OPC UA provides countermeasures to resist threats to the security of the information that is communicated. The sub clause 4.3list the currently known threats to environments in which OPC UA will be deployed, and Sub-clause 5.1reconciles these threats against the OPC UA functions.

The prevention of authorized access to a system resource or the delaying of system operations and functions. This can occur from a number of different attacks vectors including message flooding, resource exhaustion and application crashes. Each of these are described separately.

Denial of Serviceimpacts Availability.

See 5.1.2for the reconciliation of this threat.

For Client-Server, an attacker can send a large volume of Messages, or a single Messagethat contains a large number of requests, with the goal of overwhelming the OPC UA Serveror dependent components such as CPU, TCP/IP stack, operating system, or the file system. Flooding attacks can be conducted at multiple layers including OPC UA, HTTP or TCP.

Message flooding attacks can also target a Client, although this is less of a risk, since the Clientchooses who to connect to. A Clientmight receive a flood from a compromised Server which might disrupt the Application.

Messageflooding attacks can use both well-formed and malformed Messages. In the first scenario, the attacker could be a malicious person using a legitimate Clientto flood the Serverwith requests. Two cases exist, one in which the Clientdoes not have a Session with the Serverand one in which it does. Messageflooding may impair the ability to establish OPC UA Sessionsor terminate an existing Session. In the second scenario, an attacker could use a malicious Clientthat floods an OPC UA Serverwith malformed Messages in order to exhaust the Server’s resources.

For PubSub, an attacker can send a large volume of dataset messages with the goal of overwhelming the subscriber, the middleware or dependent components such as CPU, TCP/IP stack, operating system, or the file system. Flooding attacks can be conducted at multiple layers including OPC UA, UDP, AMQP, MQTT.

As in Client-Server, PubSubmessage flooding attacks can use both well-formed and malformed Messages. For well-formed Messages, the attacker could be one in which the publisher is not a member of the SecurityGroupand one in which it is a member. For malformed Messages, an attacker could use a malicious Publisherthat floods a network with malformed Messagesin order to exhaust the system’s resources.

In general, Messageflooding may impair the ability to communicate with an OPC UA entity and result in denial of service.

An attacker can send a limited number of messages that obtain a resource on the system. The commands are typically valid, but they each use up a resource resulting in a single Clientobtaining all resources blocking valid Clientsfrom accessing the Server. For example, on a Serverin which only 10 Sessionsare available a malicious person using a legitimate Client, might obtain all 10 Sessions. Or a malicious Clientmight try to open 10 secure channels, without actually completing the process.

Resource exhaustion attacks do not occur in the same manner for PubSubcommunications since no session or resources are allocated. For PubSubcommunication, the Publisheris not susceptible. In broker-less PubSubcommunication, the Subscribercan, with the use of filters, bypass any resource exhaustion issues. In broker case, both the Publisherand Subscribermust connect to the broker. Although the Publisherand Subscriberare not directly susceptible (as in the broker-less case), the broker is susceptible. The details for broker communication is not part of OPC UA but is defined by the broker protocol.

An attacker can send special message that will cause an application to crash. This is usually the result of a known problem in a stack or application. These system bugs can allow a Clientto issue a command that would cause the Serverto crash, as an alternate it might be a Serverthat can respond to a legitimate message with a response that would cause the Clientto crash. The attacker could also be a Publisherthat issues a Messagethat would cause Subscribersto crash.

Eavesdropping is the unauthorized disclosure of sensitive information that might result directly in a critical security breach or be used in follow-on attacks.

If an attacker has compromised the underlying operating system or the network infrastructure, then the attacker might be able to record and capture Messages. It may be beyond the capability of a Clientor Serverto recover from a compromised operating system.

Eavesdropping impacts Confidentialitydirectly and if session establishment is not secured Authenticationand Authorization. It also indirectly threatens all other security objectives.

See 5.1.3for the reconciliation of this threat.

