OPC UA provides countermeasures to resist threats to the security of the information that is communicated. The sub clause 4.3 list the currently known threats to environments in which OPC UA will be deployed, and Sub-clause 5.1 reconciles these threats against the OPC UA functions.
The prevention of authorized access to a system resource or the delaying of system operations and functions. This can occur from a number of different attacks vectors including message flooding, resource exhaustion and application crashes. Each of these are described separately.
See 5.1.2 for the reconciliation of this threat.
For Client-Server, an attacker can send a large volume of Messages, or a single Message that contains a large number of requests, with the goal of overwhelming the OPC UA Server or dependent components such as CPU, TCP/IP stack, operating system, or the file system. Flooding attacks can be conducted at multiple layers including OPC UA, HTTP or TCP.
Message flooding attacks can also target a Client, although this is less of a risk, since the Client chooses who to connect to. A Client might receive a flood from a compromised Server which might disrupt the Application.
Message flooding attacks can use both well-formed and malformed Messages. In the first scenario, the attacker could be a malicious person using a legitimate Client to flood the Server with requests. Two cases exist, one in which the Client does not have a Session with the Server and one in which it does. Message flooding may impair the ability to establish OPC UA Sessions or terminate an existing Session. In the second scenario, an attacker could use a malicious Client that floods an OPC UA Server with malformed Messages in order to exhaust the Server’s resources.
For PubSub, an attacker can send a large volume of dataset messages with the goal of overwhelming the subscriber, the middleware or dependent components such as CPU, TCP/IP stack, operating system, or the file system. Flooding attacks can be conducted at multiple layers including OPC UA, UDP, AMQP, MQTT.
As in Client-Server, PubSub message flooding attacks can use both well-formed and malformed Messages. For well-formed Messages, the attacker could be one in which the publisher is not a member of the SecurityGroup and one in which it is a member. For malformed Messages, an attacker could use a malicious Publisher that floods a network with malformed Messages in order to exhaust the system’s resources.
In general, Message flooding may impair the ability to communicate with an OPC UA entity and result in denial of service.
An attacker can send a limited number of messages that obtain a resource on the system. The commands are typically valid, but they each use up a resource resulting in a single Client obtaining all resources blocking valid Clients from accessing the Server. For example, on a Server in which only 10 Sessions are available a malicious person using a legitimate Client, might obtain all 10 Sessions. Or a malicious Client might try to open 10 secure channels, without actually completing the process.
Resource exhaustion attacks do not occur in the same manner for PubSub communications since no session or resources are allocated. For PubSub communication, the Publisher is not susceptible. In broker-less PubSub communication, the Subscriber can, with the use of filters, bypass any resource exhaustion issues. In broker case, both the Publisher and Subscriber must connect to the broker. Although the Publisher and Subscriber are not directly susceptible (as in the broker-less case), the broker is susceptible. The details for broker communication is not part of OPC UA but is defined by the broker protocol.
An attacker can send special message that will cause an application to crash. This is usually the result of a known problem in a stack or application. These system bugs can allow a Client to issue a command that would cause the Server to crash, as an alternate it might be a Server that can respond to a legitimate message with a response that would cause the Client to crash. The attacker could also be a Publisher that issues a Message that would cause Subscribers to crash.
Eavesdropping is the unauthorized disclosure of sensitive information that might result directly in a critical security breach or be used in follow-on attacks.
If an attacker has compromised the underlying operating system or the network infrastructure, then the attacker might be able to record and capture Messages. It may be beyond the capability of a Client or Server to recover from a compromised operating system.
See 5.1.3 for the reconciliation of this threat.
This includes feigning identities (user, application, process etc.). An attacker may forge Messages from a Client or a Server or a Publisher where the messages are forged to attempt to appear to be from an application other that the sending application or process. Spoofing may occur at multiple layers in the protocol stack.
See 5.1.4 for the reconciliation of this threat.
See 5.1.5 for the reconciliation of this threat.
Network traffic and valid application layer Messages may be captured and resent to OPC UA Clients, Servers and Subscribers at a later stage without modification. An attacker could misinform the user or send a valid command such as opening a valve but at an improper time, so as to cause damage or property loss. An attacker may attempt to establish a Session using a recorded Session.
The OPC UA Client, Server or Subscriber may incorrectly handle certain malformed Messages by performing unauthorized operations or processing unnecessary information. It might result in a denial or degradation of service including termination of the application or, in the case of embedded devices, a complete crash. In a worst-case scenario an attacker could use malformed Messages as a pre-step for a multi-level attack to gain access to the underlying system of an OPC UA Application.
See 5.1.7 for the reconciliation of this threat.
An attacker tries to deduce the identity, type, software version, or vendor of the Server or Client in order to apply knowledge about specific vulnerabilities of that product to mount a more intrusive or damaging attack. The attacker might profile the target by sending valid or invalid formatted Messages to the target and try to recognize the type of target by the pattern of its normal and error responses.
Server profiling impacts all of the security objectives indirectly.
See 5.1.8 for the reconciliation of this threat.
An attacker may use information (retrieved by sniffing the communication or by guessing) about a running Session established between two applications to inject manipulated Messages (with valid session information) that allow him or her to take over the Session from the authorized user.
An attacker may gain unauthorized access to data or perform unauthorized operations.
Session hijacking impacts all of the security objectives.
See 5.1.9 for the reconciliation of this threat.
An attacker builds a malicious OPC UA Server or installs an unauthorized instance of a genuine OPC UA Server in a system. The rogue Server may attempt to masquerade as a legitimate UA Server or it may simply appear as a new Server in the system.
The OPC Client may disclose confidential information.
See 5.1.10 for the reconciliation of this threat.
An attacker who builds a malicious OPC UA Publisher or installs an unauthorized instance of a genuine OPC UA Publisher in a system. The rogue Publisher may attempt to masquerade as a legitimate UA Publisher or it may simply appear as a new Publisher in the system.
See 5.1.10 for the reconciliation of this threat.
An attacker obtains user credentials such as usernames, passwords, Certificates, or keys by observing them on papers, on screens, or in electronic communications, or by cracking them through guessing or the use of automated tools such as password crackers.
An unauthorized user could launch and access the system to obtain all information and make control and data changes that harm plant operation or information. Once compromised credentials are used, subsequent activities may all appear legitimate.
See 5.1.11 for the reconciliation of this threat.
This is not a direct attack, since it is not about communication, but it is the trust following the communication. Repudiation causes trust issues with either the sender or the receiver of the data.
See 5.1.12 for the reconciliation of this threat.