classic | mobile
Follow us on:
Follow us on Facebook  Share via Twitter  Share via LinkedIn
 

Search...
Hi-Tech Security Solutions Business Directory
Residential Estate Security Handbook 2017


Vulnerabilities in industrial protocol
June 2018, News, Cyber Security

Kaspersky Lab ICS CERT has analysed the OPC UA (Object Linking and Embedding for Process Control Unified Automation) protocol, which is designed to secure data transfer between servers and clients in industrial systems, including critical infrastructure.

Kaspersky Lab ICS CERT experts analysed OPC UA architecture and its products. They examined its open-source code (available on GitHub), including a sample server, and discovered that current implementations of the protocol had code design and writing errors. These errors should not exist in such widespread critical infrastructure software. Overall, 17 zero-day vulnerabilities in the OPC Foundation’s products were identified and reported to the developers, who fixed them accordingly. All were fixed by the end of March 2018.

OPC UA is an industrial protocol, which was developed and released by the OPC Foundation in 2006 for reliable and secure data transmission between various systems on an industrial network. This protocol is widely used by major vendors in modern industrial facilities, in the manufacturing, oil and gas, pharmaceuticals industries and others. Its gateways are installed by a growing number of industrial enterprises, for communication in automated process control and telemetry, and monitoring and telecontrol systems, allowing these enterprises to unify their management processes. The protocol is also used in IoT and smart city components, which are increasingly attracting hacker attention.

In addition, Kaspersky Lab ICS CERT analysed third-party software based on this industrial protocol, including solutions by leading ­industry vendors. In most cases, they discovered flaws were caused by the developers not using some of the protocol implementation ­functions properly. In other cases, vulnerabilities were the result of incorrect modifications applied to the protocol’s infrastructure. Thus, experts discovered the insecure implementation of functions in a commercial product, despite the fact that the original OPC Foundation implementation did not include errors. As a result, such modifications in the protocol’s logic, made by vendors for unknown reasons, was leading to risky functionality.

All the vulnerabilities found in the OPC UA protocol implementations could result in heavy damage to industry. On the one hand, there was the risk of denial-of-service (DoS) issues, which could pose serious threats to industrial systems by disrupting or shutting down industrial processes. On the other hand, remote code execution was made possible, allowing attackers to send any kind of server commands to control industrial processes, or continue their intrusion into the network.

“Very often software developers put too much trust in industrial protocols, and implement the technology in their solutions without putting the product code through security checks. Thus, vulnerabilities in the example used can affect complete product lines, so it’s highly important that vendors pay close attention to such widely available technologies. Moreover, they should not be deceived by the idea that they can design their own piece of software. Many think this could be more efficient and secure than existing software, but even a brand new piece of software may still contain numerous vulnerabilities,” said Sergey Temnikov, senior security researcher at Kaspersky lab ICS CERT.


Credit(s)
Supplied By: Kaspersky Lab
Tel: (011 783 2424
Fax:
Email: sales-za@kaspersky.com
www: www.kaspersky.co.za
  Share via Twitter   Share via LinkedIn      

Further reading:

  • Cybersecurity is not hype
    June 2018, Technews Publishing, News
    Regular readers of Hi-Tech Security Solutions will know that we have upped the amount of content we have about cybersecurity, whether it is aimed at the physical security market or not. This is not some ...
  • Intelligence and compliance ­depend on data governance
    June 2018, Technews Publishing, This Week's Editor's Pick, Cyber Security, Security Services & Risk Management
    The growth of data in all its forms caused data governance to become increasingly complex, to the point where it is a skill in itself.
  • Data governance and security
    June 2018, Technews Publishing, This Week's Editor's Pick, Cyber Security, Security Services & Risk Management
    Data governance has become a key issue for all businesses, and as with all things data-related these days, security is a key component of data governance.
  • The dark side of the Internet
    June 2018, Check Point South Africa, This Week's Editor's Pick, Cyber Security
    Research from Check Point Software Technologies shows that Telegram may be the new channel of choice for conducting cybercrime anonymously.
  • Phangela set to upgrade security industry
    June 2018, News, Security Services & Risk Management
    Phangela Security is on an expansion drive, taking a new data-driven approach to the security market countrywide.
  • Afribiz Invest partners with RSS Security Services
    June 2018, News, Security Services & Risk Management, Retail (Industry)
    New security company RSS Commercial will give South African businesses and government departments fresh options, including the ability to maximise cost efficiency.
  • Arecont Vision changes in MEA team
    June 2018, Arecont Vision, News
    Arecont Vision has promoted Johan Crause to regional director – Middle East and Africa.
  • Carol Mazibuko presses F5
    June 2018, Westcon-Comstor Southern Africa, News
    Carol Mazibuko has been promoted to product manager of F5 Networks at Westcon-Comstor.
  • Milestone successfully expanding in Africa
    June 2018, Milestone Systems, This Week's Editor's Pick, News
    Milestone Systems reorganises to support strong interest from customer and partners in the African region.
  • ONVIF celebrates 10th anniversary
    June 2018, This Week's Editor's Pick, News
    ONVIF is celebrating its 10th anniversary, capping off a decade of growth and rising influence as a provider of interoperability standards to the physical security market.
  • LiDAR specialist appoints first SA distributor
    June 2018, Duxbury Networking, News, CCTV, Surveillance & Remote Monitoring
    Duxbury Networking has signed a distribution agreement with US specialist vendor Quanergy Systems, a provider of next-generation 3D LiDAR (Light Detection and Ranging) sensors and perception software.
  • ESDA Charity Golf Day 2018
    June 2018, ESDA (Electronic Security Distributors Association, News, Conferences & Events
    The Electronic Security Distributors’ Association (ESDA) will be holding its annual Golf Day in aid of charity on 20 September 2018 at the Benoni Country Club. The charity being supported this year is AMCARE.

 
 
         
Contact:
Technews Publishing (Pty) Ltd
1st Floor, Stabilitas House
265 Kent Ave, Randburg, 2194
South Africa
Publications by Technews
Dataweek Electronics & Communications Technology
Electronic Buyers Guide (EBG)

Hi-Tech Security Solutions
Hi-Tech Security Business Directory (HSBD)

Motion Control in Southern Africa
Motion Control Buyers’ Guide (MCBG)

South African Instrumentation & Control
South African Instrumentation & Control Buyers’ Guide (IBG)
Other
Terms & conditions of use, including privacy policy
PAIA Manual
         
    Mobile | Classic

Copyright © Technews Publishing (Pty) Ltd. All rights reserved.