In the OPC UA SDK assessment, Digital Bond analyzed the OPC UA source code and binaries from the SDK. It should be noted that the source code will be unavailable to most OPC Foundation members.
As mentioned in Part 1 the overall code quality was quite good, but there were a small number of important [...]

As discussed in Part 3, mandating that an OPC UA server validate X.509 certificates prior to using them to create secure channels is essential. It is the foundation that all OPC UA security measures are built upon. Of course whenever you mention certificates and public key infrastructure [PKI] it makes people nervous. Understandably because PKI [...]

OPC UA is a complex, interleaved 12-part specification. To understand OPC UA security one has to read multiple parts of the specification, but we have provided an overview in an OPC UA SCADApedia page that continues to be developed.
The specification analysis portion of our assessment report had many findings at the Exposure, Concern and Observation [...]

Security assessments by their nature focus on negative findings that could lead to vulnerabilities, and the preponderance of our report focused on what Digital Bond viewed as security deficiencies in the OPC UA specification and SDK code. That said, there are numerous examples of positive findings and text in the report. In fact, there is [...]

Digital Bond has just completed a security assessment report on the OPC Unified Architecture [UA] protocol, and we will be issuing a series of blog posts supported with SCADApedia content on the results.
The assessment included both a paper security review of the multi-part OPC UA specification and an application assessment of the OPC Foundation’s Software [...]

Microsoft Security Bulletin MS08-008 Vulnerability in OLE Automation Could Allow Remote Code Execution issued today is likely to affect OPC servers. Remember that OPC was originally an acronym for OLE for Process Control.
This is a serious vulnerability rated Critical by Microsoft for most OS and would allow a remote attacker to run shell code after [...]

We mentioned AppID’s in our introduction of the OPC Security .audit files for use in compliance testing with the Nessus Vulnerability Scanner.
While it is not difficult to find the AppID for your OPC server, we have started a SCADApedia page with the AppID’s to help you out. A lot of this information came from Lluis [...]

Part 3 of the recently released OPC Security whitepaper series provided step by step instructions for implementing the available security measures for OPC clients and servers. It is complex, and we wondered if there was a simple way to audit OPC servers compliance with Part 3. We still are wondering, but we have a partial [...]

It was a very long time in the works, and I have to give Eric Byres a lot of credit for his diligence in getting reviews and incorporating feedback from a cast of thousands for Part III. The final part of the OPC Security Whitepaper Series written by Byres Research, Digital Bond and BCIT is [...]

The headline on this blog is hardly shocking, but software quality does not get enough attention in the control system community. We now have three strong data points that show all OPC servers are not created equal.
1. The latest is Landon’s work to verify configuration recommendations in Part III of the OPC Security whitepaper series. [...]