This is a personal project I worked on to get a deeper understanding of how OT protocols work. As a cybersecurity analyst, I'm interested in knowing how they operate in order to detect threats and configure detection rules. If you're in the same situation, I hope this project helps you as much as it helped me. In this repository, I present the scripts and how to use them, along with a brief explanation.
- OPC UA
$ pip install opcua$ python server.py$ python client.pyThe client will connect to the OPC server using credentials. It reads nodes and tries to write to them. Note that it will show a write error — this is because the user does not have write permissions on the node. This is intentional, to show that you can harden your nodes by removing write permissions (if necessary). Do not close this execution, as we will run the attacker script and observe the changes.
$ python attacker.pyThe attacker script will write to the RogueTemp node. Check the client script to see how RogueTemp has changed.
You can observe a bunch of interesting traffic you can monitor as an analyst:
Use this traffic to detect possible OPC Scanners
You could use it if you want to monitor if there is a response by the server. Maybe useful if you correlate Hello messages with Acknowledge messages.
You want to know if there are uncontrolled and malicious devices on your OT network. Create alerts if you see writerequests from those uncontrolled devices on the net.
Do you want to prevent the attacker from writing to the RogueTemp node? I challenge you to try it! Edit server.py and look for the line of code you need to modify.
Spoiler warning
[...]
# Enable writing permissions
#control_node.set_writable()
# Comment the following line:
#rogue_node.set_writable()
[...] Rerun server.py and attacker.py to see if your hardening was successful