Examining the Armor of OPC-UA Security

Nov. 13, 2007
Centuries of conflict have seen technology develop from cowhides to Kevlar and beyond, but when talking of securing the realm, the image of a knight in shining armor still comes to mind.

By Eric Murphy, ControlGlobal.com Columnist

The need to protect ourselves is as old as humankind. In the business and manufacturing kingdoms, cyber threats are the foe and OPC is the champion of secure interoperability. As OPC-UA rides off into battle, what kind of armor and weaponry does it have?

Surveying the Battleground

OPC UA interfaces components at all levels of industrial facilities: from top level enterprise management to embedded devices at the process control layer. These systems may involve dealings with customers and suppliers, or interface to critical control and monitoring applications. The opportunity to disrupt these communications and resulting economic impacts or safety and environmental consequences make them attractive targets for industrial sabotage. OPC-UA can be deployed in a diverse range of operational environments with varying degrees of risk and security mechanisms. Therefore, OPC-UA must provide a wide and flexible set of security mechanisms.

Knight in Shining Armor

Realistically no singular security implementation or mechanism can ride in and protect against every conceivable threat. Fundamentally, information system security reduces the damage from attacks by identifying system threats and vulnerabilities then providing countermeasures. The countermeasures reduce vulnerabilities directly, counteract threats, or recover from successful attacks. Protecting industrial automation systems means meeting a set of objectives which represent the key areas of interest. OPC-UA is designed to meet the following security objectives:

Authentication - Clients, servers, and users should prove their identities based on something the entity knows.
Authorization - The access to read, write, or execute resources should be authorized for only those entities that have a need for that function within the requirements of the system. The granularity of Authorization can be high level, such as server access or finely tuned such as allowing specific actions on specific information items by specific users.
Confidentiality - Data must be protected from passive attacks such as eavesdropping by using data encryption algorithms.
Integrity - Receivers must receive the same information that the sender sent without the data being changed during transmission. Integrity can be threatened by communication hijacking or by altering or replaying messages.
Auditability - System usage must be checked to ensure the security measures are effective. Rigorous audits provide evidence of secure operation to stakeholders. The system supports auditing by recording events that are evidence of security working both well and poorly. These events include new connections, configuration changes, and security error responses to calls.
Availability - Availability is impaired when the execution of software that needs to run is disrupted or the communication system is overwhelmed by processing input.

These security objectives have been refined through many years of experience in providing security for information systems. Despite the ever-changing threats to systems, these primary objectives generally remain constant.

Know Thy Enemy - The Rogues Gallery

In order to determine if your protection is adequate, it is first important to know who the adversary will most likely be. In terms of information system security, that means knowing the threats to the environments in which OPC-UA is deployed. OPC-UA provides mechanisms and countermeasures for the following threats:

Message Flooding - An attacker can send a large volume of messages, or a single message that contains a large number of requests, with the goal of overwhelming the OPC server or supporting components. Message flooding may impair the ability to communicate with an OPC-UA entity and result in denial of service.
Eavesdropping - Eavesdropping is the unauthorized disclosure of sensitive information that might result directly in a critical security breach or be used in follow-on attacks.
Message Spoofing - An attacker may forge messages from the client or server. By spoofing messages from the client or server, attackers may perform unauthorized operations and avoid detection of their activities.
Message Alteration - Network traffic and application layer messages may be captured, modified, and the modified message sent forward to OPC clients and servers. Message alteration allows illegitimate access to a system.
Message Replay - Network traffic and valid application messages may be captured and resent to OPC clients and servers at a later stage without modification. An attacker could misinform the user or send an improper command, such as a command to open a valve at the wrong time.
Malformed Messages - An attacker can create invalid messages or data values and send them to OPC-UA clients or servers. The OPC client or server may handle the malformed message incorrectly, resulting in termination of the application or a system crash.
Server Profiling - An attacker tries to deduce the identity, type, software version, or vendor of the OPC-UA product in order to apply knowledge about specific vulnerabilities in order to mount a more intrusive or damaging attack.
Session Hijacking - An attacker takes over an existing session and injects validly formatted OPC-UA messages into it.
Rogue Server - An attacker builds a malicious OPC-UA server or installs an unauthorized instance of a genuine OPC-UA server.
Compromising User Credentials - An attacker obtains user credentials such as usernames, passwords, certificates, or keys. An unauthorized user could then access the system, obtain all of its information, and make control and data changes that harm plant operation or information. Once compromised credentials are used, subsequent activities may all appear legitimate.

Meeting the Charge

After the lay of the land is known, and the measure of the opponent taken, the next step is to tighten the straps and check for chinks in the armor. OPC-UA is well designed to reconcile the security objectives against the threats ranged against it.

OPC-UA minimizes the loss of availability caused by Message Flooding by minimizing the amount of processing that must be done with a message before the message is authenticated. This prevents an attacker from leveraging a small amount of effort to cause the legitimate OPC-UA Application to spend a large amount of time responding. OPC-UA provides well-defined encryption and decryption to protect against Eavesdropping and other passive attacks. Message Spoofing and Message Alteration are countered by the ability to sign messages and by providing valid session identification. The session identification, along with individual message timestamps and sequence numbers, also ensures that Message Replay does not occur without detection. OPC-UA specifies the proper form and parameter range that OPC-UA client and server products must check for in order to protect against Malformed Messages. Security issues such as Server Profiling, Session Hijacking, Rogue Servers and Compromised User Credentials are countered by limiting and encrypting the information provided between clients and servers.
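The following is an added example, not code from the article or from the OPC Foundation, showing how the countermeasures described above for the threats in the Rogues Gallery fit together on the receiving side. It uses a constructed, simplified JSON message format signed with HMAC-SHA256 rather than the real OPC-UA binary encoding, and the node identifiers, value ranges, session key and tolerance window are all assumed for illustration. The ordering of the checks is the point: the cheapest checks and the signature verification run before any state is touched, so an unauthenticated sender cannot force expensive work, and a replayed, altered, cross-session or out-of-range message is rejected before it can change a setpoint.

```python
import hashlib
import hmac
import json
import time

# Constructed example: a minimal signed message format, NOT the OPC UA binary
# encoding. It shows how session id, sequence number, timestamp, signature and
# parameter-range checks combine to counter spoofing, alteration, replay,
# flooding and malformed messages on the server side.

MAX_MESSAGE_BYTES = 4096        # reject oversized input before parsing (flooding)
CLOCK_TOLERANCE_SECONDS = 30    # freshness window for message timestamps (assumed)

# Constructed "address space": writable nodes and their valid parameter ranges
WRITABLE_NODES = {
    "ns=2;s=ValveSetpoint": (0.0, 100.0),   # percent open
    "ns=2;s=PumpSpeed": (0.0, 3000.0),      # rpm
}


def canonical_bytes(body):
    """Deterministic encoding of the message body, so signer and verifier agree."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(session_key, body):
    """Client side: wrap the body with an HMAC-SHA256 signature over its canonical form."""
    sig = hmac.new(session_key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "sig": sig}).encode()


class SecureChannel:
    """Server-side state for one session: its key, its id, and the last sequence number seen."""

    def __init__(self, session_id, session_key, now=time.time):
        self.session_id = session_id
        self.session_key = session_key
        self.last_sequence = 0
        self.now = now  # injectable clock so the checks are testable

    def receive(self, raw):
        # 1. Cheapest check first: bound the work an unauthenticated sender can cause.
        if len(raw) > MAX_MESSAGE_BYTES:
            return "too_large"
        try:
            envelope = json.loads(raw)
            body, sig = envelope["body"], envelope["sig"]
        except (ValueError, KeyError, TypeError):
            return "malformed"
        # 2. Authenticate before any further processing (spoofing and alteration).
        expected = hmac.new(self.session_key, canonical_bytes(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "bad_signature"
        # 3. Session identification: a message bound to another session is rejected.
        if body.get("session_id") != self.session_id:
            return "wrong_session"
        # 4. Sequence number must strictly increase (replay detection).
        seq = body.get("sequence")
        if not isinstance(seq, int) or seq <= self.last_sequence:
            return "replay"
        # 5. Timestamp freshness (replay of an old capture, or a stale message).
        ts = body.get("timestamp")
        if not isinstance(ts, (int, float)) or abs(self.now() - ts) > CLOCK_TOLERANCE_SECONDS:
            return "stale"
        # 6. Proper form and parameter range (malformed message protection).
        node, value = body.get("node"), body.get("value")
        if node not in WRITABLE_NODES or not isinstance(value, (int, float)):
            return "malformed"
        low, high = WRITABLE_NODES[node]
        if not (low <= value <= high):
            return "out_of_range"
        # Every check passed: only now commit state and act on the request.
        self.last_sequence = seq
        return "accepted"


def demo(now=time.time):
    """One valid write, then the same bytes replayed, an altered copy, and an out-of-range write."""
    key = b"constructed-session-key-not-real"
    channel = SecureChannel("session-42", key, now=now)
    body = {"session_id": "session-42", "sequence": 1, "timestamp": now(),
            "node": "ns=2;s=ValveSetpoint", "value": 55.0}
    signed = sign_message(key, body)
    results = [channel.receive(signed)]            # accepted
    results.append(channel.receive(signed))        # identical bytes again: replay
    envelope = json.loads(signed)
    envelope["body"]["value"] = 99.0               # tamper with the body, keep the old signature
    results.append(channel.receive(json.dumps(envelope).encode()))   # bad_signature
    body2 = dict(body, sequence=2, value=250.0)    # properly signed, but outside the valid range
    results.append(channel.receive(sign_message(key, body2)))        # out_of_range
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints `['accepted', 'replay', 'bad_signature', 'out_of_range']`. Note that the receiver updates `last_sequence` only after every check has passed, so a rejected message cannot advance the window and lock out the legitimate client's next message.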

Solid Armor is Just Part of the Protection

A knight riding into battle can only rely on armor for so much. The right helmet, shield and weapons are also required. More importantly, no one wins the fight alone. Even the knight in shining armor looks to his cavalry and archers for support. OPC-UA provides well-rounded security measures that are designed to integrate into a site’s overall Cyber Security Management system. Such systems address policy and procedures, personnel, responsibilities, audits, and physical security of a site. Resulting security controls implement a “defense-in-depth” strategy that provides multiple security layers and recognizes that no single layer can protect against all attacks.

The OPC-UA specifications place key security requirements upon conformant client and server products. They also provide best-practice deployment recommendations in order to meet the anticipated security needs of users. Clearly, OPC-UA is well equipped to secure system interoperability within its realm.