Paessler Blog - All about IT, Monitoring, and PRTG

4 ways to protect your OPC UA environment right now

Written by Shaun Behrens | Jun 9, 2022

OPC UA is a widely adopted standard in industrial environments. Despite this, there are still problems with its security. This was clearly demonstrated in April 2022 when two hackers at Pwn2Own (a hacker conference that offers prizes to contestants who can breach Industrial Control Systems) gained access to software that runs many of the world’s power grids. And of course, if two ethical security hackers can get this kind of access to critical services within two days, then so can foreign intelligence agencies.

To further drive the point home in the same month, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint alert with the US Department of Energy, National Security Agency, and the FBI: they had identified tools that presented an advanced persistent threat to OPC UA servers. I’ll take a look at the danger to OPC UA servers highlighted by the Pwn2Own hack and the CISA alert, and then I’ll go into four actions you can take right now to protect your OPC UA environment.

Gaining access to OPC UA servers through brute force

Here’s how the CISA alert, called “APT cyber tools targeting ICS/SCADA devices”, describes the threat:

“The APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.”

Cybersecurity and Infrastructure Security Agency (CISA)

To be fair, this problem is not an OPC UA vulnerability; rather, inadequate implementation results in security holes that attackers can exploit. This is how the hackers at Pwn2Own accessed the power system: they were able to enter the network and then gained access through brute force. What the CISA found – and what the alert is about – are specific tools that attempt to do exactly this.

If attackers succeed with these tools (or similar ones), they can get crucial operational data from the infrastructure or, worst case scenario, can make changes to the system. An external actor with this kind of OPC UA access can have disastrous consequences, and can even present a national security risk.

How to mitigate the risk to OPC UA

The CISA alert offers some actions that you can take to make your OPC UA environment more secure. I’ll go into those, and I’ll add some suggestions from our monitoring experts here at Paessler.

1. Isolate ICS/SCADA systems and networks from corporate and internet networks

Although not directly related to OPC UA, this does minimize the possibility of external actors having access to the ICS networks and systems in the first place. The Utopian ideal would be to have a completely air-gapped ICS network, but in reality, this is almost never possible. Instead, keeping close control on communication “entering or leaving ICS/SCADA perimeters” is what the CISA alert recommends.

A good practice here would be to closely monitor the firewalls on the border between the different networks to ensure you know what traffic is going into and out of the network, and to watch for any unusual activity (like spikes in bandwidth usage that can’t be explained).

2. Configure OPC UA security

CISA recommends that OPC UA security is configured correctly. This includes making sure there is application authentication in place and that explicit trust lists are used. Refer to the OPC Foundation’s practical security guidelines for building OPC UA applications for their recommendations. 

3. Monitor your OPC UA server’s diagnostic summary

This one’s a recommendation from our experts at Paessler. Brute force attempts tend to exhibit certain hallmarks, such as a spike in the number of session attempts, or in the number of OPC UA requests. It stands to reason that you should watch these two aspects of your OPC UA environment.

OPC UA servers can be configured to track diagnostics information. If this is turned on, you can monitor certain counts that could indicate a brute force attempt to gain access. This includes rejected sessions and rejected requests counts

You can use a monitoring tool that has OPC UA functionality (like our Paessler PRTG products) to watch these two metrics and to trigger an alert when rejected session or request counts spike abnormally.

4. Keep an eye on your OPC UA certificates

OPC UA certificates are a critical part of the security concept, and they need to be monitored carefully to ensure that they’re valid and that they don’t expire unexpectedly. Here, too, a monitoring tool with OPC UA functionality can play an important role. 

To see an example of how OPC UA certificate monitoring works, take a look at this OPC UA certificate monitoring tutorial.

Monitoring is an important part of network security

Monitoring is key to maintaining a secure network. It not only identifies activity that might indicate suspicious activity, but also can trigger alerts so that you know about it right away. Even the CISA report recommends using a monitoring solution to log and trigger alerts on malicious indicators and behaviors.

Paessler PRTG monitoring software lets you monitor your OT environment using standards and protocols like OPC UA, Modbus, SNMP, and more. Even better, it lets you combine your OT, IIoT, and IT monitoring data into one overview. Find out more about its uses in industrial infrastructure.

 

Do you have any tips of your own for improving the security of OPC UA? Share your knowledge in the comments below!