Published by Willa Eaton. Modified over 8 years ago.

Slide 1: Security in OPC Unified Architecture (UA)
Dick Oyen, IndustrialSysDev, Inc.
Slide 2: Introducing Myself
Dick Oyen, IndustrialSysDev, Inc.
- Editor of the Security part of OPC UA
- ISA SP99 contributor
- Developed control systems as a Sr. R&D Engineer with ABB and Bailey Controls since 1977
- Started IndustrialSysDev in Sept 2006
Slide 3: Who are you in the audience?
You …
1. have heard of OPC?
2. know that UA replaces DA, AE, HDA?
3. know something about SSL/TLS or PKI?
Slide 4: Topics
- What OPC UA is
- Security objectives
- OPC UA security architecture
- UA meets the objectives
Slide 5: Topics
- What OPC UA is
- Security objectives
- OPC UA security architecture
- UA meets the objectives
Slide 6: OPC until Now
- A client-server standard for communicating process information
- Until now, an object model based on COM
  – uses DCOM
- Three parallel standards
  – OPC DA
  – OPC AE
  – OPC HDA
Slide 7: Starting now: OPC UA
- "Unified Architecture"
- Unifies the three OPC standards
- Web Services based
  – Move to an improved and current base standard
  – To be system-independent
- Now being prototyped
Slide 8: Topics
- What OPC UA is
- Security objectives
- OPC UA security architecture
- UA meets the objectives
Slide 9: Security Requirements
(Diagram: Site Requirements; OPC UA Certification; UA-Certified Product; console, network, device. Layout not recoverable.)
Slide 10: Site Requirements
Could include:
- Policy
- Procedures
- Physical boundaries
- Network zones
- Access control
- Malware countermeasures
Slide 11: OPC UA Product Requirements
- OPC UA certified products
  – must provide the OPC UA security functions
- OPC UA security functions
  – are optional at the site
  – support site requirements
Slide 12: OPC UA Security Objectives
- Authentication
- Authorization
- Confidentiality
- Integrity
- Auditability
- Availability
Slide 13: Authentication
(Diagram: UA Server, console, network; an authenticated user with a UA Client versus an unauthenticated user with an unauthenticated UA Client. Sidebar lists the OPC UA Security Objectives.)
Slide 14: Authorization
(Diagram: UA Server, console, network; an authorized user with a UA Client versus an unauthorized user with an unauthorized UA Client. Sidebar lists the OPC UA Security Objectives.)
Slide 15: Confidentiality
(Diagram: UA Server, console, network; an authorized user with a UA Client, and an eavesdropper on the network. Sidebar lists the OPC UA Security Objectives.)
Slide 16: Integrity
(Diagram: UA Server, console, network; an authorized user with a UA Client, and a hacker on the network. Sidebar lists the OPC UA Security Objectives.)
Slide 17: Auditability
(Diagram: UA Server, console, network; an authorized user with a UA Client, a hacker, an unauthenticated user, an unauthorized user, and "Ugly". Sidebar lists the OPC UA Security Objectives.)
Slide 18: Availability
(Diagram: UA Server, console, network; an authorized user with a UA Client, a hacker, and malware. Sidebar lists the OPC UA Security Objectives.)
Slide 19: Topics
- What OPC UA is
- Security objectives
- OPC UA security architecture
- UA meets the objectives
Slide 20: OPC UA Security Architecture
Slide 21: Objectives met by Layers
(Table: rows Confidentiality, Integrity, App AuthN, User AuthN, Authorization, Auditability, Availability; columns App, Comm, Trans; each row has one "x" mark, but the column it falls in is not recoverable from the extracted text.)
Slide 22: Communication Layer Security
(Table as on slide 21, with the Comm layer highlighted.)
Slide 23: XML Web Services Mapping
Mappings: XML WS, UA Native
(Table as on slide 21.)
Slide 24: XML Web Services Stack
Slide 25: WS-Security
Specifies a SOAP header with info on
- Authentication using any of
  – Username/password
  – Kerberos
  – X.509
- Signature
  – XML Signature
- Encryption
  – XML Encryption
Slide 26: WS-Trust
- Validate credentials
- Request and issue security tokens
Slide 27: WS-SecureConversation
- Security context establishment and sharing
- Session key derivation
Slide 28: UA Native Mapping
Mappings: XML WS, UA Native
(Table as on slide 21.)
Slide 29: UA Native Mapping
- UA Native Mapping is available when WS is not (controllers, etc.)
- The product supplier develops the implementations of these layers
- Manages the secure channel
Slide 30: App Authentication – UA Native
- Application X.509 Certificates are exchanged when the secure channel is established
Slide 31: Integrity – UA Native
- No messages altered
  – sign the messages: HMAC or RSA encryption, SHA1 hash
  – change the key periodically
- Message sequence not altered
  – Nonce
  – Time stamp
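An added illustration, not taken from the slides or from the OPC UA specification, of the integrity controls listed on this slide: each message carries a sequence number, a nonce and a time stamp, is signed with HMAC-SHA1, and the receiver rejects altered, replayed or out-of-order messages and supports a periodic key change. The field layout, key values and time stamps are constructed for this example and are not OPC UA's wire format.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 20             # HMAC-SHA1 output length in bytes
HEADER_LEN = 4 + 8 + 8   # seq (u32) + time stamp (u64) + nonce (8 bytes); constructed layout


def sign_message(key: bytes, seq: int, timestamp: int, payload: bytes) -> bytes:
    """Build header || payload || HMAC-SHA1 tag over everything before the tag."""
    nonce = secrets.token_bytes(8)             # fresh per message, so a copy is detectable
    header = struct.pack(">IQ", seq, timestamp) + nonce
    body = header + payload
    tag = hmac.new(key, body, hashlib.sha1).digest()
    return body + tag


class Receiver:
    """Checks the signature first, then sequence, nonce freshness and time stamp."""

    def __init__(self, key: bytes, max_skew: int = 30):
        self.key = key
        self.max_skew = max_skew      # seconds of clock drift tolerated (constructed value)
        self.last_seq = 0
        self.seen_nonces = set()

    def rotate_key(self, new_key: bytes) -> None:
        """Periodic key change; the sender must switch to the same key at the same point."""
        self.key = new_key

    def verify(self, msg: bytes, now: int) -> bytes:
        """Return the payload, or raise ValueError naming the check that failed."""
        if len(msg) < HEADER_LEN + TAG_LEN:
            raise ValueError("truncated message")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):        # constant-time comparison
            raise ValueError("signature mismatch: message altered or wrong key")
        seq, timestamp = struct.unpack(">IQ", body[:12])
        nonce, payload = body[12:HEADER_LEN], body[HEADER_LEN:]
        if seq != self.last_seq + 1:
            raise ValueError(f"sequence {seq} out of order, expected {self.last_seq + 1}")
        if nonce in self.seen_nonces:
            raise ValueError("nonce reused: replayed message")
        if abs(now - timestamp) > self.max_skew:
            raise ValueError("time stamp outside the accepted window")
        self.last_seq = seq                               # state changes only after all checks pass
        self.seen_nonces.add(nonce)
        return payload
```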
Slide 32: Confidentiality – UA Native
- Options
  – Encrypt only channel management
  – Encrypt all messages
- Encryption
  – AES if symmetric
  – RSA if asymmetric
Slide 33: Application Layer Security
Mappings: XML WS, UA Native
(Table as on slide 21, with the App layer highlighted.)
Slide 34: User Authentication
- OPC UA defines optional user security token types
  – X.509
  – Username / password
- The server application can validate the user's token
Slide 35: User Authorization
- Application product developer
  – specifies the user authorization scheme
  – implements the scheme in the client application
Slide 36: Auditing
- All security events are recorded
- Traceable through intermediate nodes
- For interoperability
  – Minimum required set of logged parameters
Slide 37: Availability
- Depends primarily on the Site for protection
- Minimum processing before authentication
Slide 38: Topics
- What OPC UA is
- Security objectives
- OPC UA security architecture
- UA meets the objectives
Slide 39: UA meets Objectives
- Authentication
  – Certificates
  – Challenge-response
- Authorization
  – Implemented per product
- Confidentiality
  – Encryption
- Integrity
  – Changing keys
- Auditability
  – Traceable log entries
- Availability
  – Minimal processing before AuthN
Slide 40: Further Info
- Tom Burke presentation at 2:00 today
- www.OPCFoundation.org
  – Articles for non-members
  – UA specifications for members
- dick_oyen@hotmail.com