DOCSLIB.ORG

OPC UA Security Analysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
OPC UA Security Analysis OPC UA Security Analysis 02/03/2017 Authors The OPC UA security analysis study was commissioned by the Federal Office for Information Security (BSI) and performed under the consortium leadership of TÜV SÜD Rail from 14 January 2015 until 2 December 2015. Listed in alphabetical order, the other companies and people involved in the consortium were as follows: ascolab Mr. Damm Mr. Gappmeier Mr. Zugfil SIGNON Mr. Plöb TÜV SÜD Mr. Fiat (project manager) Mr. Störtkuhl Acknowledgements The authors would like to thank the OPC Foundation for the open and constructive cooperation. All suggestions for improvement presented in this study were taken up by the OPC Foundation and discussed intensively. This study led to an adjustment of specification and reference implementation which will be incorporated into the next updates. An overview of the OPC Foundation's feedback on this study can be found at the following address: https://opcfoundation.org/security/ Federal Office for Information Security P.O.B. 20 03 63 D-53133 Bonn (Germany) Phone: +49 22899 9582-0 E-mail: [email protected] Internet: https://www.bsi.bund.de © Federal Office for Information Security (BSI) 2016 Content AUTHORS .................................................................................................................................................................... 2 ACKNOWLEDGEMENTS ............................................................................................................................................... 2 1 MANAGEMENT SUMMARY ................................................................................................................................. 6 2 SUBJECT OF THE ANALYSIS .................................................................................................................................. 8 2.1 SUBJECT UNDER EXAMINATION ................................................................................................................................... 8 2.2 OBJECTIVES OF THE ANALYSIS ................................................................................................................................... 10 2.3 SCOPE OF THE ANALYSIS .......................................................................................................................................... 10 2.3.1 Analysis of the OPC UA Specification ........................................................................................................... 11 2.3.2 Performing of security tests on a reference implementation ....................................................................... 13 2.4 EXCLUSION AND ASPECTS THAT ARE NOT TAKEN INTO ACCOUNT ....................................................................................... 13 2.4.1 Exclusions ..................................................................................................................................................... 13 2.4.2 Uncertainties ................................................................................................................................................ 14 3 METRIC FOR ASSESSING THE CRITICALITY OF VULNERABILITIES .........................................................................15 3.1 BASE METRIC GROUP ............................................................................................................................................ 15 3.2 TEMPORAL METRIC ............................................................................................................................................... 16 3.3 ENVIRONMENTAL METRICS ..................................................................................................................................... 16 3.4 CALCULATION OF THE SCORE .................................................................................................................................... 16 4 DESCRIPTION OF THE TEST ENVIRONMENT ........................................................................................................18 5 INVENTORY OF THE LEVEL OF KNOWLEDGE WITH RESPECT TO THE IT SECURITY OF OPC UA .............................21 6 EDITORIAL COMMENTS AND SUGGESTIONS FOR CORRECTION ..........................................................................24 7 RESULTS OF THE SPECIFICATION ANALYSIS .........................................................................................................38 7.1 REVIEW OF SECURITY OBJECTIVES AND THREAT TYPES .................................................................................................... 38 7.1.1 Analysis by means of STRIDE ........................................................................................................................ 38 7.1.2 Review of the security objective definitions ................................................................................................. 40 7.1.3 Review of the threat type definitions ........................................................................................................... 41 7.1.4 Review of the assignment of security objectives versus threats .................................................................. 42 7.1.5 Results .......................................................................................................................................................... 42 7.2 THREAT ANALYSIS FOR THE OPC UA PROTOCOL ........................................................................................................... 45 7.2.1 Analysis according to the threats from Part 2.............................................................................................. 45 7.2.2 Analysis of the threats for elements of the OPC UA infrastructure .............................................................. 55 7.2.3 Results .......................................................................................................................................................... 58 7.3 ANALYSIS OF THE PROTECTION MECHANISMS ON THE PARAMETER LEVEL ........................................................................... 58 7.3.1 Explanation of the analysis table ................................................................................................................. 58 7.3.2 Detailed explanation of the results of the analysis table ............................................................................. 60 7.3.3 Conclusion .................................................................................................................................................... 