This year’s Pwn2Own Miami 2022 contest ended on April 21st 2022 with competitors earning $400,000 for 26 zero-day exploits targeting ICS and SCADA products. Security researchers targeted multiple product categories, including OPC Unified Architecture (OPC UA) Server. Dutch security researchers Daan Keuper and Thijs Alkemade said that breaking into OPC UA, an open-source communications protocol, was the “easiest” thing they’d hacked at the conference so far. Hacking the OPC UA protocol won the duo $40,000 and helped them secure the conference’s championship title, “Master of Pwn.”
OPC UA is used pretty much everywhere in the industrial world as a connector between systems. In a .NET implementation, the duo demonstrated that unauthorised access was possible; in a C++ implementation, they found a DDoS vulnerability.
The flaw the duo found bypasses the authentication normally required to read or change anything, and, alarmingly, it took the researchers only a couple of days to identify.
The IEC 62541 OPC Unified Architecture (OPC UA) standard was developed in 2006 by the OPC Foundation consortium for the reliable and, importantly, secure transfer of data between the various systems on an industrial network. OPC UA is not immune to vulnerabilities; throughout its life numerous flaws have been identified and addressed. Kaspersky Labs undertook an OPC UA security analysis back in 2018 and identified 17 zero-day vulnerabilities, as well as several others in commercial applications that use these products.
It is safe to assume there are still undisclosed issues in OPC UA that will be uncovered over time. For now it is prudent to ensure that OPC UA is correctly secured; you can read more about this at the OPC Foundation here.
The benefit of open standards is that they are scrutinised by a wider community. With more eyes on the code and its implementations, there is more scope for early warning of vulnerabilities like those identified by Daan and Thijs.
OPC, and the security thereof, is only part of the overall work needed to secure a modern, connected industrial control system. Assuming further vulnerabilities will be identified not only in OPC UA but in other products and operating systems as well, how do you keep up to date and secure? That is a really good question, and the answer will differ from site to site. We must accept the possibility of a breach and monitor for the changes one would produce.
Industrial control systems are reasonably deterministic, which means that monitoring tools can establish a good baseline of normal operation. Add Yara and Snort rules, with a sprinkle of artificial intelligence and machine learning, and you have a fine recipe for early identification. The protection comes from acting on what your alarm systems tell you!
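To make the baselining idea concrete, here is an added example (not code from the original post or from SolutionsPT) that learns the set of client-to-server flows seen during a known-good window of a constructed connection log and then flags live flows that deviate from it. The log format, the addresses and the hostnames are all made up for the example; port 4840 is the IANA-registered OPC UA TCP port. The point it shows is that on a deterministic plant network a simple allow-set of flows already surfaces a new client, a new server endpoint, or a known client talking to a server it never used before.

```python
"""Baseline-and-deviation check for ICS connection logs.

Added example, not from the original post or from SolutionsPT. It assumes a
constructed, simplified connection log where each line reads
"<timestamp> <src_ip> -> <dst_ip>:<dst_port> <protocol>" and treats the
learning window as a known-good period. Port 4840 is the registered OPC UA
TCP port; every address below is made up.
"""

# Constructed sample: a known-good learning window ...
BASELINE_LOG = """\
2022-04-18T08:00:01 10.10.1.20 -> 10.10.1.5:4840 opcua
2022-04-18T08:00:02 10.10.1.21 -> 10.10.1.5:4840 opcua
2022-04-18T08:00:03 10.10.1.20 -> 10.10.1.5:4840 opcua
2022-04-18T08:00:04 10.10.1.30 -> 10.10.1.6:502 modbus
"""

# ... and a constructed live window to compare against it.
LIVE_LOG = """\
2022-04-21T09:00:01 10.10.1.20 -> 10.10.1.5:4840 opcua
2022-04-21T09:00:02 10.10.1.99 -> 10.10.1.5:4840 opcua
2022-04-21T09:00:03 10.10.1.21 -> 10.10.1.7:4840 opcua
"""


def parse(log):
    """Yield (timestamp, src_ip, dst_ip, dst_port, protocol) per log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, proto = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield ts, src, dst_ip, int(dst_port), proto


def learn_baseline(log):
    """Return the set of (src, dst_ip, dst_port) flows seen in the known-good window."""
    return {(src, dst, port) for _, src, dst, port, _ in parse(log)}


def find_deviations(baseline, log):
    """Return live flows absent from the baseline, each tagged with why it is notable."""
    known_clients = {src for src, _, _ in baseline}
    known_servers = {(dst, port) for _, dst, port in baseline}
    findings = []
    for ts, src, dst, port, proto in parse(log):
        flow = (src, dst, port)
        if flow in baseline:
            continue  # seen during learning: normal operation
        reasons = []
        if src not in known_clients:
            reasons.append("new client")
        if (dst, port) not in known_servers:
            reasons.append("new server endpoint")
        if not reasons:
            reasons.append("known client reaching a server it never used")
        findings.append((ts, flow, proto, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_LOG)
    for ts, (src, dst, port), proto, why in find_deviations(baseline, LIVE_LOG):
        print(f"{ts} {src} -> {dst}:{port} ({proto}): {why}")
```

In practice the learning window would come from a passive network monitor and the baseline would be reviewed by someone who knows the plant before it is trusted; the value of the check is that on a network this predictable, the alarm list stays short enough that every entry can actually be acted on.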
At SolutionsPT we take a balanced approach to the management of assets and their security throughout their lifecycle. We monitor and track the ever-evolving cybersecurity threat landscape and align to frameworks such as IEC 62443 and the NIS Directive. By engaging with both private and government cyber security resources, we keep abreast of threats and influence current thinking and best practice guidance across the OT sector.