Easing the Conscience with OPC UA

Dahlmanns, Markus; Lohmöller, Johannes; Fink, Ina Berenice; Pennekamp, Jan; Wehrle, Klaus; Henze, Martin

doi:10.1145/3419394.3423666

“…Since traditional industrial communication protocols, e.g., Modbus, were designed for communication in isolated environments, their design does not include any security mechanisms (Dahlmanns et al 2020). Furthermore, especially older embedded industrial devices often lack the computational resources to perform state-of-the-art cryptography operations, which becomes particularly problematic in the face of the upcoming shift toward post-quantum cryptography (Henze 2020).…”

Section: Network Securitymentioning

confidence: 99%

“…However, security analyses indicate that 42 % of all TLS-enabled industrial protocol deployments on the Internet, i.e., deployments which are reachable in the IPv4 address space, show security deficits (Dahlmanns et al 2022). Additionally, although OPC UA, the most promising modern industrial communication protocol, was designed with security in mind, research shows that 92 % of the Internetreachable OPC UA deployments are configured with security deficits (Dahlmanns et al 2020).…”

Section: Network Securitymentioning

confidence: 99%

Evolving the Digital Industrial Infrastructure for Production: Steps Taken and the Road Ahead

Pennekamp,

Belova,

Bergs

et al. 2023

Interdisciplinary Excellence Accelerator Series

Self Cite

1

0

View full text Add to dashboard Cite

The Internet of Production (IoP) leverages concepts such as digital shadows, data lakes, and a World Wide Lab (WWL) to advance today’s production. Consequently, it requires a technical infrastructure that can support the agile deployment of these concepts and corresponding high-level applications, which, e.g., demand the processing of massive data in motion and at rest. As such, key research aspects are the support for low-latency control loops, concepts on scalable data stream processing, deployable information security, and semantically rich and efficient long-term storage. In particular, such an infrastructure cannot continue to be limited to machines and sensors, but additionally needs to encompass networked environments: production cells, edge computing, and location-independent cloud infrastructures. Finally, in light of the envisioned WWL, i.e., the interconnection of production sites, the technical infrastructure must be advanced to support secure and privacy-preserving industrial collaboration. To evolve today’s production sites and lay the infrastructural foundation for the IoP, we identify five broad streams of research: (1) adapting data and stream processing to heterogeneous data from distributed sources, (2) ensuring data interoperability between systems and production sites, (3) exchanging and sharing data with different stakeholders, (4) network security approaches addressing the risks of increasing interconnectivity, and (5) security architectures to enable secure and privacy-preserving industrial collaboration. With our research, we evolve the underlying infrastructure from isolated, sparsely networked production sites toward an architecture that supports high-level applications and sophisticated digital shadows while facilitating the transition toward a WWL.

show abstract

“…For the IoT and IIoT, research revealed many deployments relying on vulnerable software [6,30,46] and communicating without any security mechanism [12,57,59,60,83], e.g., access control. Even with built-in security features, operators often configure such services insecurely [11]. For example, a massive reuse of certificates was traced back to a Docker image including certificates and corresponding private keys [12] jeopardizing the authenticity of numerous deployments.…”

Section: Related Workmentioning

confidence: 99%

“…Our search terms (which we elaborate in more detail in Appendix B) build two query groups (Table 1 (left)); Standard comprises mainstream communication protocol names [68] and frequently used technologies [74] for a wide analysis of images referencing current issues. For comparison and more focusing on a specific area, we choose the Industrial Internet of Things (IIoT) as past studies showed a great susceptibility to security faults [11,12,35,53,59,60], i.e., IIoT includes protocol names from this area.…”

Section: Retrieving Images From Docker Hubmentioning

confidence: 99%

“…(Industrial) IoT Context: We extend our analysis on images in the (Industrial) IoT context, as deployments in this area showed massive security deficits in past [11,12,35,53,59,60], in single cases traced back to security secret leakage via GitHub and Docker images [12]. As search terms, we take (Industrial) IoT protocol names that were subject to recent research [12].…”

Section: B Image Download From Docker Hubmentioning

confidence: 99%

See 1 more Smart Citation

Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact

Dahlmanns

¹

,

Sander

²

,

Decker

³

et al. 2023

Proceedings of the ACM Asia Conference on Computer and Communications Security

Self Cite

4

0

View full text Add to dashboard Cite

Containerization allows bundling applications and their dependencies into a single image. The containerization framework Docker eases the use of this concept and enables sharing images publicly, gaining high momentum. However, it can lead to users creating and sharing images that include private keys or API secrets-either by mistake or out of negligence. This leakage impairs the creator's security and that of everyone using the image. Yet, the extent of this practice and how to counteract it remains unclear.In this paper, we analyze 337,171 images from Docker Hub and 8,076 other private registries unveiling that 8.5 % of images indeed include secrets. Specifically, we find 52,107 private keys and 3,158 leaked API secrets, both opening a large attack surface, i.e., putting authentication and confidentiality of privacy-sensitive data at stake and even allow active attacks. We further document that those leaked keys are used in the wild: While we discovered 1,060 certificates relying on compromised keys being issued by public certificate authorities, based on further active Internet measurements, we find 275,269 TLS and SSH hosts using leaked private keys for authentication. To counteract this issue, we discuss how our methodology can be used to prevent secret leakage and reuse. CCS CONCEPTS• Security and privacy → Network security; Key management.

show abstract

Evolving the Digital Industrial Infrastructure for Production: Steps Taken and the Road Ahead

Pennekamp,

Belova,

Bergs

et al. 2023

Interdisciplinary Excellence Accelerator Series

1

0

View full text Add to dashboard Cite

The Internet of Production (IoP) leverages concepts such as digital shadows, data lakes, and a World Wide Lab (WWL) to advance today’s production. Consequently, it requires a technical infrastructure that can support the agile deployment of these concepts and corresponding high-level applications, which, e.g., demand the processing of massive data in motion and at rest. As such, key research aspects are the support for low-latency control loops, concepts on scalable data stream processing, deployable information security, and semantically rich and efficient long-term storage. In particular, such an infrastructure cannot continue to be limited to machines and sensors, but additionally needs to encompass networked environments: production cells, edge computing, and location-independent cloud infrastructures. Finally, in light of the envisioned WWL, i.e., the interconnection of production sites, the technical infrastructure must be advanced to support secure and privacy-preserving industrial collaboration. To evolve today’s production sites and lay the infrastructural foundation for the IoP, we identify five broad streams of research: (1) adapting data and stream processing to heterogeneous data from distributed sources, (2) ensuring data interoperability between systems and production sites, (3) exchanging and sharing data with different stakeholders, (4) network security approaches addressing the risks of increasing interconnectivity, and (5) security architectures to enable secure and privacy-preserving industrial collaboration. With our research, we evolve the underlying infrastructure from isolated, sparsely networked production sites toward an architecture that supports high-level applications and sophisticated digital shadows while facilitating the transition toward a WWL.

show abstract

Easing the Conscience with OPC UA

Cited by 29 publications

References 46 publications

Evolving the Digital Industrial Infrastructure for Production: Steps Taken and the Road Ahead

Evolving the Digital Industrial Infrastructure for Production: Steps Taken and the Road Ahead

Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact

Evolving the Digital Industrial Infrastructure for Production: Steps Taken and the Road Ahead

Contact Info

Product

Resources

About