63 7.4 FURTHER OBSERVATIONS REGARDING THE DESIGN ........................................................................................................ 64 7.5 SUMMARY OF THE OVERALL ANALYSIS RESULTS ............................................................................................................ 65 8 RESULTS OF THE REFERENCE IMPLEMENTATION ANALYSIS.................................................................................71 8.1 DESCRIPTION OF THE OPC UA COMMUNICATION STACK TESTED ..................................................................................... 71 8.2 ATTACKS TO VULNERABILITIES IDENTIFIED IN THE SPECIFICATION ANALYSIS ......................................................................... 71 8.3 PROCEDURE ......................................................................................................................................................... 71 8.4 CERTIFICATE TESTS ................................................................................................................................................. 73 8.4.1 Description of the tests ................................................................................................................................ 73 8.4.2 Analysis of the results .................................................................................................................................. 75 8.5 STATIC CODE ANALYSIS ............................................................................................................................................ 78 8.6 FUZZING .............................................................................................................................................................. 80 Federal Office for Information Security 3 Error! Use the Home tab to apply Überschrift 1 to the text that you want to appear here. 8.6.1 Programming in Peach ................................................................................................................................. 80 8.6.2 Choice of fuzzing tests .................................................................................................................................. 83 8.6.3 Results .......................................................................................................................................................... 83 8.7 DYNAMIC CODE ANALYSIS ........................................................................................................................................ 86 8.7.1 Results: ......................................................................................................................................................... 86 8.8 CODE COVERAGE ................................................................................................................................................... 91 8.8.1 Measurement ..............................................................................................................................................
Load more

Recommended publications
  • Modbus TCP Master (OPC) User's Manual
    Station Automation COM600 3.4 Modbus TCP Master (OPC) User's Manual 1MRS756445 Station Automation COM600 3.4 Issued: 21.12.2007 Version: D/06.11.2009 Modbus TCP Master (OPC) User's Manual Contents: 1. About this manual .................................................................................. 7 1.1. Copyrights ...................................................................................... 7 1.2. Trademarks .................................................................................... 7 1.3. General .......................................................................................... 7 1.4. Document conventions .................................................................. 8 1.5. Use of symbols .............................................................................. 9 1.6. Terminology .................................................................................... 9 1.7. Abbreviations ............................................................................... 11 1.8. Related documents ...................................................................... 12 1.9. Document revisions ..................................................................... 12 2. Introduction ........................................................................................... 13 2.1. Functional overview ..................................................................... 13 2.2. Modbus OPC Server features ...................................................... 14 3. Configuration .......................................................................................
    [Show full text]
  • OPC DX Link Option for Kepserverex
    OPC DX Link Option for KEPServerEX Overview: OPC technology has been extremely successful at bridging the vertical communication gap between the plant floor and the control room. Using standards such as OPC Data Access (DA), hundreds of software applications have been written to gather data from a wide range of control systems using this simple Client/Server architecture. OPC DA did not, however, address the needs of integration and interoperability directly between devices. Historically there have been a number of high-level and low-level bus protocols, each one written to address the differing needs and uses of the devices they were intended to serve. Protocols such as PROFIBUS, DeviceNet, ControlNet, and many more, have been utilized in the past. Recently there has been a growing movement towards the use of Ethernet as an industrial communication backbone. Initially each of these respective bus specifications was redeveloped for use over Ethernet. The resulting PROFInet, Ethernet/IP, High-Speed Ethernet Fieldbus (HSE), and BACNET/IP provided a means for customers to move smoothly from their proprietary wiring schemes to Ethernet. However it didn't address the key issue of true Device-to-Device interoperability or more importantly Bus-to-Bus interoperability. While these new Ethernet based protocols could coexist on the same wire, there was still no way to get data from a PROFInet device directly into an Ethernet/IP device. Example using DX to route data between OPC Items in KEPServerEX Example of using DX to pull data from an OPC DA server and eXchange data (bi-directional) with an OPC DX server OPC DX: OPC Data Exchange (DX) was designed to address the needs of Device-to-Device and Bus-to-Bus interoperability by applying the same technologies currently used by desktop applications at the device level.
