The headline on this blog is hardly shocking, but software quality does not get enough attention in the control system community. We now have three strong data points that show all OPC servers are not created equal.
1. The latest is Landon’s work to verify configuration recommendations in Part III of the OPC Security whitepaper series. Specifically setting the DCOM endpoint configuration and port restrictions to allow minimal ports through a firewall or ACL. Only three of the six tested OPC servers bothered to check the DCOM configuration. Note this is not a vulnerability that would lead to the loss of availability, integrity or confidentiality. Not all bugs lead to vulnerabilities.
2. Lluis Mora of Neutralbit (Barcelona, Spain) ran 24 test cases that would identify bugs likely to lead to vulnerabilities on 75 OPC servers. He found approximately 33% failed one or more test cases. He submitted 25 to US-CERT and a few have been published. The lack of the more advisories points to vendors not patching problems identified in January 2007. You would want a vendor that either survived the testing or was responsive in fixing software quality problems with security ramifications. An overview of his testing is blogged, and a great paper is available in the S4 Proceedings.
3. Ralph Langner of Langner Communications (Hamburg, Germany) presented at S4 serious differences in the handling of resource exhaustion attacks such as resources exhaustion through client connections, memory exhaustion through group names,
and CPU overload through new client threads.
It is not surprising that software quality varies since we are dealing with human beings coding under different, if any, security development lifecycle policies and procedures. That said, the OPC Foundation’s Product Certification appears to be the one and only software quality factor considered in a purchase. This certification is useful for positive testing and interoperability, but it would only be a minimum requirement for consideration in any product selection criteria Digital Bond ran in one of our architecture or RFI/RFP engagements.
The results from recent Landon’s testing were interesting. Not only did some products ignore DCOM settings, some of the better products allowed DCOM security to be configured during the installation process. We have not done a rigorous product comparison to make public recommendations, but based on what we know now there would be some vendors we would stay away from and others we would look to based on the three data points if forced to make a quick decision.
Our conclusion is it is worth taking some time selecting your OPC vendor – – admittedly limited data points to serious software quality problems in many implementations.