Dataset to "Easing the Conscience with OPC UA: An Internet-Wide Study on Insecure Deployments"

This is the dataset to "Easing the Conscience with OPC UA: An Internet-Wide Study on Insecure Deployments" [In ACM Internet Measurement Conference (IMC ’20)]. It contains our weekly scanning results between 2020-02-09 and 2020-08-31 complied using our zgrab2 extensions, i.e, it contains an Internet-wide view on OPC UA deployments and their security configurations. To compile the dataset, we anonymized the output of zgrab2, i.e., we removed host and network identifiers from that dataset. More precisely, we mapped all IP addresses, fully qualified hostnames, and autonomous system IDs to numbers as well as removed certificates containing any identifiers. See the README file for more information. Using this dataset we showed that 93% of Internet-facing OPC UA deployments have problematic security configurations, e.g., missing access control (on 24% of hosts), disabled security functionality (24%), or use of deprecated cryptographic primitives (25%). Furthermore, we discover several hundred devices in multiple autonomous systems sharing the same security certificate, opening the door for impersonation attacks. Overall, with the analysis of this dataset we underpinned that secure protocols, in general, are no guarantee for secure deployments if they need to be configured correctly following regularly updated guidelines that account for basic primitives losing their security promises.

本数据集配套论文《借助开放平台通信统一架构（OPC UA）消解部署安全顾虑：面向全球互联网的不安全部署调研》[发表于ACM互联网测量大会（IMC ’20）]。本数据集收录了2020年2月9日至2020年8月31日期间的每周扫描结果，这些数据通过我们开发的zgrab2扩展工具生成，涵盖了全球互联网范围内的OPC UA部署情况及其安全配置信息。为构建本数据集，我们对zgrab2的扫描结果进行了匿名化处理，即移除了数据中的主机与网络标识符。更具体地说，我们将所有IP地址、完全限定主机名以及自治系统编号映射为数字，并删除了包含任何标识符的数字证书。更多细节请参阅README文件。基于本数据集的分析显示，93%的面向互联网的OPC UA部署存在安全配置缺陷，例如24%的主机缺失访问控制机制、24%的部署禁用了安全功能，或是25%的部署使用了已弃用的加密原语。此外，我们在多个自治系统中发现了数百台共享同一安全证书的设备，这为身份冒充攻击埋下了隐患。总体而言，通过对本数据集的分析，我们证实了如下结论：一般而言，安全协议本身并不能确保部署安全，唯有按照定期更新的指导规范进行正确配置方可实现——而此类规范需考虑到基础加密原语可能会丧失安全保障能力这一情况。