On May 10th, 2018, cybersecurity firm Kaspersky Labs released a report identifying 17 vulnerabilities in OPC Foundation open source code obtained from GitHub. The report attracted a lot of attention in the manufacturing sector. The OPC Foundation itself has been quite transparent about sharing these vulnerabilities at https://opcfoundation.org/security/. On May 18, the OPC Foundation issued a statement about the Kaspersky report, which can be viewed in full here.
The Kaspersky Labs report issued on May 10th, 2018 has garnered a lot of media attention based on its claim of having identified 17 security issues in some OPC UA implementations. A detailed description of the 17 issues can be found at https://opcfoundation.org/security/. The OPC Foundation has always been transparent about security issues, and indeed one of the advantages of open source is that it facilitates identification and remediation of security issues in a transparent manner. The OPC Foundation works cooperatively with vendors to have the open source code base tested by external security organizations and to have those results incorporated into GitHub. The OPC UA standard and its various open-source implementations are continuously subjected to scrutiny by many in the large and active OPC UA community, something the OPC Foundation openly welcomes, as this only makes the open-source implementations better.
What Does This Mean for End Users?
Vulnerability reports like this one are common, and all but one of the issues reported were addressed in 2016 or 2017, so the timing of the report did create some confusion in the marketplace. If you are an end user, you are most likely not affected by these issues, provided your applications are up to date. The OPC Foundation has been and continues to be committed to ensuring the OPC UA standard provides the highest levels of security, and as such has reviewed the claims made in the Kaspersky report and found that:
- Eight issues were associated with an OPC Foundation ANSI-C sample server application that was provided with the ANSI-C stack code in GitHub.
- These issues did not affect the ANSI-C stack itself or products based on commercial SDKs.
- Nevertheless, all issues have been fixed.
- Six issues were associated with the OPC Foundation server enumerator (Local Discovery Server, LDS). These were fixed in 2017 and a CVE was published. These issues were not remotely exploitable.
Three issues affected some products in the field. Specifically:
- One issue was specific to a product from a vendor who published a CVE in 2016.
- The second issue is specific to a product from a vendor who is working on a fix and will report it to ICS-CERT as soon as possible.
- The third issue affected a legacy .NET stack that was promptly fixed by the OPC Foundation in 2017. OPC users were notified of this issue via a CVE in 2017.
OPC Foundation is Committed to Security
In addition, to alleviate any confusion the Kaspersky Labs report may have created about the strong security the OPC UA standard offers, the OPC Foundation emphasizes that:
- The OPC UA software eco-system is composed of multiple commercial OPC UA SDK/Toolkit vendors that offer well tested and well-documented products.
- The majority of OPC UA products are based on these commercial OPC UA SDK/Toolkits and are not affected by the issues with the ANSI-C sample server application published on GitHub.
Again, detailed information on the process for managing security issues can be found at https://opcfoundation.org/security/. The OPC Foundation is committed to addressing all issues as they arise, to working with OPC vendors to ensure that software is patched quickly, and to notifying OPC users about the issues and the fixes. This process of continuous improvement based on open source software is a major reason why OPC UA is so successful in the market today. The OPC Foundation will continue to provide its users with the robust and secure foundation that they expect from a key industrial interoperability standard.
You can also download the OPC Guide to Practical Security Recommendations for Building OPC UA Applications here.