The industrial protocol OPC UA is widely used by major vendors in modern industrial facilities, including in the manufacturing, oil and gas, pharmaceuticals and smart city sectors. This morning however, Kaspersky Lab announced that it had identified 17 zero-day vulnerabilities that could result crippling cyberattacks, including the ability to take over industrial processes.
The protocol – developed and released by the OPC Foundation in 2006 for secure data transmission between various systems on an industrial network – is installed by a growing number of industrial enterprises. It is used in automated process control, monitoring and telecontrol systems and the Industrial Internet of Things (IIoT).
They examined its open-source code (available on GitHub), including a sample sever, and discovered that current implementations of the protocol had code design and writing errors.
“Very often software developers put too much trust in industrial protocols, and implement the technology in their solutions without putting the product code through security checks. Vulnerabilities in the example used can affect complete product lines, so it’s highly important that vendors pay close attention to such widely available technologies”, Kaspersky Lab’s Sergey Temnikov said in a release.
Several additional flaws were found in commercial products built on the protocol, Kaspersky Lab added, saying that it had reported vulnerabilities to the developers and they had been fixed by the end of March 2018. The Romania-headquartered cybersecurity company recommended users conduct regular audits and penetration tests to discover vulnerabilities and isolate software development processes.
The finding comes just weeks after Tripwire’s survey found a massive 70 percent of IT and OT specialists in the energy sector were concerned that a successful cyberattack “could cause a catastrophic failure, such as an explosion.”
Last year multiple security groups published findings on malware built specifically to attack industrial equipment.
Stuxnet, uncovered in 2010 by Kaspersky Lab, caused substantial damage to Iran’s nuclear programme. Other such weapons have since followed fast.
Grid-hacking tool Industroyer, or Crash Override, was revealed by the security firmsESET and Dragos Inc in mid-2017 and is believed to have caused a blackout in Kiev at the end of 2016, following an attack on Ukrainian electric utility Ukrenergo.
Triton, discovered by the firm FireEye and Dragos meanwhile, was identified in late 2017and reported to be an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. (“It could prevent safety mechanisms from executing their intended function, resulting in a physical consequence”, FireEye said.)