OPC UA Protocol: Understand Industrial Communication Protocols at Its Best

OPC UA is a transformative force reshaping how industries communicate, collect data, and ensure seamless operations. OPC UA protocols are well adapted to most applications, from small-scale embedded systems to large-scale enterprise environments.


OPC UA is a communication tool that makes it easier for machines to work together, share information, and make our industrial world more efficient and connected. Let’s learn more in detail.

Understanding OPC UA: Yesterday vs. Today

The IEC 62541 OPC Unified Architecture (OPC UA) standard came into being in 2006, thanks to the collaborative efforts of the OPC Foundation consortium. Its primary focus was on ensuring dependable and, notably, secure data transfer across diverse systems operating within industrial networks. 

Figure: OPC UA sample communication flow.

This standard represents a significant improvement over its predecessor, the OPC protocol, which has established itself as a ubiquitous presence within modern industrial settings.

In industrial landscapes, it’s common to encounter monitoring and control systems from various vendors, each employing their own, often proprietary, network communication protocols. 

This is where OPC gateways/servers step in, serving as the crucial bridges between disparate industrial control systems and telemetry, monitoring, and telecontrol systems. They play a pivotal role in harmonizing control processes within industrial enterprises.


The previous iteration of this protocol heavily relied on Microsoft’s DCOM technology, regrettably introducing some notable limitations. 

To overcome these constraints and address other identified issues with OPC, the OPC Foundation developed and released an enhanced protocol version.


Thanks to its newly introduced features and meticulously designed architecture, the OPC UA protocol is rapidly gaining widespread acceptance among automation system vendors. An increasing number of industrial enterprises are adopting OPC UA gateways globally. 

This protocol finds ever-expanding utility in establishing communication channels between components of industrial Internet of Things (IoT) infrastructures and smart city systems.

Security is an area of paramount concern, mainly when dealing with technologies that find favor among automation system developers and have the potential to become ubiquitous within industrial facilities worldwide. 

Technical Understanding of OPC UA Protocol

OPC-UA operates as an asynchronous protocol constructed through multiple communication and data exchange tiers.

Application Layer

At the Application Layer, we define the categories of data and services that OPC UA clients and servers can share. This layer houses the OPC UA object model, outlining the arrangement and functions of the data ready for exchange.

Session Layer

Moving to the Session Layer, its responsibility lies in managing the dialogue between OPC UA clients and servers. This layer handles setting up, sustaining, and concluding communication sessions.

Transport Layer

Beneath it all, we have the Transport Layer, serving as the conduit for data transfer between OPC UA clients and servers. This layer encompasses a variety of protocols for data conveyance, including TCP/IP and HTTPS.

The OPC UA protocol is meticulously engineered for security, scalability, and independence from specific platforms. This versatility renders it exceptionally well-suited for industrial automation and control systems. 

Its adaptable architecture enables its utilization in many scenarios, ranging from compact embedded systems to extensive enterprise setups.

Although OPC-UA can function across various transport layers like TCP/IP, HTTP, or MQTT, the prevalent choice is TCP/IP. Rather than one fixed predefined port, each application selects its own port.

For instance, various applications utilize ports like 4840, 4841, 4885 (Triangle Microworks), 49320 (Kepware), 48010 and 48020 (Cpp Stack), 48031 (GE), 4897 (Softing), 53520 and 53530 (Prosys), and 62541 (.NET Stack). This diversity caters to different needs across the OPC-UA landscape.
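Because the port depends on the stack, an inventory that keys on port numbers alone will miss OPC UA endpoints. The following added example (not code from the article or from any OPC UA stack) recognises OPC UA traffic by strictly parsing the UA TCP Hello message that opens every opc.tcp connection, rejecting inconsistent length fields instead of trusting them; the sample input is constructed with the build_hello helper, and the 4096-byte URL limit is an assumed sensor setting.

```python
import struct
from dataclasses import dataclass


@dataclass
class Hello:
    protocol_version: int
    receive_buffer_size: int
    send_buffer_size: int
    max_message_size: int
    max_chunk_count: int
    endpoint_url: str


def build_hello(endpoint_url: str, buf_size: int = 65536) -> bytes:
    """Construct a sample UA TCP Hello (used here only to create test input)."""
    url = endpoint_url.encode("utf-8")
    body = struct.pack("<IIIII", 0, buf_size, buf_size, 0, 0)   # version, rx, tx, max msg, max chunks
    body += struct.pack("<i", len(url)) + url                 # OPC UA String: int32 length + UTF-8
    return b"HELF" + struct.pack("<I", 8 + len(body)) + body  # MessageType "HEL", IsFinal "F", size


def parse_hello(data: bytes, max_url_len: int = 4096) -> Hello:
    """Strictly parse a UA TCP Hello; raise ValueError on any inconsistency."""
    if len(data) < 32:                      # 8-byte header + five uint32 fields + url length
        raise ValueError("message too short for a Hello")
    if data[:3] != b"HEL" or data[3:4] != b"F":
        raise ValueError("not a UA TCP Hello")
    size = struct.unpack_from("<I", data, 4)[0]
    if size != len(data):
        raise ValueError("MessageSize field does not match bytes received")
    fields = struct.unpack_from("<IIIII", data, 8)
    url_len = struct.unpack_from("<i", data, 28)[0]
    if url_len == -1:                       # -1 encodes a null String
        url_len = 0
    if url_len < 0 or url_len > max_url_len or 32 + url_len != size:
        raise ValueError("EndpointUrl length is inconsistent with MessageSize")
    url = data[32:32 + url_len].decode("utf-8")   # UnicodeDecodeError is a ValueError
    return Hello(*fields, url)


def is_opcua_hello(data: bytes) -> bool:
    """True only for a well-formed Hello, so a sensor can tag OPC UA on any port."""
    try:
        parse_hello(data)
        return True
    except ValueError:
        return False
```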

Security in OPC UA

Authentication

OPC UA includes several authentication mechanisms, including username/password, X.509 certificates, and anonymous authentication. They ensure that only authorized logins are accepted.

Encryption

OPC UA protects data in transit with cryptographic algorithms, keeping sensitive data safe from eavesdropping.

Authorization

Role-based access control (RBAC) is at the core of OPC UA’s security model. It allows administrators to define access policies for different devices or people, ensuring that access is granted only to authenticated and authorized parties.


Audit Trails

Security incidents can be better investigated with OPC UA servers as they often maintain audit trails that log all significant events and actions. 

Security Policies

OPC UA relies on security policies, such as Basic128Rsa15 and Basic256, to provide different levels of security, so an organization can choose the policy that suits it best.

Data Integrity in OPC UA

Digital Signatures

OPC UA supports digital signatures, ensuring your data remains unchanged during transmission to prevent tampering.

Message Digests

Message digests (hashes) are the tools to verify data integrity. They are generated for each message and compared at the receiving end to confirm that the data has not been altered.

Sequencing and Timestamps

OPC UA uses sequence numbers and timestamps in messages to check for the order and integrity of data.
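The three integrity mechanisms above work together, as the following added example shows (it is not code from the article or from any OPC UA stack). It models, in simplified form, the symmetric signing of an OPC UA secure channel: a SequenceHeader (SequenceNumber, RequestId) precedes the body, an HMAC-SHA256 signature as used by the Basic256Sha256 policy is appended, and the receiver rejects altered messages and replayed or out-of-order sequence numbers. Padding, encryption and sequence-number wraparound are omitted, and the key is a constructed demo value.

```python
import hashlib
import hmac
import struct

SIG_LEN = 32  # HMAC-SHA256 output size, as used by the Basic256Sha256 policy


def sign_message(signing_key: bytes, seq: int, request_id: int, body: bytes) -> bytes:
    """Sender side: SequenceHeader + body, followed by the HMAC over everything before it."""
    signed = struct.pack("<II", seq, request_id) + body
    return signed + hmac.new(signing_key, signed, hashlib.sha256).digest()


class SecureChannelReceiver:
    """Receiver side: verifies the signature first, then enforces strictly increasing
    sequence numbers so that a captured message cannot be replayed or reordered."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._last_seq = None

    def verify(self, message: bytes) -> bytes:
        if len(message) < 8 + SIG_LEN:
            raise ValueError("too short to carry a SequenceHeader and signature")
        signed, sig = message[:-SIG_LEN], message[-SIG_LEN:]
        expected = hmac.new(self._key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):       # constant-time comparison
            raise ValueError("signature mismatch: message altered or wrong key")
        seq, _request_id = struct.unpack_from("<II", signed, 0)
        if self._last_seq is not None and seq <= self._last_seq:
            raise ValueError(f"sequence {seq} not after {self._last_seq}: replay or reorder")
        self._last_seq = seq
        return signed[8:]                                # the body, now trusted


def check_stream(signing_key: bytes, messages: list) -> list:
    """Feed raw messages to one receiver and report 'ok' or the reason for rejection."""
    receiver = SecureChannelReceiver(signing_key)
    results = []
    for msg in messages:
        try:
            receiver.verify(msg)
            results.append("ok")
        except ValueError as err:
            results.append(str(err))
    return results
```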

Cryptographic Mechanisms in OPC UA

Asymmetric and Symmetric Encryption

Asymmetric encryption is used for secure key exchange and digital signatures. OPC UA often relies on X.509 certificates for these purposes. It utilizes symmetric encryption algorithms like AES (Advanced Encryption Standard) for efficient data encryption.


Key Pair Management

Keys must be stored securely, so efficient key-pair management is crucial, and OPC UA provides for it.

Threat Mitigation in OPC UA

Network Segmentation

Segmenting networks isolates vulnerable segments so that a compromise of one cannot spread to the others.

Firewalls and Intrusion Detection

Firewalls and intrusion detection systems are deployed to monitor and protect OPC UA communications.

Regular Updates

Keeping OPC UA software and firmware up-to-date is essential to patch known vulnerabilities.

Training

Training personnel on security best practices helps prevent social engineering attacks and security breaches.

Compliance and Certification

OPC UA products undergo certification processes to ensure they meet security and interoperability standards. Compliance with these standards is essential for managing a secure OPC UA ecosystem.

How is the OPC UA Standard translated into a Protocol?

People often confuse OPC UA standards with Protocols. The reality is that they are different but interdependent. Standards are the OPC Foundation’s working procedures, and Protocols are the implementations.

Translating the OPC UA (Unified Architecture) standard into a protocol involves defining the rules, procedures, and formats for data exchange and communication based on the specifications outlined in the standard.

Here’s how the OPC UA standard is transformed into a working protocol:

Specification Development

The OPC Foundation develops and maintains the standard. These standards include documentation explaining the protocol’s structure, features, and functionalities.

Protocol Architecture

The OPC UA also provides the architectural framework for your organization to design the communication network. This includes Servers, Clients, and communication patterns.

Message Encoding

Encoding data consistently is essential for reliable and secure communication. OPC UA defines how data is serialized for transmission, most commonly with its compact binary encoding.


Security Measures

The security features an organization needs are also defined, including authentication, authorization, and encryption.

Information Modeling

OPC UA allows you to represent your specific data in a standardized way.

Transport Layer

OPC UA can operate over various transport layers, including TCP/IP, HTTP, and MQTT. The standard ensures the efficient transfer of data.

Error Handling

The handling of errors, timeouts, and retries is specified so that communication remains reliable.

Session Management

OPC UA establishes, maintains, and terminates your communication sessions between Clients and Servers.

Conformance Testing

To ensure interoperability, the OPC Foundation conducts conformance testing, which validates implementations against the specification.

SDKs and Libraries

The OPC Foundation provides Software Development Kits (SDKs) and libraries for the developers.

Deployment and Integration

OPC UA-compliant products are deployed in industrial settings and configured to communicate with each other using the protocol.

Testing and Validation

Detailed testing and validation ensure that OPC UA-based systems function correctly and securely.

Is OPC UA Vulnerable?

OPC UA is considered secure by design, but evolving attack trends have not left it unexploited.

KEPServerEX Flaws

Claroty, an industrial cybersecurity firm, discovered critical vulnerabilities in PTC’s Kepware KEPServerEX product that affected multiple industrial automation vendors.

These flaws, tracked as CVE-2022-2848 and CVE-2022-2825, enable attackers to potentially crash servers, extract data, or execute code remotely through specially crafted OPC UA messages. 


Affected products include those from PTC, Rockwell Automation, GE Digital, and Software Toolbox. CISA issued an advisory recommending that organizations apply the vendor updates.


Such vulnerabilities in OPC servers, which often sit at the core of OT networks, pose significant risks to industrial control systems.

OPC UA Vulnerabilities exploited in ICS hacking competition

JFrog, a security solutions provider, unveiled vulnerabilities in the OPC UA protocol, including some exploited by its employees in a hacking competition. 

JFrog’s researchers found these flaws and presented them at Pwn2Own Miami 2022, where hackers earned rewards for ICS breaches. 


The vulnerabilities, which impact servers like the OPC UA .NET Standard and Unified Automation OPC UA C++ demo server, allow for Denial of Service (DoS) attacks. 

JFrog also reported eight other vulnerabilities in Unified Automation’s C++-based OPC UA Server SDK, which have since been patched.

Controller Attacks Industrial Control System

In early 2022, Mandiant, in collaboration with Schneider Electric, conducted an analysis of a set of new attack tools designed for industrial control systems (ICS) – referred to as INCONTROLLER or PIPEDREAM. 


These tools are tailored to target machine automation devices and can interact with specific industrial equipment used across various industries. While the specific operational targets remain uncertain, INCONTROLLER poses a significant threat to organizations using the affected equipment. 

It is believed to be state-sponsored and has capabilities related to disruption, sabotage, and potentially causing physical damage. INCONTROLLER is a rare and dangerous cyber threat akin to TRITON, INDUSTROYER, and STUXNET.

Learning the Machine language! OPC UA could be a Translator

Effective communication in networks and factories needs a common, easily spoken language standard, and that is exactly what communication platforms such as OPC UA provide for organizations. The OPC UA model can be used to communicate “synchronously” in all scenarios, including SCADA.

Other communication models are also available for securing industrial communication, such as the PubSub model, which enables even better scalability and improved communication performance.

The protocols depend on your needs and communication standards. Remember, strive for being secure rather than repent of being insecure!

Author: Anas Hasan

Date: September 27, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
