The prevention of authorized access to a system resource or the delaying of system operations and functions. This can occur from a number of different attacks vectors including message flooding, resource exhaustion and application crashes. Each of these are described separately.

Denial of Serviceimpacts Availability.

See 5.1.2for the reconciliation of this threat.

For Client-Server, an attacker can send a large volume of Messages, or a single Messagethat contains a large number of requests, with the goal of overwhelming the OPC UA Serveror dependent components such as CPU, TCP/IP stack, operating system, or the file system. Flooding attacks can be conducted at multiple layers including OPC UA, SOAP, [HTTP] or TCP.

Messageflooding attacks can use both well-formed and malformed Messages. In the first scenario, the attacker could be a malicious person using a legitimate Clientto flood the Serverwith requests. Two cases exist, one in which the Clientdoes not have a Session with the Serverand one in which it does. Messageflooding may impair the ability to establish OPC UA Sessionsor terminate an existing Session. In the second scenario, an attacker could use a malicious Clientthat floods an OPC UA Serverwith malformed Messages in order to exhaust the Server’s resources.

For PubSub, an attacker can send a large volume of dataset messages with the goal of overwhelming the subscriber, the middleware or dependent components such as CPU, TCP/IP stack, operating system, or the file system. Flooding attacks can be conducted at multiple layers including OPC UA, UDP, AMQP, MQTT.

As in Client-Server, PubSubmessage flooding attacks can use both well-formed and malformed Messages. For well-formed Messages, the attacker could be one in which the publisher is not a member of the SecurityGroupand one in which it is a member. For malformed Messages, an attacker could use a malicious Publisherthat floods a network with malformed Messagesin order to exhaust the system’s resources.

In general, Messageflooding may impair the ability to communicate with an OPC UA entity and result in denial of service.

An attacker can send a limited number of messages that obtain a resource on the system. The commands are typically valid, but they each use up a resource resulting in a single Clientobtaining all resources blocking valid Clientsfrom accessing the Server. For example, on a Serverin which only 10 Sessionsare available a malicious person using a legitimate Client, might obtain all 10 Sessions. Or a malicious Clientmight try to open 10 secure channels, without actually completing the process.

Resource exhaustion attacks do not occur in the same manner for PubSubcommunications since no session or resources are allocated. For PubSubcommunication, the Publisheris not susceptible. In broker-less PubSubcommunication, the Subscribercan, with the use of filters, bypass any resource exhaustion issues. In broker case, both the Publisherand Subscribermust connect to the broker. Although the Publisherand Subscriberare not directly susceptible (as in the broker-less case), the broker is susceptible. The details for broker communication is not part of OPC UA but is defined by the broker protocol.

An attacker can send special message that will cause an application to crash. This is usually the result of a known problem in a stack or application. These system bugs can allow a Clientto issue a command that would cause the Serverto crash, as an alternate it might be a Serverthat can respond to a legitimate message with a response that would cause the Clientto crash. The attacker could also be a Publisherthat issues a Messagethat would cause Subscribersto crash.