The OPC Foundation has said security vulnerabilities found by Kaspersky Labs in its OPC-UA framework, designed for secure data transfer between clients and servers in industrial systems, were in fact discovered in outdated versions of the OPC UA protocol.
Reviewing the Kaspersky Labs findings, from earlier this month, which claimed 17 zero-day vulnerabilities in certain implementations of OPC-UA, the OPC Foundation said the faults affected older versions of the industrial protocol.
Most had already been fixed or could not be exploited remotely. A CVE has already been issued in each of two further cases, it said, related to third-party products using the OPC UA stack; a fix is being worked on for another vendor-specific issue.
In a wide review, the OPC Foundation re-stated that the OPC UA software market includes multiple commercial SDK vendors offering “well tested and well documented” products, and that most OPC UA products are based on these commercial OPC UA toolkits and remain unaffected by the issues raised by Kaspersky Labs.
“The broad adoption of OPC UA on a global basis reflects the market’s deep need for secure, open data connectivity and interoperability in manufacturing and beyond,” the OPC Foundation said in a statement.
“Fortunately, this means that the OPC UA standard and its various open-source implementations are continuously subjected to close scrutiny by many in the large and active OPC UA community; something the OPC Foundation openly welcomes as this only makes the open-source implementations better.”
Kaspersky Labs had said code design flaws in both the OPC Foundation’s own applications and third-party applications using the OPC-UA stack had left many open to denial-of-service and remote code execution attacks.
Meanwhile, Rockwell Automation, part of a band of automation specialists seeking to establish a new OPC-UA variant that introduces time-sensitive networking (TSN) to industrial connectivity, has said companies can now take advantage of the OPC UA standard in its products.
Rockwell Automation is offering OPC UA support via its FactoryTalk Linx software, which allows data to be exchanged between Rockwell Automation and third-party products.
“Rockwell Automation helped develop the OPC UA specification, so it’s only natural we bring OPC UA support to our portfolio,” said Ron Bliss, senior product manager for communications software at Rockwell Automation.
“The FactoryTalk Linx software helps close communications gaps between industrial IoT devices, machines and software. This can help companies extend the reach of their Connected Enterprise and meet their smart manufacturing goals.”