OPC Foundation reviews Kaspersky Labs report; identifies security improvements | Automation.com


May 21, 2018 – The Kaspersky Labs report issued on May 10th, 2018 has garnered a lot of media attention based on its claim of having identified 17 security issues in some OPC UA implementations. The OPC Foundation has been and continues to be committed to ensuring the OPC UA standard provides the highest levels of security, and as such has reviewed the claims made in the Kaspersky report and found that:

  1. Eight issues were associated with an OPC Foundation ANSI-C sample server application that was provided with the ANSI-C stack code in GitHub. These issues did not affect the ANSI-C stack itself or products based on commercial SDKs. Nevertheless, all issues have been fixed.

  2. Six issues were associated with the OPC Foundation server enumerator (LDS). These were fixed in 2017 and a CVE was published. These issues were not exploitable remotely.

  3. Three issues affected some products in the field.  Specifically:
    1. One issue was specific to a product from a vendor who published a CVE in 2016;
    2. The second issue is specific to a product from a vendor who is working on a fix and will report it to US ICS CERT as soon as possible;
    3. The third issue affected a legacy .NET stack that was promptly fixed by the OPC Foundation in 2017.  OPC users were notified of this issue via a CVE in 2017.

In addition, to alleviate potential confusion the Kaspersky Labs report may have created about the security the OPC UA standard offers, the OPC Foundation emphasizes that: 

  • The OPC UA software ecosystem is composed of multiple commercial OPC UA SDK/Toolkit vendors that offer tested and documented products.
  • The vast majority of OPC UA products are based on these commercial OPC UA SDK/Toolkits and are not affected by the issues with the ANSI-C sample server application published on GitHub.
  • The OPC Foundation works cooperatively with vendors to have the open source code base tested by external security organizations and have those results incorporated into GitHub.

The adoption of OPC UA on a global basis reflects the market’s need for secure, open data connectivity and interoperability in manufacturing and beyond. This means that the OPC UA standard and its various open-source implementations are continuously subjected to close scrutiny by many in the large and active OPC UA community.

The OPC Foundation is committed to addressing all issues as they arise, to working with OPC vendors to ensure that software is patched, and to notifying OPC users about the issues and the fixes. The OPC Foundation will continue to provide its users with the foundation that they expect from an industrial interoperability standard. 

About the OPC Foundation

Since 1996, the OPC Foundation has facilitated the development and adoption of the OPC information exchange standards. As both advocate and custodian of these specifications, the Foundation’s mission is to help industry vendors, end-users, and software developers maintain interoperability in their manufacturing and automation assets. 