This includes feigning identities (user, application, process etc.). An attacker may forge Messages from a Clientor a Serveror a Publisherwhere the messages are forged to attempt to appear to be from an application other that the sending application or process. Spoofing may occur at multiple layers in the protocol stack.

By spoofing Messages from a Client,a Server orPublisher, attackers may perform unauthorized operations and avoid detection of their activities.

Messagespoofing impacts Integrityand Authorization.

See 5.1.4for the reconciliation of this threat.

Network traffic and application layer Messages may be captured or modified and forwarded to OPC UA Clients, Servers, andSubscribers. Messagealteration may allow illegitimate access to a system.

Messagealteration impacts Integrity, Authorization, Auditability, Non-Repudiation and during session / secure channel establishment Authentication.

See 5.1.5for the reconciliation of this threat.

Network traffic and valid application layer Messages may be captured and resent to OPC UA Clients, Serversand Subscribersat a later stage without modification. An attacker could misinform the user or send a valid command such as opening a valve but at an improper time, so as to cause damage or property loss. An attacker may attempt to establish a Sessionusing a recorded Session.

Messagereplay impacts Authorization and during Session/ secure channel establishment Authentication.See 5.1.6for the reconciliation of this threat.

An attacker can craft a variety of Messages with invalid Messagestructure (malformed XML, UA Binary, etc.) or data values, and send them to OPC UA Clients, Servers orSubscribers.

The OPC UA Client, Server orSubscribermay incorrectly handle certain malformed Messages by performing unauthorized operations or processing unnecessary information. It might result in a denial or degradation of service including termination of the application or, in the case of embedded devices, a complete crash. In a worst-case scenario an attacker could use malformed Messages as a pre-step for a multi-level attack to gain access to the underlying system of an OPC UA Application.

Malformed Messages impacts Integrityand Availability.

See 5.1.7for the reconciliation of this threat.

An attacker tries to deduce the identity, type, software version, or vendor of the Serveror Clientin order to apply knowledge about specific vulnerabilities of that product to mount a more intrusive or damaging attack. The attacker might profile the target by sending valid or invalid formatted Messages to the target and try to recognize the type of target by the pattern of its normal and error responses.

Serverprofiling impacts all of the security objectives indirectly.

See 5.1.8for the reconciliation of this threat.

An attacker may use information (retrieved by sniffing the communication or by guessing) about a running Session established between two applications to inject manipulated Messages (with valid session information) that allow him or her to take over the Session from the authorized user.

An attacker may gain unauthorized access to data or perform unauthorized operations.

Session hijacking impacts all of the security objectives.

See 5.1.9for the reconciliation of this threat.

An attacker builds a malicious OPC UA Serveror installs an unauthorized instance of a genuine OPC UA Serverin a system. The rogue Servermay attempt to masquerade as a legitimate UA Serveror it may simply appear as a new Serverin the system.

The OPC Clientmay disclose confidential information.

A rogue Serverimpacts all of the security objectives except Integrity andNon-Repudiation.

See 5.1.10for the reconciliation of this threat.

An attacker who builds a malicious OPC UA Publisheror installs an unauthorized instance of a genuine OPC UA Publisherin a system. The rogue Publishermay attempt to masquerade as a legitimate UA Publisheror it may simply appear as a new Publisherin the system.

A rogue Publisherimpacts all of the security objectives except Integrity andNon-Repudiation.

See 5.1.10for the reconciliation of this threat.

An attacker obtains user credentials such as usernames, passwords, Certificates, or keys by observing them on papers, on screens, or in electronic communications, or by cracking them through guessing or the use of automated tools such as password crackers.

An unauthorized user could launch and access the system to obtain all information and make control and data changes that harm plant operation or information. Once compromised credentials are used, subsequent activities may all appear legitimate.

Compromised user credentials impact Authentication, Authorization andConfidentiality.

See 5.1.11for the reconciliation of this threat.

This is not a direct attack, since it is not about communication, but it is the trust following the communication. Repudiationcauses trust issues with either the sender or the receiver of the data.

RepudiationimpactsNon-Repudiation.

See 5.1.12for the reconciliation of this threat.