Digital Bond has just completed a security assessment report on the OPC Unified Architecture [UA] protocol, and we will be issuing a series of blog posts supported with SCADApedia content on the results.

The assessment included both a paper security review of the multi-part OPC UA specification and an application assessment of the OPC Foundation’s Software Development Kit [SDK]. The SDK consists of a communication stack that vendors can build OPC UA applications on top of as well as sample client and server applications. The OPC UA security controls are in the communication stack. You can think of this as an assessment of a library with the sample client and server exercising the library.

This is an ideal time to review OPC UA security. The specifications are complete enough to support a review, and the SDK that many vendors will use to develop OPC UA client and server applications is out in beta, and OPC UA is not yet used in production systems. So by identifying and correcting vulnerabilities now, we can prevent them from getting deployed and avoid the reluctance and difficulty in making changes in operational systems.

The tentative organization of this series is:

• Part 1: Intro
• Part 2: Positive Findings
• Part 3: Specification Vulnerabilities
• Part 4: SDK Vulnerabilities
• Part 5: OPC UA Vendor Implementation Vulnerabilities
• Part 6: Asset Owner Tip Sheet to Analyzing The Security of Competitive OPC UA Servers
• Part 7: Specification and SDK Improvements

One last point that is important to highlight in this introduction is the OPC Foundation’s interest in security. The OPC Foundation took an attitude that is still all too rare. They were eager and supportive of this assessment. In addition to the specification and SDK that any member can get, the OPC Foundation also provided the source code. In return, Digital Bond provided the OPC Foundation the full assessment report including findings and recommendations.

In discussions throughout the assessment it was very clear the OPC Foundation wanted to identify any security problems, and they wanted to fix them. In fact, you will note that Part 7 will list how the OPC Foundation has addressed and corrected the majority of the findings. We are aware a lot of this is already done or in process, but we will hold off on Part 7 until the revised specification and SDK are available.