Security in OPC Unified Architecture (UA) Dick Oyen IndustrialSysDev, Inc.

Slides:



Advertisements
Similar presentations
Technical Presentation AIAC Group 11. System Rationale System Architecture Secure Channel Establishment Username/Password Cartão Cidadão Digital.
Advertisements

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Accessing PI System using OPC Unified Architecture
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
WS-Security TC Christopher Kaler Kelvin Lawrence.
Core Web Service Security Patterns
Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.
Web services security I
Prashanth Kumar Muthoju
Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
CSCI 6962: Server-side Design and Programming
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
September, 2005What IHE Delivers 1 G. Claeys, Agfa Healthcare Audit Trail and Node Authentication.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.
Network Security Essentials Chapter 5
Web305 Security Practices for Web Services (Part 1) : Now I Understand Eric Schmidt Technical Evangelist Platform Strategy & Partner Group Microsoft Corporation.
Secure Systems Research Group - FAU Patterns for Web Services Security Standards Presented by Keiko Hashizume.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
Security in Skype Prepared by Prithula Dhungel. Security in Skype2 The Skype Service P2P based VoIP software Founded by the founders of Kazaa Can be downloaded.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
 A Web service is a method of communication between two electronic devices over World Wide Web.
SWEB SWEB Security and Privacy Technologies – Implementation Aspects Venue:SWEB Day in APV, Novi Sad Author(s):Dr. Milan Marković Organisations:MISANU.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
Security, Accounting, and Assurance Mahdi N. Bojnordi 2004
Security CNS 4650 Fall 2004 Rev. 2 SSL, SASL, PKI.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session.
Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.
Deconstructing API Security
Web Services Security Patterns Alex Mackman CM Group Ltd
Andrew J. Hewatt, Gayatri Swamynathan and Michael T. Wen Department of Computer Science, UC-Santa Barbara A Case Study of the WS-Security Framework.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
Web Services Security Mike Shaw Architectural Engineer.
Web Services Security with WSE 2.0 Muhammad Saqib Ilyas
Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.
Cryptography CSS 329 Lecture 13:SSL.
Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke1 Database architecture and security Workshop 4.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
The Secure Sockets Layer (SSL) Protocol
Computer Communication & Networks
Secure Sockets Layer (SSL)
REST/SOAP Security A Brief Introduction.
Security & .NET 12/1/2018.
The Secure Sockets Layer (SSL) Protocol
Presentation transcript:

Security in OPC Unified Architecture (UA) Dick Oyen IndustrialSysDev, Inc.

Introducing Myself Dick Oyen, IndustrialSysDev, Inc. Editor of the Security part of OPC UA ISA SP99 contributor Developed control systems as a Sr R&D Engineer with ABB and Bailey Controls since 1977 Started IndustrialSysDev in Sept 2006

Who are you in the audience? You … 1.have heard of OPC? 2.know that UA replaces DA, AE, HDA? 3.know something about SSL/TLS or PKI?

Topics What OPC UA is Security objectives OPC UA security architecture UA meets the objectives

Topics  What OPC UA is Security objectives OPC UA security architecture UA meets the objectives

OPC until Now A client-server standard for communicating process information Until now, an object model based on COM –uses DCOM Three parallel standards –OPC DA –OPC AE –OPC HDA

Starting now; OPC UA “Unified Architecture” Unifies the three OPC standards Web Services based –Move to improved and current base standard –To be system-independent Now being prototyped

Topics What OPC UA is  Security objectives OPC UA security architecture UA meets the objectives  What OPC UA is Security objectives OPC UA security architecture UA meets the objectives

Security Requirements Site Requirements UA-Certified Product console network device OPC UA Certification Security

Site Requirements Could include: Policy Procedures Physical boundaries Network zones Access control Malware countermeasures

OPC UA Product Requirements OPC UA certified products –must provide the OPC UA security functions OPC UA security functions –are optional at the site –support site requirements

