
A Broken Chain: Discovering OPC UA Attack Surface and Exploiting the Supply Chain

Conference:  BlackHat USA 2021



The presentation discusses vulnerabilities in implementations of the OPC UA communication protocol and the software-supply-chain risk created by vendors building products on top of shared, modified communication stacks. It also stresses the importance of securing the protocol and surveys previous research in the area.
  • The OPC Foundation Security Working Group is actively working on securing the protocol
  • Previous research on OPC UA threats, specifications, and vulnerabilities has been published by BSI, Kaspersky, and Claroty
  • The OPC Foundation's .NET Standard communication stack has weak spots in its handling of complex data types, flexible encoding, and message security
  • The Softing C++ SDK, which many vendors build on, has vulnerabilities in the conversion from C structures to C++ objects
  • The PubSub part of OPC UA is another potential area of vulnerability
  • Reading the academic literature is recommended when securing your own OPC UA server or client
The presentation highlights a vulnerability in the .NET Standard communication stack in which an attacker can craft an XML document large enough to crash the stack. According to the talk, an attacker positioned in the IT network can exploit such flaws to retrieve sensitive files and send malicious requests into the internal network.


OPC Unified Architecture (OPC-UA) is emerging as one of the most important architectures for industrial communication and the Industry 4.0 transformation. It is platform-independent, trusted for connecting industrial environments with IT and the cloud, and is being rapidly adopted. Yet with great trust comes great responsibility: the potential of the OPC-UA protocol as an enabler for cyberattacks is tremendous. We therefore decided to thoroughly evaluate the protocol itself, without focusing on specific products. We reviewed the architecture's attack surface, including specifications, components, connection types, and communication stack implementations.

During our analysis of the communication stacks, we noticed an interesting tree of software supply chain branches. At the end of these branches were products using stack implementations made by a line of vendors, each modifying and extending the original (now legacy) implementation. How secure is a protocol after a chain of vendors have made customizations on top of a legacy implementation, based on an evolving specification? Spoiler alert: not very.

Using what we learned from the attack surface analysis, we had a few ideas for weak spots where different implementations might fail. Targeting the leading nodes in the tree revealed 9 zero-day vulnerabilities within the OPC Foundation stack and multiple SDKs, affecting a variety of industrial products at the end of the chain. Going down the chain, we evaluated modifications at the product level, while still remaining vendor-agnostic. Since many of the devices are embedded, we worked on a network-based, platform-independent fuzzer.

In this presentation, we will walk through the process of our research, the attack surface, and the software supply chain tree. Practical experience, insights, and the weak spots we detected will be shared, along with the vulnerabilities identified and the exploitation of different components: OPC-UA servers, clients, and PubSub subscribers.
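The weak spots summarized above (flexible encoding, oversized inputs that crash a stack) and the network-based fuzzer mentioned in the abstract share one root: decoders that act on an attacker-declared length before checking it against the bytes actually received. The following is an added example, not code from the talk or from any of the stacks it names. It decodes an OPC UA binary Hello message (laid out as in OPC UA Part 6: little-endian integers, and a String is an Int32 byte length followed by UTF-8 bytes, with -1 meaning null), shows the naive length-trusting String decode beside a hardened one, and includes a small length-field mutator in the spirit of the fuzzer. The limits MAX_MESSAGE_SIZE and MAX_STRING_LEN, the endpoint URL, and all function names are assumptions for the illustration.

```python
"""Added example (not code from the talk or from any OPC UA stack): decoding an
OPC UA binary Hello message with and without length-field validation.

Hello layout (OPC UA Part 6): "HEL" + "F" + MessageSize(UInt32) + ProtocolVersion,
ReceiveBufferSize, SendBufferSize, MaxMessageSize, MaxChunkCount (UInt32 each)
+ EndpointUrl(String). MAX_MESSAGE_SIZE and MAX_STRING_LEN are assumed local limits.
"""
import struct

MAX_MESSAGE_SIZE = 8192       # assumed cap on a single Hello message (bytes)
MAX_STRING_LEN = 4096         # assumed cap on the EndpointUrl length (bytes)
URL_LEN_OFFSET = 8 + 5 * 4    # 8-byte header + five UInt32 fields -> Int32 String length


class DecodeError(ValueError):
    """Raised by the hardened decoder for any malformed input."""


def decode_string_naive(buf: bytes, off: int):
    """The weak pattern: trust the declared length, then slice/allocate from it.
    In a C, C++ or .NET stack a huge or negative length here becomes an oversized
    allocation or an out-of-bounds read; in Python it silently yields a wrong value."""
    (n,) = struct.unpack_from("<i", buf, off)
    off += 4
    if n == -1:
        return None, off
    return buf[off:off + n].decode("utf-8"), off + n


def decode_string(buf: bytes, off: int, limit: int = MAX_STRING_LEN):
    """Hardened String decode: bound the length before touching the payload."""
    if off + 4 > len(buf):
        raise DecodeError("truncated String length prefix")
    (n,) = struct.unpack_from("<i", buf, off)
    off += 4
    if n == -1:                      # spec: -1 encodes a null String
        return None, off
    if n < 0:
        raise DecodeError(f"negative String length {n}")
    if n > limit:
        raise DecodeError(f"String length {n} exceeds limit {limit}")
    if off + n > len(buf):
        raise DecodeError("String length exceeds remaining bytes")
    try:
        return buf[off:off + n].decode("utf-8"), off + n
    except UnicodeDecodeError as exc:
        raise DecodeError("String is not valid UTF-8") from exc


def decode_hello(buf: bytes) -> dict:
    """Parse a complete Hello message, checking every length against the bytes held."""
    if len(buf) < 8:
        raise DecodeError("message shorter than the 8-byte header")
    if buf[:3] != b"HEL" or buf[3:4] != b"F":
        raise DecodeError("not a final Hello chunk")
    (size,) = struct.unpack_from("<I", buf, 4)
    if size > MAX_MESSAGE_SIZE:
        raise DecodeError(f"MessageSize {size} exceeds limit {MAX_MESSAGE_SIZE}")
    if size != len(buf):
        raise DecodeError("MessageSize does not match the bytes received")
    if size < URL_LEN_OFFSET + 4:
        raise DecodeError("message too short for the fixed Hello fields")
    ver, recv_buf, send_buf, max_msg, max_chunks = struct.unpack_from("<5I", buf, 8)
    url, end = decode_string(buf, URL_LEN_OFFSET)
    if end != size:
        raise DecodeError("trailing bytes after EndpointUrl")
    return {"protocol_version": ver, "receive_buffer_size": recv_buf,
            "send_buffer_size": send_buf, "max_message_size": max_msg,
            "max_chunk_count": max_chunks, "endpoint_url": url}


def encode_hello(url: str, version: int = 0, recv_buf: int = 65536,
                 send_buf: int = 65536, max_msg: int = 0, max_chunks: int = 0) -> bytes:
    """Build a well-formed Hello message (used as the fuzzing seed below)."""
    url_bytes = url.encode("utf-8")
    body = struct.pack("<5I", version, recv_buf, send_buf, max_msg, max_chunks)
    body += struct.pack("<i", len(url_bytes)) + url_bytes
    return b"HELF" + struct.pack("<I", 8 + len(body)) + body


def mutated_hellos(seed: bytes):
    """Minimal length-field mutator: keep MessageSize consistent so the header checks
    pass, and corrupt only the EndpointUrl length with boundary values."""
    real_len = struct.unpack_from("<i", seed, URL_LEN_OFFSET)[0]
    for bad in (-2, -2**31, 2**31 - 1, MAX_STRING_LEN + 1, real_len + 1):
        yield bad, seed[:URL_LEN_OFFSET] + struct.pack("<i", bad) + seed[URL_LEN_OFFSET + 4:]


def compare_decoders(seed: bytes = b"") -> dict:
    """For each mutation, record whether the naive and the hardened decoder raised."""
    seed = seed or encode_hello("opc.tcp://plc.example:4840")   # constructed sample URL
    results = {}
    for bad, msg in mutated_hellos(seed):
        try:
            decode_string_naive(msg, URL_LEN_OFFSET)
            naive_raised = False
        except Exception:            # broad on purpose: any crash counts as "raised"
            naive_raised = True
        try:
            decode_hello(msg)
            hardened_raised = False
        except DecodeError:
            hardened_raised = True
        results[bad] = (naive_raised, hardened_raised)
    return results


if __name__ == "__main__":
    for bad, (naive, hard) in compare_decoders().items():
        print(f"declared length {bad:>12}: naive raised={naive}  hardened rejected={hard}")
```

Note that the naive decoder never raises on any of the mutated messages: in Python a bad slice just returns the wrong bytes, whereas a native or managed stack would allocate from the declared length or read past the buffer. The hardened decoder rejects every mutation before it touches the payload, and the MessageSize-versus-bytes-received check is what keeps an oversized declared size from driving a large allocation in the first place.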




Related work

Conference:  Defcon 31
Authors: Sharon Brizinov Director of Security Research @ Claroty Team82, Noam Moshe Vulnerability Researcher @ Claroty Team82