Security Analysis of Vendor Implementations of the OPC UA Protocol for Industrial Control Systems
Alessandro Erba, Anne Müller, Nils Ole Tippenhauer

TL;DR
This paper systematically investigates the security of OPC UA implementations in industrial control systems, revealing widespread vulnerabilities and demonstrating real-world attack scenarios that compromise critical infrastructure security.
Contribution
It provides the first comprehensive analysis of OPC UA vendor implementations, identifying security gaps and demonstrating practical attack methods.
Findings
38 out of 48 artifacts have security issues
7 artifacts do not support OPC UA security features
Demonstrated attacks can steal credentials, eavesdrop, manipulate processes, and prevent anomaly detection
Abstract
The OPC UA protocol is an upcoming de-facto standard for building Industry 4.0 processes in Europe, and one of the few industrial protocols that promises security features to prevent attackers from manipulating and damaging critical infrastructures. Despite the importance of the protocol, challenges in the adoption of OPC UA's security features by product vendors, libraries implementing the standard, and end-users were not investigated so far. In this work, we systematically investigate 48 publicly available artifacts consisting of products and libraries for OPC UA and show that 38 out of the 48 artifacts have one (or more) security issues. In particular, we show that 7 OPC UA artifacts do not support the security features of the protocol at all. In addition, 31 artifacts that partially feature OPC UA security rely on incomplete libraries and come with misleading instructions.…
Taxonomy
Topics: Physical Unclonable Functions (PUFs) and Hardware Security · Security and Verification in Computing · Smart Grid Security and Resilience