    [Show full text]
  • Investigate M2M-Related Communication Standards That Exist on the Global Market Today
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Agder University Research Archive Investigate M2M-related communication standards that exist on the global market today by Aleksander Albretsen Thesis in partial fulfilment of the degree of Master in Technology in Information and Communication Technology Agder University College Faculty of Engineering and Science Grimstad Norway June 2006 Abstract Most M2M applications use well-known communication technologies to interconnect the devices. Even though they use well-known communication technologies there are no widely used and well-defined M2M standards regarding the data exchange (application layer). This thesis investigates and identifies M2M related communication standards that exist on the global market today, and are applicable for M2M standardisation. This thesis is limited to the following segments within M2M: Security, Automatic Meter Reading (AMR) and Utility Control. Today, and in the future, IP will play an important role within M2M. This thesis is therefore mainly focusing on standards that implement how to transfer the application layer using the IP-stack. M2M is defined in this thesis as an application with a central server communicating with end-devices through a gateway, using remote communication from server to gateway. The following standards are investigated and found applicable in one or more of the selected segments: CIP, MODBUS, LonWorks, KNX, DLMS/COSEM, M-BUS, SIA, M2MXML, OPC and ZigBee. Each of the standards is explained within the thesis. All standards are identified and categorised, and area of applications and proposed solutions are described. This thesis discusses the applicability regarding each segment, multiple services behind one gateway, bandwidth consumption, software update and interconnection of networks.
    [Show full text]
  • Matrikonopc Server for Simulation User Manual.Pdf User’S Manual for This Server
    MatrikonOPC Server for Simulation User's Manual MatrikonOPC Server for Simulation User's Manual This manual is a product of Matrikon Inc. Matrikon Inc. Suite 1800, 10405 Jasper Avenue Edmonton, AB T5J 3N4 Canada Phone: 780.448.1010 Fax: 780.448.9191 www.matrikonopc.com Document Revision History: Document Date Description Author Version 2003-08-19 1.0 Initial document. DENG 2004-04-02 1.1 Added HDA and AE functionality descriptions. IMF 2008-05-14 2.0 Converted to new template. LB Added OPC item descriptions, updated Installed 2008-08-25 2.1 Files, updated Installation and Un-Installation RK, LB sections, updated Troubleshooting section. MatrikonOPC Server Framework v1.11.1.0/1.7.0.0 applied to server. Software version updated to 1.5.0.0. Updated Installation section. Updated Contacting Support section. Alias Configuration section updated to include Calculation scaling and 2009-07-17 3.0 LB Item Browser information. Limitations section updated. Appendix B – Aliases: added Scaling Calculation section, updated CSV File Format and Scaling Algorithms sections. Updated Appendix E – Security. MatrikonOPC Server for Simulation v1.5.0.0 User’s Manual 2 SOFTWARE VERSION Version: 1.5.0.0 DOCUMENT VERSION Version: 3.0 COPYRIGHT INFORMATION © Copyright 1997 - 2009, Matrikon Inc. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, translated, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of Matrikon Inc. CONFIDENTIAL The information contained herein is confidential and proprietary to Matrikon Inc. It may not be disclosed or transferred, directly or indirectly, to any third party without the explicit written permission of Matrikon Inc.