OPC UA Security Objectives Authentication Authorization Confidentiality Integrity Auditability Availability

Authentication UA Server console network UPC UA SecurityObjectives Authentication Authorization Confidentiality Integrity Auditability Availability AuthN user UA Client UnAuth N user UnAuthN UA Client

Authorization UA Server console network UPC UA SecurityObjectives Authentication Authorization Confidentiality Integrity Auditability Availability AuthZ user UA Client UnAuth Z user UnAuthZ UA Client

Confidentiality UA Server console network UPC UA SecurityObjectives Authentication Authorization Confidentiality Integrity Auditability Availability AuthZ user UA Client Eavesdropper

Integrity UA Server console network UPC UA SecurityObjectives Authentication Authorization Confidentiality Integrity Auditability Availability AuthZ user UA Client Hacker

Auditability UA Server console network UPC UA SecurityObjectives Authentication Authorization Confidentiality Integrity Auditability Availability AuthZ user UA Client Hacker UnAuth N user UnAuth Z user Ugly

Availability UA Server console network UPC UA SecurityObjectives Authentication Authorization Confidentiality Integrity Auditability Availability AuthZ user UA Client HackerMalware

Topics What OPC UA is Security objectives  OPC UA security architecture UA meets the objectives What OPC UA is  Security objectives OPC UA security architecture UA meets the objectives

OPC UA Security Architecture

Objectives met by Layers Layer AppCommTrans Confidentiality x Integrity x App AuthN x User AuthN x Authorization x Auditability x Availability x

Layer AppCommTrans Confidentiality x Integrity x App AuthN x User AuthN x Authorization x Auditability x Availability x Communication Layer Security

Layer AppCommTrans Confidentiality x Integrity x App AuthN x User AuthN x Authorization x Auditability x Availability x XML Web Services Mapping Mappings: XML WS UA Native

XML Web Services Stack

WS-Security Specifies a SOAP header with info on –Authentication using any of Username/password Kerberos X.509 –Signature XML Signature –Encryption XML Encryption

WS-Trust Validate credentials Request and issue security tokens

WS-SecureConversation Security context establishment and sharing Session key derivation

Layer AppCommTrans Confidentiality x Integrity x App AuthN x User AuthN x Authorization x Auditability x Availability x UA Native Mapping Mappings: XML WS UA Native

UA Native Mapping UA Native Mapping available when WS is not (controllers, etc.) The product supplier develops the implementations of these layers Manages secure channel

App Authentication – UA Native Application X.509 Certificates are exchanged when the secure channel is established

Integrity – UA Native No messages altered –sign the messages HMAC or RSA encryption SHA1 hash –change the key periodically Message sequence not altered –Nonce –Time stamp

Confidentiality – UA Native Options –Encrypt only channel management –Encrypt all messages Encryption –AES if symmetric –RSA if asymmetric

Layer AppCommTrans Confidentiality x Integrity x App AuthN x User AuthN x Authorization x Auditability x Availability x Application Layer Security Mappings: XML WS UA Native

User Authentication OPC UA defines optional user security token types –X.509 –Username / password Server application can validate the user’s token

User Authorization Application product developer –specifies user authorization scheme –implements scheme in client application

Auditing All security events are recorded Traceable through intermediate nodes For interoperability –Minimum required set of logged parameters

Availability Depends primarily on the Site for protection Minimum processing before authentication

Topics What OPC UA is Security objectives OPC UA security architecture  UA meets the objectives What OPC UA is Security objectives  OPC UA security architecture UA meets the objectives

UA meets Objectives Authentication –Certificates –Challenge-response Authorization –Implemented per product Confidentiality –Encryption Integrity –Changing keys Auditability –Traceable log entries Availability –Minimal processing before AuthN

Further Info Tom Burke presentation at 2:00 today –Articles for non-members –UA specifications for members