Easing the Conscience with OPC UA: An Internet-Wide Study on Insecure Deployments
release_q2xgtdoa35crhouedru5bfhfje
by
Markus Dahlmanns, Johannes Lohmöller, Ina Berenice Fink, Jan Pennekamp, Klaus Wehrle, Martin Henze
2020
Abstract
Due to increasing digitalization, formerly isolated industrial networks,
e.g., for factory and process automation, move closer and closer to the
Internet, mandating secure communication. However, securely setting up OPC UA,
the prime candidate for secure industrial communication, is challenging due to
a large variety of insecure options. To study whether Internet-facing OPC UA
appliances are configured securely, we actively scan the IPv4 address space for
publicly reachable OPC UA systems and assess the security of their
configurations. We observe problematic security configurations such as missing
access control (on 24% of hosts), disabled security functionality (24%), or use
of deprecated cryptographic primitives (25%) on in total 92% of the reachable
deployments. Furthermore, we discover several hundred devices in multiple
autonomous systems sharing the same security certificate, opening the door for
impersonation attacks. Overall, in this paper, we highlight commonly found
security misconfigurations and underline the importance of appropriate
configuration for security-featuring protocols.
In text/plain
format
Archived Files and Locations
application/pdf 1.0 MB
file_l4vghsqg7zgm7bnafqdlaywn7u
|
arxiv.org (repository) web.archive.org (webarchive) |
2010.13539v1
access all versions, variants, and formats of this works (eg, pre-prints)