    [Show full text]
  • Applicom® OPC Server Is the Best Choice for Connecting Industrial Devices to Your Favorite Industrial Applications
    Open, Reliable and Efficient, applicom® OPC server is the best choice for connecting industrial devices to your favorite industrial applications. With a collection of 30 major protocols, Woodhead is a key player in OPC technology for automation solutions. ® 07 Jan. 05 applicom OPC Server Multi-protocol OPC server for industrial networking Features • Included free-of-charge in all applicom® packages • Tested and Full compliant with OPC DA specifications v1.0a, 2.05 and 3.0 • Multi-protocol Server: manages simultaneously various protocols through an unique OPC connection • Powerful! Real-time data access with Automatic data exchange optimization • Integrates redundancy features OPC Technology • Smart OPC Item browsing OPC (OLE for Process Control) is the standard communication interface that enables the data • Simultaneous access in COM exchange between client applications (HMI/SCADA, RDBM, control/command) and industrial and DCOM modes devices (PLC, I/O blocks, drives, etc). OPC is built using the Microsoft’s technologies: OLE, COM and DCOM (Distributed COM) that are well-tested and proven foundation. • InProc / OutProc connection OPC specifications are designed by the open foundation – OPC Foundation – to meet the general needs of industry, finding then an issue of specific and proprietary interfaces problem. applicom® OPC Server Supported OS The applicom® OPC Server is an OPC Data Access (DA) compliant server that enables data exchange between OPC clients and a broad range of device manufacturers through networks • Windows 32-bit: XP SP1 / 2003 such as: Ethernet TCP/IP, Profibus, Serial, Modbus Plus, WorldFIP, etc. Server / 2000 SP3 / NT4) applicom® OPC Server supports multi-protocol feature: it can manage up to 30 different protocols simultaneously.
    [Show full text]
  • Knowledge Discovery in the SCADA Databases Used for the Municipal Power Supply System
    Knowledge Discovery in the SCADA Databases Used for the Municipal Power Supply System Valery Kamaev1, Alexey Finogeev2, Anton Finogeev3, Sergey Shevchenko4 1Volgograd State Technical University, Volgograd, Russia, [email protected], 2Penza State University, Penza, Russia, [email protected], [email protected], 3National Technical University "Kharkiv Polytechnic Institute", Kharkiv, Ukraina, [email protected] Abstract. This scientific paper delves into the problems related to the develop- ment of intellectual data analysis system that could support decision making to manage municipal power supply services. The management problems of mu- nicipal power supply system have been specified taking into consideration modern tendencies shown by new technologies that allow for an increase in the energy efficiency. The analysis findings of the system problems related to the integrated computer-aided control of the power supply for the city have been given. The consideration was given to the hierarchy-level management decom- position model. The objective task targeted at an increase in the energy effi- ciency to minimize expenditures and energy losses during the generation and transportation of energy carriers to the Consumer, the optimization of power consumption at the prescribed level of the reliability of pipelines and networks and the satisfaction of Consumers has been defined. To optimize the support of the decision making a new approach to the monitoring of engineering systems and technological processes related to the energy consumption and transporta- tion using the technologies of geospatial analysis and Knowledge Discovery in databases (KDD) has been proposed. The data acquisition for analytical prob- lems is realized in the wireless heterogeneous medium, which includes soft- touch VPN segments of ZigBee technology realizing the 6LoWPAN standard over the IEEE 802.15.4 standard and also the segments of the networks of cellu- lar communications.
    [Show full text]
  • OPC Fundamentals
