Resting on Feet of Clay: Securely Bootstrapping OPC UA Deployments

While most protocols in industrial control systems (ICS) rarely implement security features, the OPC Foundation's Unified Architecture (OPC UA) promises security features such as authentication, authorization, integrity, and confidentiality. Nevertheless, researchers have found large numbers of insecurely configured OPC UA devices exposed to the Internet. That means that specified security features will not always lead to secure systems in practice. Challenges in the adoption of those security features by product vendors, libraries implementing the standard, and end-users were not investigated so far. In particular, the initial distribution of public keys is a fundamental issue.On the Internet, the initial distribution of public keys is commonly solved by shipping devices (or OS) with certificates of a set of core root certificate authorities (CAs). Servers (identified by unique DNS names) then provide certificates authenticated directly (or indirectly) by those root CAs. Such a solution is not possible for ICS networks, as they are air-gapped and do not provide (externally verifiable) unique addressing. Local self-signed CAs are an alternative, but their certificates will not be shipped together with devices newly introduced into the system. That implies that bootstrapping the security in an OPC UA system critically relies on the manual pre-distribution of certificates. In this talk, we will discuss the practical challenges to configure OPC UA securely. We review 48 publicly available artifacts consisting of products and libraries for OPC UA and show that 38 out of the 48 artifacts have one (or more) security issues related to missing support for certificate management features or recommend insecure behaviors for certificate exchange. Consequently, relying on those products and libraries will result in vulnerable implementations of OPC UA security features. Based on the identified security pitfalls in OPC UA implementations, we will implement and demonstrate three attacks that exploit insecure features in key exchange and management. Through these attacks, we will demonstrate that signed and encrypted OPC UA traffic does not guarantee any security property and it is possible to steal user credentials, eavesdrop on process information, manipulate the physical process through sensor values and actuator commands, and prevent the detection of anomalies in the physical process. We will showcase a video of these attacks implemented on an Industrial testbed operated with OPC UA.In conclusion, we will discuss possible countermeasures against the presented attacks.