A Broken Chain: Discovering OPC UA Attack Surface and Exploiting the Supply Chain

Presented at Black Hat USA 2021, Aug. 5, 2021, 1:30 p.m. (40 minutes)

OPC Unified Architecture (OPC UA) is emerging as one of the most important architectures for industrial communication and the Industry 4.0 transformation. It is platform-independent, trusted for connecting industrial environments with IT and the cloud, and being adopted rapidly.

Yet with great trust comes great responsibility. The potential of the OPC UA protocol as an enabler for cyberattacks is tremendous. We therefore decided to evaluate the protocol itself thoroughly, without focusing on specific products. We reviewed the architecture's attack surface, including specifications, components, connection types, and communication stack implementations.

During our analysis of the communication stacks, we noticed an interesting tree of software supply chain branches. At the end of these branches were products using stack implementations made by a line of vendors, each modifying and extending the original (now legacy) implementation. How secure is a protocol after a chain of vendors have made customizations on top of a legacy implementation, based on an evolving specification? Spoiler alert: not very.

Using what we learned from the attack surface analysis, we had a few ideas for weak spots where different implementations might fail. Targeting the leading nodes in the tree revealed 9 zero-day vulnerabilities within the OPC Foundation stack and multiple SDKs, affecting a variety of industrial products at the end of the chain.

Going down the chain, we evaluated modifications at the product level while still remaining vendor-agnostic. Since many of the devices are embedded, we worked on a network-based, platform-independent fuzzer.

In this presentation, we will walk through the process of our research, the attack surface, and the software supply chain tree. Practical experience, insights, and the weak spots we detected will be shared, along with the vulnerabilities identified and the exploitation of different components: OPC UA servers, clients and PubSub subscribers.
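As an added illustration of the kind of network-level, platform-independent probing the abstract describes (this is not code from the talk or from OTORIO, and it reproduces none of the vulnerabilities the talk reports): a minimal Python codec for the OPC UA TCP transport layer (Part 6 binary encoding: Hello, Acknowledge and Error messages) together with a small mutation generator that drives deliberately inconsistent length fields through a fresh connection per case. The endpoint URL, the mutation set and the FakeServerSocket stand-in are constructed here so the harness runs offline; against a real target, `connect` would return a TCP socket to port 4840.

```python
"""OPC UA TCP transport (Part 6) Hello/Acknowledge/Error codec plus a
length-field mutation harness. Added example, not the talk's own tooling.
Layout: 3-byte MessageType, 1-byte reserved ('F'), uint32 MessageSize,
then the body; all integers little-endian."""
import struct

HEADER = struct.Struct("<3sBI")  # MessageType, Reserved, MessageSize

def encode_string(s):
    """OPC UA String: int32 byte length (-1 = null) followed by UTF-8 bytes."""
    if s is None:
        return struct.pack("<i", -1)
    data = s.encode("utf-8")
    return struct.pack("<i", len(data)) + data

def build_hello(endpoint_url, protocol_version=0, recv_buf=65536,
                send_buf=65536, max_msg=0, max_chunks=0):
    """Well-formed HEL message for the given endpoint URL."""
    body = struct.pack("<IIIII", protocol_version, recv_buf, send_buf,
                       max_msg, max_chunks) + encode_string(endpoint_url)
    return HEADER.pack(b"HEL", ord("F"), HEADER.size + len(body)) + body

def parse_message(data):
    """Decode an ACK or ERR reply into (type, fields); every length field is
    checked against the buffer before it is used to slice."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    mtype, reserved, size = HEADER.unpack_from(data)
    if reserved != ord("F") or size != len(data):
        raise ValueError("bad reserved byte or size %d != %d" % (size, len(data)))
    body = data[HEADER.size:]
    if mtype == b"ACK":
        if len(body) != 20:
            raise ValueError("ACK body must be 20 bytes")
        keys = ("ProtocolVersion", "ReceiveBufferSize", "SendBufferSize",
                "MaxMessageSize", "MaxChunkCount")
        return "ACK", dict(zip(keys, struct.unpack("<IIIII", body)))
    if mtype == b"ERR":
        if len(body) < 8:
            raise ValueError("ERR body too short")
        code, slen = struct.unpack_from("<Ii", body)
        if slen == -1:
            return "ERR", {"Error": code, "Reason": None}
        if slen < 0 or 8 + slen > len(body):
            raise ValueError("Reason length %d exceeds body" % slen)
        return "ERR", {"Error": code,
                       "Reason": body[8:8 + slen].decode("utf-8", "replace")}
    raise ValueError("unexpected message type %r" % mtype)

def mutate_hello(base):
    """Yield (label, bytes): the baseline Hello and variants whose length
    fields disagree with what is actually on the wire (constructed set)."""
    url_off = HEADER.size + 20  # offset of the EndpointUrl length field
    yield "baseline", base
    yield "size_overclaim", base[:4] + struct.pack("<I", 0xFFFFFFFF) + base[8:]
    yield "url_len_overclaim", base[:url_off] + struct.pack("<i", 0x7FFFFFFF) + base[url_off + 4:]
    yield "url_len_negative", base[:url_off] + struct.pack("<i", -2) + base[url_off + 4:]
    yield "truncated", base[:url_off + 2]
    yield "huge_buffers", (base[:HEADER.size + 4]
                           + struct.pack("<IIII", *([0xFFFFFFFF] * 4))
                           + base[HEADER.size + 20:])

def fuzz_endpoint(connect, endpoint_url, timeout=2.0):
    """Send each mutation over its own connection; `connect` returns a
    socket-like object (settimeout, sendall, recv, close). Records the reply
    type, 'closed' for an empty read, or the decode/socket error."""
    results = {}
    for label, msg in mutate_hello(build_hello(endpoint_url)):
        sock = connect()
        try:
            sock.settimeout(timeout)
            sock.sendall(msg)
            reply = sock.recv(4096)
            results[label] = parse_message(reply)[0] if reply else "closed"
        except (OSError, ValueError) as exc:
            results[label] = "error: %s" % exc
        finally:
            sock.close()
    return results

class FakeServerSocket:
    """Constructed stand-in for a server socket so the harness runs offline:
    answers a self-consistent Hello with ACK and drops anything else."""
    def __init__(self):
        self._reply = b""
    def settimeout(self, t):
        pass
    def sendall(self, msg):
        ok = False
        if len(msg) >= HEADER.size + 24:
            _, _, size = HEADER.unpack_from(msg)
            (slen,) = struct.unpack_from("<i", msg, HEADER.size + 20)
            ok = size == len(msg) and 0 <= slen == len(msg) - HEADER.size - 24
        if ok:
            self._reply = (HEADER.pack(b"ACK", ord("F"), 28)
                           + struct.pack("<IIIII", 0, 65536, 65536, 0, 0))
    def recv(self, n):
        return self._reply
    def close(self):
        pass

if __name__ == "__main__":
    for k, v in fuzz_endpoint(FakeServerSocket, "opc.tcp://example:4840").items():
        print("%-18s %s" % (k, v))
```

The interesting cases for a real target are those where the reply is neither ACK nor a clean ERR: a silent close, a hang past the timeout, or a transport error after a length field that exceeds the buffer, all of which point at the length handling the fuzzer is designed to exercise.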

Presenters:

  • Eran Jacob - Security Research Team Lead, OTORIO
    Eran Jacob is a security researcher and research team leader at OTORIO, specializing in network, application, and industrial security. Starting as an independent researcher, Eran became an offensive security research team leader in the Israel Defense Forces. Today, he is focused on securing industrial environments.
