Vulnerabilities in industrial protocol

June 2018 News, Cyber Security

Kaspersky Lab ICS CERT has analysed the OPC UA (Object Linking and Embedding for Process Control Unified Automation) protocol, which is designed to secure data transfer between servers and clients in industrial systems, including critical infrastructure.

Kaspersky Lab ICS CERT experts analysed OPC UA architecture and its products. They examined its open-source code (available on GitHub), including a sample server, and discovered that current implementations of the protocol had code design and writing errors. These errors should not exist in such widespread critical infrastructure software. Overall, 17 zero-day vulnerabilities in the OPC Foundation’s products were identified and reported to the developers, who fixed them accordingly. All were fixed by the end of March 2018.

OPC UA is an industrial protocol, which was developed and released by the OPC Foundation in 2006 for reliable and secure data transmission between various systems on an industrial network. This protocol is widely used by major vendors in modern industrial facilities, in the manufacturing, oil and gas, pharmaceuticals industries and others. Its gateways are installed by a growing number of industrial enterprises, for communication in automated process control and telemetry, and monitoring and telecontrol systems, allowing these enterprises to unify their management processes. The protocol is also used in IoT and smart city components, which are increasingly attracting hacker attention.

In addition, Kaspersky Lab ICS CERT analysed third-party software based on this industrial protocol, including solutions by leading ­industry vendors. In most cases, they discovered flaws were caused by the developers not using some of the protocol implementation ­functions properly. In other cases, vulnerabilities were the result of incorrect modifications applied to the protocol’s infrastructure. Thus, experts discovered the insecure implementation of functions in a commercial product, despite the fact that the original OPC Foundation implementation did not include errors. As a result, such modifications in the protocol’s logic, made by vendors for unknown reasons, was leading to risky functionality.

All the vulnerabilities found in the OPC UA protocol implementations could result in heavy damage to industry. On the one hand, there was the risk of denial-of-service (DoS) issues, which could pose serious threats to industrial systems by disrupting or shutting down industrial processes. On the other hand, remote code execution was made possible, allowing attackers to send any kind of server commands to control industrial processes, or continue their intrusion into the network.

“Very often software developers put too much trust in industrial protocols, and implement the technology in their solutions without putting the product code through security checks. Thus, vulnerabilities in the example used can affect complete product lines, so it’s highly important that vendors pay close attention to such widely available technologies. Moreover, they should not be deceived by the idea that they can design their own piece of software. Many think this could be more efficient and secure than existing software, but even a brand new piece of software may still contain numerous vulnerabilities,” said Sergey Temnikov, senior security researcher at Kaspersky lab ICS CERT.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Spend on cloud to accelerate across Africa in 2023
News
More than two-thirds of companies using cloud computing across major African markets plan to increase their spending on cloud services in 2023.

Read more...
ChatGPT’s impacts will be social, not technical
News
ChatGPT is truly a remarkable achievement, an artificial intelligence (AI) that you can have a conversation with and ask to do everything from writing essays to coding computer programs.

Read more...
Artificial intelligence in Africa: levelling the narrative
News
While AI can benefit multiple industries, in Africa the key sectors that stand to gain are financial services (specifically fintech) and agriculture.

Read more...
Improving data security for a hybrid society
News
Researchers from Tokyo University of Science develop a method that can perform computations with encrypted data faster and at a lower cost than conventional methods, while also improving security.

Read more...
Cybersecurity in 2023: The latest trends and developments
News
In 2023, experts predict that several trends will shape the cybersecurity landscape, including the growing use of artificial intelligence (AI), the increasing focus on the Internet of Things (IoT), and the rise of quantum computing.

Read more...
SAN market set for growth
Technews Publishing News IT infrastructure
Storage-area network (SAN) market to hit US$ 26,86 billion in revenue by the end of 2029 due to factors like widespread adoption of Hybrid SAN-NAS solutions.

Read more...
Enterprise threats in 2023
News Cyber Security
Large businesses and government structures should prepare for cybercriminals using media to blackmail organisations, reporting alleged data leaks, and purchasing initial access to previously compromised companies on the darknet.

Read more...
Trends in the proptech industry for 2023
News
By mixing real estate with technology to optimise industries, create new ones, and generate efficiencies or capabilities that improve revenue generation, something as fundamental as the concept of parking has been turned on its head.

Read more...
CA Southern Africa unmasks container security
Technews Publishing IT infrastructure Cyber Security
Adoption of software containers has risen dramatically as more organisations realise the benefits of this virtualised technology.

Read more...
31 percent of all IoT SIMs managed with third-party IoT CMPs
News Integrated Solutions
Berg Insight recently released new findings about the market for IoT connectivity management platforms (CMPs), a standard component in the value proposition from mobile operators and IoT MVNOs around the world.

Read more...