Due to its popularity as an embedded protocol operating in devices across the industrial control systems (ICS) domain, the Claroty Research Team decided to analyze the Open Platform Communications (OPC) for security vulnerabilities and implementation issues. In a blog, they shared some details about a number of vulnerabilities that emerged from their intensive investigation of the protocol.

The OPC network protocol is the middleman of operational technology (OT) networks, ensuring operability between industrial control systems (ICS) and proprietary devices, such as programmable logic controllers (PLCs) responsible for the correct operation of field devices. Having standardized communication protocols such as OPC and its specifications (OPC DA, AE, HDA, XML DA, DX, and OPC UA) guarantees that management and oversight of devices and processes can happen from a centralized server, says researcher Uri Katz. 

Often, organizations that use vendors’ products built on OPC are exposed to attacks that could result in denial-of-service conditions on devices, remote code execution, and information leaks of sensitive device data.

In their analysis, the Claroty Research Team discovered vulnerabilities in Softing’s Industrial Automation OPC library, Kepware PTC’s ThingWorx Kepware Edge and KEPServerEX OPC servers, and Matrikon’s Matrikon OPC Tunneller.

These three products are integrated into many other vendors’ offerings as a third-party component, Katz says. For example, Softing’s OPC library is being used as a third-party OPC protocol stack by some vendors, and the KEPServerEX OPC Server is being used as an OEM shelf solution by other well-known vendors, including Rockwell Automation and GE, both of which have published advisories informing their users of these security issues. Katz notes that the research team believes these vulnerabilities may affect multiple other products sold by vendors across all ICS vertical markets.

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, says, “No surprises here with the latest news regarding vulnerabilities found in OPC software. Like all software, when security researchers focus and prioritize time, they will uncover software bugs and this time several critical security vulnerabilities have been discovered within a popular OPC software. This is a significant reminder that software is critical to the safety and security of Industrial Control Systems (ICS) and if a security in depth strategy is not in place then cybercriminals could abuse them.” 

Chris Morales, head of security analytics at Vectra notes that exploiting vulnerabilities is just one piece of a bigger puzzle and does not equate to an attack. "These vulnerabilities need to be assessed for risk of exploit based on environmental variable specific to an organization. Many systems are vulnerable, but not exploitable. Would exploiting these vulnerabilities require an already existing insider with access, or is it remotely executable? These environmental variables are far more important to an attacks success than the actual vulnerabilities themselves."

Morales adds, "As for how exploitable these are, I cannot really speak to the OT industry as I am not well versed in the protocols used there. Meaning I cannot quantify the severity of these findings. It sounds like the step of an attack, after an initial foothold is established and the attack has moved laterally to systems with direct line of sight to a the industrial control system. This means there would be a lot of activity within the IT environment prior to an OT system being discovered and targeted.”

For more of Claroty research and findings, please visit https://www.claroty.com/2021/01/25/blog-research-critical-flaws-in-opc-protocol/