• Corpus ID: 243861205

Security Analysis of Vendor Implementations of the OPC UA Protocol for Industrial Control Systems

@inproceedings{Erba2021SecurityAO,
  title={Security Analysis of Vendor Implementations of the OPC UA Protocol for Industrial Control Systems},
  author={Alessandro Erba and Anne Muller and Nils Ole Tippenhauer},
  year={2021}
}
The OPC UA protocol is an upcoming de-facto standard for building Industry 4.0 processes in Europe, and one of the few industrial protocols that promises security features to prevent attackers from manipulating and damaging critical infrastructures. Despite the importance of the protocol, challenges in the adoption of OPC UA’s security features by product vendors, libraries implementing the standard, and end-users were not investigated so far. In this work, we systematically investigate 48… 

Figures and Tables from this paper

Vulnerabilities of the Open Platform Communication Unified Architecture Protocol in Industrial Internet of Things Operation

TLDR
This study proposes a framework for vulnerability discovery and countermeasures that can be applied to any analysis target, and finds 30 major threats and four vulnerabilities based on the proposed framework.

References

SHOWING 1-10 OF 58 REFERENCES

Assessing the impact of attacks on OPC-UA applications in the Industry 4.0 era

TLDR
The contribution is to identify, based on the specifications, the threats and countermeasures that may occur/be applied when using OPC-UA in an Industry 4.0 environment and to highlight the impact of the eavesdropping and message flooding attacks on an O PC-UA application implemented on a real testbed.

Easing the Conscience with OPC UA: An Internet-Wide Study on Insecure Deployments

TLDR
This paper actively scans the IPv4 address space for publicly reachable OPC UA systems and observes problematic security configurations such as missing access control, disabled security functionality, or use of deprecated cryptographic primitives on in total 92% of the reachable deployments.

Portable Trust Anchor for OPC UA Using Auto-Configuration

TLDR
This paper proposes an evaluated portable trust-anchor-based concept to establish this initial trust and demonstrates it solely based on standardized OPC UA communication.

Open-Source OPC UA Security and Scalability

TLDR
This work investigates the security models of the four most commonly used open-source OPC UA implementations: open62541, node-opcua, UA-.NETStandard, and python-OPcua and their scalabilities for the number of clients and OPCUA nodes are analyzed.

Simulating and Detecting Attacks of Untrusted Clients in OPC UA Networks

The usage of machine to machine communication and Industrial Internet of Things is increasing nowadays, in particular in industry environments. Devices with low hardware capabilities may e.g. be used

"If HTTPS Were Secure, I Wouldn't Need 2FA" - End User and Administrator Mental Models of HTTPS

TLDR
It is found that end users often confuse encryption with authentication, significantly underestimate the security benefits of HTTPS, and ignore and distrust security indicators while administrators often do not understand the interplay of functional protocol components.

PKI and User Access Rights Management for OPC UA based Applications

  • G. KarthikeyanS. Heiss
  • Computer Science
    2018 IEEE 23rd International Conference on Emerging Technologies and Factory Automation (ETFA)
  • 2018
TLDR
This research work is on OPC UA to understand its security architecture's support for end-to-end communication and an implementation of a demo PKI (Public Key Infrastructure) to illustrate the same and demonstrates the applicability of access level attributes in differentiating access rights between different users.

Towards Usable Checksums: Automating the Integrity Verification of Web Downloads for the Masses

TLDR
An extension to the recent W3C specification for sub-resource integrity in order to provide integrity protection for download links is proposed and an extension for the popular Chrome browser that computes and verifies checksums of downloaded files automatically is developed.

"I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

TLDR
The results suggest that the deployment process for HTTPS is far too complex even for people with proficient knowledge in the field, and that server configurations should have stronger security by default.

Comparing the Usability of Cryptographic APIs

TLDR
This paper is the first to examine both how and why the design and resulting usability of different cryptographic libraries affects the security of code written with them, with the goal of understanding how to build effective future libraries.
...