I saw an article today talking about exploits specifically targeting Omron and Schneider Electric, but more generally targeting Codesys and OPC-UA.
Inductive, when you get a little more grasp on this situation, could you respond to potential vulnerability and mitigation strategies for the OPC-UA portion of this ICS hacking software?
It looks like a brute force OPC-UA attack, so perhaps if our OPC-UA connections are all using certificates and not usernames/passwords we will be less susceptible to the attacks.
Thanks for any feedback, and I'm also curious about other users' thoughts regarding this new ICS hacking suite.
Ignition 8 is safe in its default configuration, which doesn’t allow unsecured connections, so there’s no possibility for an attacker to even attempt to establish a session unless you go in and trust the certificate.
Beyond that, you can and certainly should change the default credentials used by the server’s default user profile. If you’re still using 7.9 or prior then changing the credentials should be very high priority if your server may be accessible to an adversary, as it doesn’t have the same default security configuration nor does it have the OPC UA certificate validation and management facilities Ignition 8 does.
I should have included a link to the story in my original post. Thanks for adding that.
I guess what I was getting at was your thoughts about specific things to check in the system or potential security blunders which would put one at risk from this specific "swiss army knife".
It sounds like you don’t have any other recommendations aside from “make sure you don’t have user name and password OPC security validation enabled”. Is that correct?
What if one upgraded their system from 7.9 to v8.x? Would any of those 7.9 security configuration defaults or OPC UA certificate validation facilities be carried forward?
No, it's "make sure you change the default credentials".
Everyone should upgrade to 8.x regardless. 7.9 is currently in a courtesy extension to its original EOL of Dec 2021 that will last through June 2022.
If you upgrade from 7.9 to 8.x you'll get all the certificate management stuff I'm talking about. The only change you might want to make (aside from credentials if you haven't) is to disable access via the "None" SecurityPolicy, which I think will be allowed if you're doing an upgrade from 7.9 vs a fresh install of 8.x.
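A concrete way to check the two things this thread keeps coming back to (whether the "None" SecurityPolicy is still advertised, and which endpoints accept username/password rather than certificate logins) is to walk the server's endpoint list. The script below is an added example, not code from the thread or from Ignition; it works on hand-constructed endpoint records in the shape of what an OPC UA GetEndpoints call returns (endpoint URL, SecurityPolicyUri, MessageSecurityMode, user token types), so it runs offline. The server URL and the three sample endpoints are made up for illustration; feed live results from your OPC UA client library into `audit_endpoints()` the same way.

```python
"""Audit OPC UA endpoint descriptions for the weak settings discussed in this thread.

Added example, not code from the forum posts or from Ignition. Endpoint records are
constructed below in the shape of what an OPC UA GetEndpoints response carries.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Well-known OPC UA SecurityPolicy URIs.
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_BASIC128RSA15 = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"
POLICY_BASIC256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256"
POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
# Basic128Rsa15 and Basic256 are deprecated by the OPC UA spec (1.04) for weak primitives.
DEPRECATED_POLICIES = {POLICY_BASIC128RSA15, POLICY_BASIC256}


@dataclass
class Endpoint:
    url: str
    security_policy: str    # SecurityPolicyUri of the endpoint
    security_mode: str      # MessageSecurityMode: "None", "Sign" or "SignAndEncrypt"
    user_tokens: List[str]  # UserTokenPolicy types: "Anonymous", "UserName", "Certificate", "IssuedToken"


def audit_endpoint(ep: Endpoint) -> List[str]:
    """Return findings for one endpoint; an empty list means nothing was flagged."""
    findings = []
    unsecured = ep.security_policy == POLICY_NONE or ep.security_mode == "None"
    if unsecured:
        findings.append("unsecured channel (SecurityPolicy None): any client can open a session "
                        "without presenting a certificate the server trusts")
    elif ep.security_mode == "Sign":
        findings.append("Sign-only channel: messages are authenticated but not encrypted")
    if ep.security_policy in DEPRECATED_POLICIES:
        findings.append("deprecated SecurityPolicy " + ep.security_policy.rsplit("#", 1)[-1])
    if "Anonymous" in ep.user_tokens:
        findings.append("anonymous sessions allowed: no user authentication at all")
    if "UserName" in ep.user_tokens:
        if unsecured:
            findings.append("username/password accepted on an unsecured channel: anyone who can reach "
                            "the port can guess passwords online, and the password is protected on the "
                            "wire only by the UserTokenPolicy's own SecurityPolicyUri, if one is set")
        else:
            findings.append("username/password accepted: confirm the default account credentials "
                            "were changed")
    return findings


def audit_endpoints(endpoints: List[Endpoint]) -> List[Tuple[Endpoint, List[str]]]:
    """Audit every advertised endpoint and pair it with its findings."""
    return [(ep, audit_endpoint(ep)) for ep in endpoints]


# Constructed sample (hypothetical host). The first endpoint is the upgraded-from-7.9 case the
# reply above describes (SecurityPolicy None still reachable); the second is an encrypted
# endpoint that still takes username/password; the third accepts certificate logins only.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://opcua.example:4840", POLICY_NONE, "None", ["Anonymous", "UserName"]),
    Endpoint("opc.tcp://opcua.example:4840", POLICY_BASIC256SHA256, "SignAndEncrypt", ["UserName"]),
    Endpoint("opc.tcp://opcua.example:4840", POLICY_BASIC256SHA256, "SignAndEncrypt", ["Certificate"]),
]

if __name__ == "__main__":
    for ep, findings in audit_endpoints(SAMPLE_ENDPOINTS):
        policy = ep.security_policy.rsplit("#", 1)[-1]
        print(f"{ep.url} [{policy}/{ep.security_mode}] tokens={ep.user_tokens}")
        for f in findings or ["ok"]:
            print("  -", f)
```

The point of the split between the first two findings is the one made earlier in the thread: with "None" disabled, nobody gets as far as a session unless their certificate has been trusted, so brute-forcing a password never starts; with "None" still offered, the username/password policy is exposed to anyone who can reach the port, which is exactly the case to close after an upgrade from 7.9.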