    OPC Overview Adam Hill Kepware Technologies/PTC Portland, ME (USA) Agenda • Before OPC • OPC Foundation • OPC Client Communications • OPC Specifications – OPC DA – OPC HDA – OPC AE – OPC UA and Tunneling with OPC UA May 14 – 16, 2019 INTERNATIONAL SCHOOL OF HYDROCARBON MEASUREMENT What You Will Learn 1.What does OPC stand for? 2.What is the purpose of the OPC Foundation? 3.OPC specifies the communication between what and what? May 14 – 16, 2019 INTERNATIONAL SCHOOL OF HYDROCARBON MEASUREMENT Before OPC Before OPC • No standard exists for communication between devices (data sources) and computer interfaces (data gatherers). • Proprietary connections and toolkits are developed by hardware vendors. – This limits users to one type of software and hardware package. • As users want to make more client connections to one device, or add different hardware, the problem gets sticky… May 14 – 16, 2019 INTERNATIONAL SCHOOL OF HYDROCARBON MEASUREMENT Before OPC (cont.) May 14 – 16, 2019 INTERNATIONAL SCHOOL OF HYDROCARBON MEASUREMENT OPC Foundation OPC Foundation • Formed in 1995 by a consortium of 5 companies: – Fisher-Rosemount, Rockwell, Opto 22, Intellution, and Intuitive Technology. • Now there are over 450 corporate members in the Foundation. THE FOUNDATION’S MISSION “The mission of the OPC Foundation is to manage a global organization in which users, vendors and consortia collaborate to create data transfer standards for multi-vendor, multi-platform, secure and reliable interoperability in industrial automation.” • To support this mission,
    [Show full text]
  • Fundamentals of OPC
    Presents Practical Fundamentals of OPC Revision 7.1 Web Site: www.idc-online.com E-mail: [email protected] Copyright All rights to this publication, associated software and workshop are reserved. No part of this publication or associated software may be copied, reproduced, transmitted or stored in any form or by any means (including electronic, mechanical, photocopying, recording or otherwise) without prior written permission of IDC Technologies. Disclaimer Whilst all reasonable care has been taken to ensure that the descriptions, opinions, programs, listings, software and diagrams are accurate and workable, IDC Technologies do not accept any legal responsibility or liability to any person, organization or other entity for any direct loss, consequential loss or damage, however caused, that may be suffered as a result of the use of this publication or the associated workshop and software. In case of any uncertainty, we recommend that you contact IDC Technologies for clarification or assistance. Trademarks All terms noted in this publication that are believed to be registered trademarks or trademarks are listed below: Acknowledgements IDC Technologies expresses its sincere thanks to all those engineers and technicians on our training workshops who freely made available their expertise in preparing this manual. Who is IDC Technologies? IDC Technologies is a specialist in the field of industrial communications, telecommunications, automation and control and has been providing high quality training for more than six years on an international basis from offices around the world. IDC consists of an enthusiastic team of professional engineers and support staff who are committed to providing the highest quality in their consulting and training services.
    [Show full text]
  • MSG : Multiprotocol SCADA Gateway
    MSG : Multiprotocol SCADA Gateway Overview The MSG is a modern SCADA communication gateway server for telemetry applications. It supports all of Inifnite's devices, offering seamless SCADA integration using a variety of means and and protocols. The MSG server is a host for multiple clients allowing seamless 24/7 unmanned device telemetry with centralised data management. Features Support for all Infinite product ranges including BSC-50, ADU-500, ADU- 700, Sigfox ADS, iLog & SCOM. Multiple SCADA protocols including, DNP3 DNP3 Secure Authentication v5 (SAv5) IEC 60870-5-101 IEC 60870-5-102 IEC 60870-5-103 IEC 60870-5-104 IEC 60870-5 Secure Authentication for -101 and -104 OPC Data Access OPC XML Data Access OPC Alarms & Events IEC 61850 incl: 7-410(Hydro), 7- 420(DER) & 61400-25 IEC 60870-6 (TASE.2/ICCP) incl. Bi- Directional Support Modbus Connectivity via RS232 serial port, USB, ethernet, modem. MS SQL server database backend for historical data storage and management. Integration with the WaT cloud server that offers a Web interface accessible using any browser & device. Device & data management The MSG server has a comprehensive set of tools for users to : Create and manage devices and Tags. Test SCADA connectivity and protocol integrity. View, edit, delete, search & export data. Assign tags to IO and configure their properties Available integrated with the WaT cloud server server SCADA & data functionality The MSG is a Windows application used by System Integrators and Utilities to collect data from OPC, IEC 60870-6 (TASE.2/ICCP), IEC 61850, IEC 60870-5, DNP3, or Modbus Server/Slave devices and then supplies this data to other control systems supporting OPC, IEC 60870-6 (TASE.2/ICCP) Client, IEC 60870-5, DNP3, and/or Modbus Client/Master communication protocols.
