **Fuzz Testing:** Using instrumentation-based fuzzing to identify memory corruption and logic errors in protocol parsers.
4. **Proof-of-Concept (PoC) Development:** Creating exploits to demonstrate the impact of identified vulnerabilities.
### Dataset/Environment
The researchers tested a diverse range of products, including:
- **Open-source stacks:** UA-SICP-Stack (C++), open62541 (C), and FreeOpcUa (Python/C++).
- **Commercial SDKs:** Leading industrial stacks from vendors like Unified Automation.
- **End-user products:** SCADA systems, HMI units, and PLC communication gateways from global vendors (Siemens, Schneider Electric, etc.).
### Tools & Technologies
- **American Fuzzy Lop (AFL):** For coverage-guided fuzzing.
- **AddressSanitizer (ASan):** For detecting memory safety violations.
- **Wireshark:** For deep packet inspection and protocol analysis.
- **IDA Pro:** For reverse engineering proprietary binaries.
## Key Findings
### Primary Results
1. **Widespread Memory Safety Issues:** Multiple implementations were vulnerable to buffer overflows, heap out-of-bounds access, and use-after-free errors.
2. **Denial of Service (DoS):** Researchers found numerous ways to crash OPC UA servers and clients using malformed "Hello" messages or asymmetrical resource exhaustion.
3. **Logic Vulnerabilities:** Significant flaws in how security certificates and authentication tokens were validated, sometimes allowing authentication bypass.
4. **Implementation Divergence:** While the OPC UA specification is theoretically secure, the high barrier to entry leads to developers taking "shortcuts" that introduce critical holes.
### Supporting Evidence
- **17+ CVEs identified:** The research resulted in the discovery and reporting of over 17 distinct vulnerabilities (at the time of initial publication).
- **Vendor confirmation:** Major industrial vendors acknowledged the findings and released security advisories/patches based on this research.
### Novel Contributions
- This study was one of the first publicly available deep-dives into the *implementation* security of OPC UA rather than just the *theoretical* cryptographic design of the protocol.
## Technical Details
The research highlights a specific vulnerability class in the **Binary Encoding** of OPC UA messages. Because the protocol allows complex nested structures and arrays, parsers often trust the "Size" fields in the headers before allocating memory. A packet claiming a multi-gigabyte array size then either makes the allocation fail, with the unchecked null result dereferenced, or forces a massive allocation that exhausts memory; either way the result is an immediate Denial of Service (DoS) of the industrial controller or SCADA server.
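As an added illustration (not code from the Kaspersky report or from any of the stacks it tested), the following C decoder for the OPC UA ByteString type shows the checks a parser needs before acting on a wire-supplied length: a policy cap, a comparison against the bytes actually received, and a test of the allocation result. The status codes, the 1 MiB cap and the sample messages are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Decoder status codes (constructed for this example; not real OPC UA StatusCodes). */
enum { UA_OK = 0, UA_ERR_TRUNCATED, UA_ERR_BAD_LENGTH, UA_ERR_TOO_LARGE, UA_ERR_OOM };
/* Policy cap on a single ByteString (assumed value; real stacks make this configurable). */
#define UA_MAX_BYTESTRING_LEN (1u << 20)
typedef struct { const uint8_t *buf; size_t len; size_t pos; } ua_reader;

/* OPC UA binary encoding: lengths are little-endian Int32; -1 encodes a null value. */
static int read_i32(ua_reader *r, int32_t *out) {
    if (r->len - r->pos < 4) return UA_ERR_TRUNCATED;
    uint32_t v = (uint32_t)r->buf[r->pos] | (uint32_t)r->buf[r->pos + 1] << 8 |
                 (uint32_t)r->buf[r->pos + 2] << 16 | (uint32_t)r->buf[r->pos + 3] << 24;
    *out = (int32_t)v; r->pos += 4;
    return UA_OK;
}

/* The pattern the report describes is `p = malloc(n); memcpy(p, src, n);` with n taken straight
   from the wire. Here n is checked against the cap and the bytes actually received first. */
int ua_decode_bytestring(ua_reader *r, uint8_t **out, size_t *out_len) {
    int32_t n; *out = NULL; *out_len = 0;
    int rc = read_i32(r, &n);
    if (rc != UA_OK) return rc;
    if (n == -1) return UA_OK;                                 /* null ByteString */
    if (n < -1) return UA_ERR_BAD_LENGTH;                      /* other negatives are invalid */
    if ((uint32_t)n > UA_MAX_BYTESTRING_LEN) return UA_ERR_TOO_LARGE;
    if ((size_t)n > r->len - r->pos) return UA_ERR_TRUNCATED;  /* claims more than was sent */
    uint8_t *p = malloc(n > 0 ? (size_t)n : 1);
    if (p == NULL) return UA_ERR_OOM;                          /* never dereference a failed alloc */
    memcpy(p, r->buf + r->pos, (size_t)n);
    r->pos += (size_t)n;
    *out = p; *out_len = (size_t)n;
    return UA_OK;
}

/* Decode a message consisting of a single ByteString and report only the status. */
int ua_check_bytestring_msg(const uint8_t *msg, size_t msg_len) {
    ua_reader r = { msg, msg_len, 0 };
    uint8_t *data; size_t n;
    int rc = ua_decode_bytestring(&r, &data, &n);
    free(data);
    return rc;
}
/* Constructed sample messages, not captured traffic. */
static const uint8_t MSG_OK[]    = { 0x03, 0, 0, 0, 'O', 'P', 'C' };  /* length 3, then "OPC" */
static const uint8_t MSG_NULL[]  = { 0xff, 0xff, 0xff, 0xff };      /* length -1: null value */
static const uint8_t MSG_HUGE[]  = { 0xff, 0xff, 0xff, 0x7f };      /* 0x7fffffff: claims ~2 GiB */
static const uint8_t MSG_SHORT[] = { 0x10, 0, 0, 0, 'A', 'B' };     /* claims 16 bytes, sends 2 */
static const uint8_t MSG_NEG[]   = { 0xfe, 0xff, 0xff, 0xff };      /* length -2: reserved */
```

The same three checks apply to every length-prefixed type in the encoding (String, array lengths, ExtensionObject bodies), and the cap should be enforced cumulatively across a nested message, not just per field.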
## Practical Implications
### For Security Practitioners
- **Don't Assume Protocol Safety:** Just because a device uses "Secure" OPC UA doesn't mean the software stack is resilient against malformed data.
- **Legacy Risk:** Many embedded devices use older, unpatched versions of these SDKs that remain vulnerable for years.
### For Defenders
- **Network Segmentation:** Place OPC UA traffic in dedicated VLANs.
- **Deep Packet Inspection (DPI):** Utilize industrial firewalls capable of validating OPC UA message structures to filter out malformed packets at the perimeter.
- **Patch Management:** Prioritize firmware updates for PLCs and HMIs that use the affected stacks (e.g., Siemens SIMATIC, Schneider Electric, etc.).
### For Researchers
- **Stack-based Analysis:** Future research should focus on the "glue code" between the OPC UA stack and the application logic, which is often a source of input validation failures.
## Limitations
- The research focused primarily on the **unauthenticated** phase of the protocol (initial handshake and discovery), as these provide the highest impact for attackers.
- The study does not cover every available OPC UA implementation, focusing instead on the most popular commercial and open-source versions.
## Comparison to Prior Work
Previous research often analyzed the cryptographic primitives of OPC UA (e.g., RSA, SHA-256 usage). This paper shifts the focus toward **Software Security**: the "boring" but critical bugs, like buffer overflows, that are often more exploitable in an industrial context than breaking high-level encryption.
## Real-world Applications
- **Infrastructure Protection:** The findings apply directly to power plants, water treatment facilities, and manufacturing lines using OPC UA for data aggregation.
- **Secure Development Lifecycle (SDL):** Provides a roadmap for industrial vendors to improve their internal testing by incorporating fuzzing into their build pipelines.
## Future Work
- Analysis of OPC UA over Pub/Sub (MQTT/AMQP) models, which were emerging at the time of the report.
- Evaluating the security of the "Global Discovery Service" (GDS) and centralized certificate management in large-scale deployments.
## References
- OPC Foundation Specification (OPC 10000-1 to 10000-14).
- Kaspersky ICS CERT CVE Database.
- Related Research: [bsh-kaspersky-ics-cert-opc-ua-10-2018] (hXXps://ics-cert[.]kaspersky[.]com/media/KL_OPCUA_MAY_2018_EN.pdf)