A Framework for Network Intrusion Detection on Open Platform Communications Unified Architecture

Open Platform Communications Unified Architecture (OPC UA) is a Machine to Machine (M2M) communication standard, first released in 2008 as the evolution of OPC, created for Industrial Control Systems (ICS) and Internet of Things (IoT) programming. It was designed to create an abstract model on which any information exchange in form of structured data can be implemented. Industry and state actors use it to control factories and plants thus putting OPC UA dependent software in a critical security position. In December 2015, the German Federal Office for Information Security proved that an official reference implementation of OPC UA contained security flaws in the code that could compromise, if exploited, industrial machineries and other dependent systems [49]. Cyber attacks in ICS may be extremely expensive because of the critical processes which they aim to stop. This thesis proposes a Network Intrusion Detection System (NIDS) based solution to monitor malicious computer attacks on OPC UA. This work develops a plug-in for the dynamic Bro NIDS to support OPC UA based protocols, therefore it creates an Application Programming Interface (API) that can be used to write Turing complete security policies in the Bro language. Furthermore, policy scripts have been implemented to detect the exploitation of flaws and standard inconsistencies found in the analysis [49]. In addition, the parser is also able to detect malformed packets, also sources of attacks in general and those identified in [49]. The result has been tested and evaluated in efficiency, security and standard coverage terms. The aim of this project is to suggest the use of an additional tool that might be used by Computer Emergency Response Teams (CERTs) to investigate any attack and in order to safeguard OPC UA dependent machines.