    [Show full text]
  • A Technical Overview of the OPC Dataaccess Interfaces
    A Technical Overview of the OPC DataAccess Interfaces Al Chisholm Chief Technical Officer Intellution Inc 1 Edgewater Drive Norwood, MA 02062 781 769 8878 KEY WORDS OPC, COM, DCOM, Windows, NT, I/O, Standards, Data, Realtime ABSTRACT This paper presents a fairly detailed technical overview of the Data Access interfaces. It begins by describing the problem these interfaces are designed to solve, the functionality they provide and the object model they employ. Following this is a review of the specific interfaces provided, including a brief discussion of the specific methods exposed by those interfaces. A REVIEW OF THE PROBLEM This paper contains a fairly detailed technical overview of the OPC (OLE for Process Control) Data Access Interface. It assumes that the reader has some technical background in COM (Component Object Model) and object oriented programming. This paper will also talk about where OPC Data Access fits in the architecture of a control system and about the objects and methods that the OPC Interface presents to the programmer. In addition to talking about WHAT the objects look like, this paper will also talk a bit about WHY they look the way they do. Which is to say it will try to answer the question, “What were those guys thinking when they designed this stuff…”. This paper talks primarily about the Custom (C++) interface as that is what server vendors and most serious client vendors need to understand and implement. Display Trend Report Display Trend Report Application Application Application Application Application Application Software Software Software Software Software Software Software Software Driver Driver Driver Driver Driver Driver Driver Driver The left figure above illustrates ‘The I/O Driver Problem’.
    [Show full text]
  • OPC Factory Server V3.60 OFS Product Introduction 35008244 11/2015
    OPC Factory Server V3.60 35008244 11/2015 OPC Factory Server V3.60 User Manual 11/2015 35008244.11 www.schneider-electric.com The information provided in this documentation contains general descriptions and/or technical characteristics of the performance of the products contained herein. This documentation is not intended as a substitute for and is not to be used for determining suitability or reliability of these products for specific user applications. It is the duty of any such user or integrator to perform the appropriate and complete risk analysis, evaluation and testing of the products with respect to the relevant specific application or use thereof. Neither Schneider Electric nor any of its affiliates or subsidiaries shall be responsible or liable for misuse of the information contained herein. If you have any suggestions for improvements or amendments or have found errors in this publication, please notify us. No part of this document may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without express written permission of Schneider Electric. All pertinent state, regional, and local safety regulations must be observed when installing and using this product. For reasons of safety and to help ensure compliance with documented system data, only the manufacturer should perform repairs to components. When devices are used for applications with technical safety requirements, the relevant instructions must be followed. Failure to use Schneider Electric software or approved software with our hardware products may result in injury, harm, or improper operating results. Failure to observe this information can result in injury or equipment damage.
    [Show full text]
  • PI Interface for OPC DA Version 2.5.1.X User Guide
    PI Interface for OPC DA Version 2.5.1.x User Guide OSIsoft, LLC 777 Davis St., Suite 250 San Leandro, CA 94577 USA Tel: (01) 510-297-5800 Fax: (01) 510-357-8136 Web: http://www.osisoft.com PI Interface for OPC DA User Guide © 1998-2014 by OSIsoft, LLC. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, mechanical, photocopying, recording, or otherwise, without the prior written permission of OSIsoft, LLC. OSIsoft, the OSIsoft logo and logotype, PI Analytics, PI ProcessBook, PI DataLink, ProcessPoint, PI Asset Framework (PI AF), IT Monitor, MCN Health Monitor, PI System, PI ActiveView, PI ACE, PI AlarmView, PI BatchView, PI Coresight, PI Data Services, PI Event Frames, PI Manual Logger, PI ProfileView, PI WebParts, ProTRAQ, RLINK, RtAnalytics, RtBaseline, RtPortal, RtPM, RtReports and RtWebParts are all trademarks of OSIsoft, LLC. All other trademarks or trade names used herein are the property of their respective owners. U.S. GOVERNMENT RIGHTS Use, duplication or disclosure by the U.S. Government is subject to restrictions set forth in the OSIsoft, LLC license agreement and as provided in DFARS 227.7202, DFARS 252.227-7013, FAR 12.212, FAR 52.227, as applicable. OSIsoft, LLC. Version: 2.5.1.x Published: March 2014 Contents Introduction to the PI OPC DA interface...................................................................... 1 Related manuals............................................................................................................................................
    [Show full text]