Security in OPC Unified Architecture (UA) Dick Oyen IndustrialSysDev, Inc.
Introducing Myself – Dick Oyen, IndustrialSysDev, Inc. – Editor of the Security part of OPC UA – ISA SP99 contributor – Developed control systems as a Senior R&D Engineer with ABB and Bailey Controls since 1977 – Started IndustrialSysDev in Sept 2006
Who are you in the audience? You … 1. have heard of OPC? 2. know that UA replaces DA, AE, HDA? 3. know something about SSL/TLS or PKI?
Topics What OPC UA is Security objectives OPC UA security architecture UA meets the objectives
OPC until Now – A client-server standard for communicating process information – Until now, an object model based on COM, using DCOM for remote access – Three parallel standards: OPC DA (Data Access), OPC AE (Alarms & Events), OPC HDA (Historical Data Access)
Starting now: OPC UA, “Unified Architecture” – Unifies the three OPC standards – Web Services based: a move to an improved and current base standard, and to a system-independent design – Now being prototyped
Topics (next: Security objectives) – What OPC UA is – Security objectives – OPC UA security architecture – UA meets the objectives
Security Requirements – figure: the site's security requirements span console, network and device; a UA-Certified Product is what OPC UA Certification covers for security
Site Requirements Could include: Policy Procedures Physical boundaries Network zones Access control Malware countermeasures
OPC UA Product Requirements OPC UA certified products –must provide the OPC UA security functions OPC UA security functions –are optional at the site –support site requirements
OPC UA Security Objectives Authentication Authorization Confidentiality Integrity Auditability Availability
Authentication – figure: an authenticated (AuthN) user on an authenticated UA Client reaches the UA Server over the network; an unauthenticated user or an unauthenticated UA Client does not
Authorization – figure: an authorized (AuthZ) user on the UA Client reaches the UA Server; an unauthorized user or unauthorized UA Client is refused, even if authenticated
Confidentiality – figure: an eavesdropper on the network between the UA Client and the UA Server must not be able to read the traffic of the authorized user
Integrity – figure: a hacker on the network must not be able to alter the messages between the UA Client and the UA Server
Auditability – figure: what reaches the UA Server is recorded, whether it comes from the authorized user, a hacker, an unauthenticated user, an unauthorized user, or anything uglier
Availability – figure: hackers and malware on the network must not prevent the authorized user's UA Client from reaching the UA Server
Topics (next: OPC UA security architecture) – What OPC UA is – Security objectives – OPC UA security architecture – UA meets the objectives
OPC UA Security Architecture
Objectives met by Layers
Objective          App   Comm   Trans
Confidentiality           x
Integrity                 x
App AuthN                 x
User AuthN          x
Authorization       x
Auditability        x
Availability        x
Communication Layer Security – the layer that meets Confidentiality, Integrity and App AuthN
XML Web Services Mapping – one of the two mappings of the Communication Layer: XML WS, UA Native
XML Web Services Stack
WS-Security – Specifies a SOAP header carrying: – Authentication, using any of username/password, Kerberos, X.509 – Signature: XML Signature – Encryption: XML Encryption
WS-Trust Validate credentials Request and issue security tokens
WS-SecureConversation Security context establishment and sharing Session key derivation
UA Native Mapping – the other mapping of the Communication Layer: XML WS, UA Native
UA Native Mapping – Available when Web Services are not (controllers, etc.) – The product supplier develops the implementations of these layers – Manages the secure channel
App Authentication – UA Native Application X.509 Certificates are exchanged when the secure channel is established
Integrity – UA Native: No message altered – sign every message: HMAC (symmetric key) or RSA signature (asymmetric key) over a SHA-1 hash – change the signing key periodically. Message sequence not altered – nonce – time stamp. (SHA-1 reflects the draft of the time; later OPC UA security policies such as Basic256Sha256 use SHA-256.)
Confidentiality – UA Native: Options – encrypt only the channel management messages (secure channel establishment) – encrypt all messages. Encryption – AES with the symmetric channel keys – RSA with the peer certificate's key for the asymmetric channel-establishment messages
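The three UA Native slides above (certificate exchange, signed messages with changing keys, nonces and timestamps) describe one mechanism; the following is an added, simplified model of it, not code from the slides or from any OPC UA stack. Assumptions not on the slides: the two nonces exchanged at channel setup are expanded into directional signing keys with a TLS-style P_hash built on HMAC-SHA256, every message carries a sequence number and a timestamp, the MAC covers header plus body, and the request bodies and clock values are constructed. Real OPC UA (Part 6) has its own binary encoding and security policies; only the mechanism is shown.

```python
# Added example (not from the slides or from any OPC UA stack): a simplified
# model of the UA Native secure channel's integrity mechanisms. Assumptions not
# on the slides: keys come from the two nonces through a TLS-style P_hash on
# HMAC-SHA256, each message carries a sequence number plus a timestamp, and the
# MAC covers header and body. Request bodies and clock values are constructed.
import hashlib
import hmac
import os
import struct

MAC_LEN = 32                       # HMAC-SHA256 tag appended to every message
HEADER = struct.Struct(">IQ")      # sequence number (uint32), timestamp in ms (uint64)
MAX_SKEW_MS = 5_000                # constructed freshness window


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_hash: A(i) = HMAC(secret, A(i-1)); output += HMAC(secret, A(i) + seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_keys(client_nonce: bytes, server_nonce: bytes) -> dict:
    """Both endpoints derive both directional keys from the exchanged nonces.
    Client-to-server traffic uses the server nonce as secret and the client nonce
    as seed; server-to-client is the mirror image, so the two directions never
    share a key and a message cannot be reflected back to its sender."""
    return {"client": p_hash(server_nonce, client_nonce, 32),
            "server": p_hash(client_nonce, server_nonce, 32)}


class SignedChannel:
    """One direction of the channel. The sender numbers and MACs each message; the
    receiver checks the MAC first, then rejects replayed or reordered sequence
    numbers and stale timestamps. Each endpoint holds an instance with the same key."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 1      # sender state
        self.last_seen = 0     # receiver state

    def renew_key(self, key: bytes):
        """Periodic key change; numbering continues so old messages stay unreplayable."""
        self.key = key

    def protect(self, body: bytes, now_ms: int) -> bytes:
        header = HEADER.pack(self.next_seq, now_ms)
        self.next_seq += 1
        tag = hmac.new(self.key, header + body, hashlib.sha256).digest()
        return header + body + tag

    def verify(self, msg: bytes, now_ms: int) -> bytes:
        if len(msg) < HEADER.size + MAC_LEN:
            raise ValueError("truncated")
        header, body, tag = msg[:HEADER.size], msg[HEADER.size:-MAC_LEN], msg[-MAC_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad signature")        # checked before anything is parsed
        seq, stamped = HEADER.unpack(header)
        if seq <= self.last_seen:
            raise ValueError("replay or reorder")
        if abs(now_ms - stamped) > MAX_SKEW_MS:
            raise ValueError("stale timestamp")
        self.last_seen = seq
        return body


def _rejected(fn, *args):
    """Return the receiver's rejection reason, or None when it accepts."""
    try:
        fn(*args)
        return None
    except ValueError as e:
        return str(e)


def demo(now_ms: int = 1_168_862_400_000) -> dict:     # constructed clock value
    keys = derive_keys(os.urandom(32), os.urandom(32))
    client_tx, server_rx = SignedChannel(keys["client"]), SignedChannel(keys["client"])
    req = b"ReadRequest NodeId=ns=2;s=Pump3.Speed"          # constructed request body
    m1 = client_tx.protect(req, now_ms)
    r = {"accepted": server_rx.verify(m1, now_ms)}
    flipped = m1[:HEADER.size] + m1[HEADER.size:-MAC_LEN].replace(b"Read", b"Writ") + m1[-MAC_LEN:]
    r["tampered"] = _rejected(server_rx.verify, flipped, now_ms)
    r["replayed"] = _rejected(server_rx.verify, m1, now_ms)
    r["late"] = _rejected(server_rx.verify, client_tx.protect(req, now_ms), now_ms + 60_000)
    old_key_msg = client_tx.protect(req, now_ms)              # signed before the key change
    new_key = derive_keys(os.urandom(32), os.urandom(32))["client"]
    client_tx.renew_key(new_key)
    server_rx.renew_key(new_key)
    r["old_key"] = _rejected(server_rx.verify, old_key_msg, now_ms)
    r["after_renew"] = server_rx.verify(client_tx.protect(b"WriteRequest", now_ms), now_ms)
    return r
```

Two design points carry over to a real implementation: the MAC is checked before any field is parsed, so a forged header cannot drive the parser, and the sequence counter survives the key change, so a message captured under the old key fails twice (wrong key, old number) rather than once.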
Application Layer Security – the layer that meets User AuthN, Authorization, Auditability and Availability, above either Communication Layer mapping (XML WS, UA Native)
User Authentication OPC UA defines optional user security token types –X.509 –Username / password Server application can validate the user’s token
User Authorization Application product developer –specifies user authorization scheme –implements scheme in client application
Auditing All security events are recorded Traceable through intermediate nodes For interoperability –Minimum required set of logged parameters
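The User Authorization and Auditing slides above leave the authorization scheme to the product developer but require every security event to be recorded with a minimum set of parameters. The following added example (not code from the slides or from any OPC UA product) shows one such scheme, deny-by-default over an OPC UA-style address space, with an audit record for every decision. The rule model (role plus node-path prefix plus operations, most specific rule wins, deny beats allow), the node paths, the users and the audit fields are assumptions made here.

```python
# Added example (not from the slides or any OPC UA product): a deny-by-default
# authorization check over an OPC UA-style address space that writes an audit
# record for every decision. Rule model, node paths, users and audit fields are
# assumptions made for this illustration.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rule:
    node_prefix: str      # applies to this node and every node below it
    role: str
    ops: frozenset        # operations granted or denied, e.g. frozenset({"read"})
    allow: bool = True


def _under(node: str, prefix: str) -> bool:
    """Path containment: 'Objects/Plant1' covers 'Objects/Plant1/Pump3' but not 'Objects/Plant10'."""
    return node == prefix or node.startswith(prefix + "/")


class Authorizer:
    def __init__(self, rules, audit_log: list):
        self.rules = list(rules)
        self.audit_log = audit_log      # every decision, allowed or not, lands here

    def decide(self, user: str, roles: set, op: str, node: str, client_app: str, now: datetime) -> bool:
        matches = [r for r in self.rules if r.role in roles and op in r.ops and _under(node, r.node_prefix)]
        allowed = False                              # no matching rule: deny
        if matches:
            deepest = max(len(r.node_prefix) for r in matches)
            allowed = all(r.allow for r in matches if len(r.node_prefix) == deepest)
        self.audit_log.append({                      # assumed minimum audit record
            "time": now.isoformat(), "client_app": client_app, "user": user,
            "action": op, "node": node, "result": "allowed" if allowed else "denied",
        })
        return allowed


DEMO_RULES = (                                       # constructed policy
    Rule("Objects", "admin", frozenset({"read", "write"})),
    Rule("Objects/Plant1", "operator", frozenset({"read"})),
    Rule("Objects/Plant1/Boiler", "operator", frozenset({"write"})),
    Rule("Objects/Plant1/Boiler/Safety", "operator", frozenset({"write"}), allow=False),
)


def demo():
    log = []
    az = Authorizer(DEMO_RULES, log)
    now = datetime(2007, 1, 15, 12, 0, tzinfo=timezone.utc)
    op_roles = {"operator"}
    results = {
        "op_read_pump": az.decide("alice", op_roles, "read", "Objects/Plant1/Pump3/Speed", "HMI-1", now),
        "op_write_pump": az.decide("alice", op_roles, "write", "Objects/Plant1/Pump3/Speed", "HMI-1", now),
        "op_write_boiler": az.decide("alice", op_roles, "write", "Objects/Plant1/Boiler/Setpoint", "HMI-1", now),
        "op_write_safety": az.decide("alice", op_roles, "write", "Objects/Plant1/Boiler/Safety/Trip", "HMI-1", now),
        "op_read_plant10": az.decide("alice", op_roles, "read", "Objects/Plant10/Tank", "HMI-1", now),
        "admin_write_safety": az.decide("bob", {"admin"}, "write", "Objects/Plant1/Boiler/Safety/Trip", "Eng-WS", now),
        "no_roles": az.decide("mallory", set(), "read", "Objects/Plant1/Pump3/Speed", "unknown", now),
    }
    return results, log
```

Denied decisions are logged exactly like allowed ones; an audit trail that only records successes cannot show the unauthenticated and unauthorized attempts the objectives slide wants traced.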
Availability Depends primarily on the Site for protection Minimum processing before authentication
Topics (next: UA meets the objectives) – What OPC UA is – Security objectives – OPC UA security architecture – UA meets the objectives
UA meets Objectives – Authentication: certificates, challenge-response – Authorization: implemented per product – Confidentiality: encryption – Integrity: signed messages with periodically changing keys – Auditability: traceable log entries – Availability: minimal processing before AuthN
Further Info Tom Burke presentation at 2:00 today –Articles for non-members –UA specifications for members