OPC UA

Dr. Matthias Meyer, Dr. Uwe Pohlmann, Sven Merschjohann | Lukas Dehling

Securing systems right from the start

OPC UA already offers a high level of security. However, the security mechanisms must be configured correctly with regard to possible threats. 'Stride', a methodology developed by Microsoft for systematic security threat analysis, is suitable for this purpose.

© Fraunhofer IEM

The increasing networking and digitalization of industrial systems brings with it new challenges in terms of IT security. Trustworthy, secure handling of sensitive data such as product and production knowledge is just as necessary as protection against attacks on networked systems, as required not least by relevant standards such as IEC 62443 "Industrial communication networks - IT security for networks and systems". In order to counteract potential damage, the security of information technology (IT) and operational technology (OT) must be guaranteed not only during operation, but also throughout the entire development process of a system and its software. It is therefore important - and also required by IEC 62443 - to analyze threats to the system as early as possible in the development process and to counteract them with suitable design decisions.

The use of OPC UA is ideal for networking industrial systems, especially at the threshold between OT and IT. OPC UA is more than just a communication protocol, as it also describes data models and interaction concepts and offers a manufacturer-independent standard that can considerably simplify the networking of individual components. OPC UA also offers information models that describe the properties, capabilities and access rights of machines and systems in a type-safe and semantically unambiguous manner. OPC UA was also developed from the outset with explicit consideration of IT security - i.e. secure by design. This was confirmed in a study commissioned by the German Federal Office for Information Security (BSI) under the leadership of TÜV SÜD Rail. However, OPC UA is not secure by default: The existing security mechanisms must be activated and OPC UA must be securely integrated into the respective application.


Clearly defined procedures

Figure 1: The impact of Microsoft's Security Development Lifecycle (SDL) on the IT security of its application software.

© Fraunhofer IEM

The use of clearly defined procedures for the secure development of software can drastically reduce the vulnerability to attack, as Microsoft has shown in a study on the use of its Security Development Lifecycle (SDL) (see Figure 1). The vulnerabilities in two products (Windows and SQL Server) were compared before and after the introduction of the SDL. In the case of SQL Server, a reduction in vulnerabilities of more than 90% was recorded. The early phases of the SDL provide for a systematic recording of possible threats, for example with Microsoft's 'Stride' method and the associated software tool. Stride supports the systematic, partially automated analysis of threats using a data flow model of the system.

SDL and Stride can be used not only for pure IT systems, but also for IT/OT systems. To reduce the effort involved, the methods can be adapted to the specifics of OT systems. This is exactly what Fraunhofer IEM did for the threat analysis with Stride and OPC UA: Using an extension mechanism of Stride, specific threats for OPC UA were added for automatic consideration, which were evaluated using a secure and an insecurely configured OPC UA connection. The Stride method and the extension created are presented below.

The 'Stride' methodology

The Stride method developed by Microsoft offers a systematic procedure for analyzing threats to a system. The classic three protection goals - confidentiality, integrity and availability - are extended by three further protection goals, the so-called 'Triple A': authentication, authorization and accountability. Each of these six protection goals is matched by one of the threat categories that make up the acronym Stride: spoofing (faking the identity of another person), tampering (manipulating data), repudiation (denying that a certain person has carried out an action), information disclosure (disclosing information), denial of service (making the system unusable for legitimate users), elevation of privilege (extending existing rights).

Figure 2: Data flow diagram in the Microsoft Threat Modeling Tool.

© Fraunhofer IEM

There are two options for applying Stride in threat analysis: 'Stride per element' and 'Stride per interaction'. In the first case, the individual elements of a system are analyzed using the threat categories, whereas in the second case the analysis is based on the interactions between the elements of a system.

Microsoft has developed the 'Threat Modeling Tool' to support this methodology. It can be used for an early threat analysis of the system to be developed. The first step is to create a model of the system consisting of components and data flows. This model is the data flow diagram (DFD) - shown as an example in Figure 2. A DFD consists of external entities (other systems that interact with your own, such as the human user), processes (components of your own system, such as the OPC UA client), data flows (interactions between the elements of the DFD, such as OPC UA communication between the OPC UA client and server) and data stores (databases, files or other storage areas). In addition, so-called trust boundaries are integrated into the DFD - such as the Internet Boundary. These are essential for the actual task of the tool, which is to automatically generate the threats that apply to the currently modeled system.

The greatest threats arise in the case of communication across trust boundaries, as in this case the communication path cannot be trusted and there is therefore an increased probability of an attack. For example, an attacker could read the communication in the case of unencrypted transmission via HTTP and OPC UA Secure Channel 'None'. The threats generated by the tool are created on all communication paths between elements and therefore make it possible to ensure that these threats are not forgotten during the design phase.

As new threats are constantly being discovered and each technology is individually vulnerable, the Microsoft Threat Modeling Tool uses a customizable template that can be easily supplemented with additional threats. To do this, a corresponding descriptive text must be created for a threat, preferably with possible countermeasures. It is also crucial to use include and exclude conditions to define when a threat must be generated. This is an important mechanism for taking known threats into account in new system developments and implementing appropriate countermeasures. However, this template was previously lacking for OPC UA. The template now developed by Fraunhofer IEM is presented below.

The German Federal Office for Information Security (BSI) conducted a security analysis for OPC UA in 2015 under the leadership of TÜV SÜD Rail. OPC UA communication was systematically and specifically analyzed with regard to secure channel, session and discovery services. The specification analysis did not reveal any systematic errors and thus showed that OPC UA offers a high level of security in contrast to many other industrial protocols. However, these security mechanisms must also be configured correctly with regard to possible threats.

Dangers of OPC UA communication

The greatest danger for any communication is that confidential data is read and thus information is disclosed, or that the integrity of the data sent cannot be guaranteed and thus information is changed, manipulated or falsified and reaches the recipient unnoticed. Further dangers in communication using OPC UA are that authenticity is concealed or unauthorized operations such as "writing data" or "deleting data" are carried out. Ultimately, there is a risk that the configuration of an OPC UA server or its information model will be changed so that, for example, access to master data or historical data is no longer possible.

To model the OPC UA processes, Fraunhofer IEM has created an OPC UA Stride Template in the 'Microsoft Threat Modeling Tool'. So-called 'stencils' represent processes such as OPC UA servers and clients or data flows such as an OPC UA communication relationship. Each of these OPC UA-specific stencils has OPC UA-relevant security configuration settings. The stencils are used to model and configure a system. Depending on the system model, a threat analysis can be performed automatically. This analysis relates to the stencils used and their properties. In order to automatically analyze OPC UA-specific threats and generate a report, the second step was to model threats based on the stencils and their properties in the Stride template. The threats were sorted into the corresponding threat categories according to Stride.
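The two mechanisms described above - threats with description and countermeasure that are generated by include and exclude conditions, and stencils whose OPC UA security properties drive that generation - can be illustrated with a small Stride-per-interaction rule evaluation. This is an added example, not the Fraunhofer IEM template or the Microsoft Threat Modeling Tool's format; the property names, rule texts and the two constructed connection configurations are assumptions for illustration only.

```python
"""Toy Stride-per-interaction evaluation over one OPC UA data flow.

Illustrative model only: property names, rule texts and the sample
configurations are constructed for this example and are not the schema of
the Microsoft Threat Modeling Tool template or the Fraunhofer IEM stencils.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class OpcUaFlow:
    """A data flow stencil with the OPC UA security settings relevant to the rules."""
    name: str
    security_policy: str         # e.g. "None", "Basic256Sha256"
    message_security_mode: str   # "None", "Sign" or "SignAndEncrypt"
    user_token: str              # "Anonymous", "UserName" or "Certificate"
    crosses_trust_boundary: bool

@dataclass
class Rule:
    """A threat: Stride category, text, include/exclude conditions, countermeasure."""
    category: str
    title: str
    include: Callable[[OpcUaFlow], bool]
    exclude: Callable[[OpcUaFlow], bool]
    mitigation: str

RULES = [
    Rule("I", "Unencrypted OPC UA traffic can be read on the wire",
         lambda f: f.message_security_mode != "SignAndEncrypt",
         lambda f: not f.crosses_trust_boundary,   # inside one trust zone: not generated
         "Use MessageSecurityMode SignAndEncrypt with a current SecurityPolicy"),
    Rule("T", "Unsigned messages can be altered in transit",
         lambda f: f.message_security_mode == "None", lambda f: False,
         "Require at least MessageSecurityMode Sign"),
    Rule("S", "Anonymous user token allows unauthenticated sessions",
         lambda f: f.user_token == "Anonymous", lambda f: False,
         "Require UserName or X.509 certificate user tokens"),
    Rule("I", "SecurityPolicy None disables secure channel protection",
         lambda f: f.security_policy == "None", lambda f: False,
         "Disable the SecurityPolicy None endpoint on the server"),
]

def analyze(flow: OpcUaFlow) -> List[Tuple[str, str, str]]:
    """Generate (category, title, mitigation) for every rule whose include
    condition holds and whose exclude condition does not."""
    return [(r.category, r.title, r.mitigation)
            for r in RULES if r.include(flow) and not r.exclude(flow)]

# Constructed sample flows: an insecurely and a securely configured connection
INSECURE = OpcUaFlow("Client->Server", "None", "None", "Anonymous", True)
SECURE = OpcUaFlow("Client->Server", "Basic256Sha256", "SignAndEncrypt", "Certificate", True)

if __name__ == "__main__":
    for flow in (INSECURE, SECURE):
        threats = analyze(flow)
        print(f"{flow.name}: {len(threats)} threat(s) generated")
        for cat, title, mitigation in threats:
            print(f"  [{cat}] {title} -> {mitigation}")
```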

In summary, the use of a template for the 'Microsoft Threat Modeling Tool', which deals with the specific threats for OPC UA, means an increase in security in the use of OPC UA. The automated consideration of OPC UA-specific threats reduces manual work in a threat analysis prescribed by IEC 62443 and ensures that possible threats are not forgotten.

Increased security

In this way, the systems will become more secure in terms of IT security in the future, which will ultimately also make them more secure in terms of operational security. Another advantage of the automated generation of typical threats in connection with OPC UA is that all companies that do not have their own department for IT security experts are able to have possible vulnerabilities for their system displayed directly and easily.

Direct use of the template is just one way of benefiting from the knowledge provided. Other options are to use this template as a starting point for your own template or to supplement and further develop the knowledge of OPC UA-specific threats in existing templates. This is because further development contributes to the improvement of subsequent threat analyses, which in turn is in line with process improvement in accordance with IEC 62443.

By further disseminating threat analyses and highlighting possible countermeasures - such as the use of authentication or secure configurations early on in the development process - these countermeasures can be planned and implemented in good time. In many cases, however, a subsequent correction when a vulnerability in the product becomes known involves a great deal of effort and therefore costs. To prevent this, this template provides the OPC UA-specific threats for automatic generation in the threat analysis and thus ensures the cost-effective implementation of countermeasures. As a result, future OPC UA-enabled products can be made more secure, which ultimately also serves to ensure operational security.

Authors:
Dr. Matthias Meyer is head of the Software Engineering and IT Security department at Fraunhofer IEM;
Dr. Uwe Pohlmann is a research associate at Fraunhofer IEM;
Sven Merschjohann is a research associate at Fraunhofer IEM.
