
Security Analysis of Vendor Implementations of the OPC UA Protocol for Industrial Control Systems

conference contribution
posted on 2023-11-29, 18:22 authored by Alessandro Erba, Anne Müller, Nils Ole Tippenhauer
The OPC UA protocol is an upcoming de-facto standard for building Industry 4.0 processes in Europe, and one of the few industrial protocols that promises security features to prevent attackers from manipulating and damaging critical infrastructures. Despite the importance of the protocol, challenges in the adoption of OPC UA's security features by product vendors, libraries implementing the standard, and end-users have not been investigated so far. In this work, we systematically investigate 48 publicly available artifacts consisting of products and libraries for OPC UA and show that 38 out of the 48 artifacts have one (or more) security issues. We show that 7 OPC UA artifacts do not support the security features of the protocol at all. In addition, 31 artifacts that partially feature OPC UA security rely on incomplete libraries and come with misleading instructions. Consequently, relying on those products and libraries will result in vulnerable implementations of OPC UA security features. To verify our analysis, we design, implement, and demonstrate attacks in which the attacker can steal credentials exchanged between victims, eavesdrop on process information, manipulate the physical process through sensor values and actuator commands, and prevent the detection of anomalies.

Preferred Citation

Alessandro Erba, Anne Müller and Nils Tippenhauer. Security Analysis of Vendor Implementations of the OPC UA Protocol for Industrial Control Systems. In: Joint Workshop on CPS & IoT Security and Privacy (CPSIoTSec). 2022.

Primary Research Area

  • Secure Connected and Mobile Systems

Name of Conference

Joint Workshop on CPS & IoT Security and Privacy (CPSIoTSec)

Legacy Posted Date

2022-09-23

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3789,
  title = "Security Analysis of Vendor Implementations of the OPC UA Protocol for Industrial Control Systems",
  author = "Erba, Alessandro and Müller, Anne and Tippenhauer, Nils Ole",
  booktitle = "{Joint Workshop on CPS & IoT Security and Privacy (CPSIoTSec)}",
  year = "2022",
}
