SZ
Uploaded bySadatulla Zishan
PDF, PPTX160 views

An Overview of OPC UA Security

The document provides an overview of OPC UA security, detailing its architecture, security objectives, and various security policies and solutions to protect data integrity and confidentiality. It highlights the role of Utthunga Technologies in securing industrial communication and emphasizes the importance of proper user authentication, encryption, and security governance. Additionally, it offers recommendations for optimizing security practices in both OEMs and end-users while promoting a proactive approach to managing security vulnerabilities.

Embed presentation

Download as PDF, PPTX
© Utthunga Technologies Pvt. Ltd. 2020 An Overview of OPC UA Security Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Company Overview Germany 500+ Professionals USA Japan 13 HQ & Development Centre Bangalore India © Utthunga Technologies Pvt. Ltd. 2020 SERVICES SOLUTIONSFOCUS Embedded Software & Hardware Product Engineering Digital Services Application Software Engineering Quality Engineering Process & Factory Power & Utilities IIoT, Cloud & Big Data Analytics Solutions Data Connectivity & Integration Solutions Custom Solutions Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Industry Associations  Part of various Special Interest Groups (Technical Specifications, Architecture, Test & Certification and Marketing)  Involved in reference Application Architecture, Design and Development  Technology Outsourcing Partner  PROFIBUS and PROFINET Competency Center  FDT Test & Certification Center  Part of Global Expert/Certified Community https://opcfoundation.org/about/opc-foundation/experts/ https://www.profibus.com/pi-organization/certified-people/ Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Speaker for Today  Sahan is a cyber-security specialist  6 years of experience in the industrial and security domain  Currently working in the R&D division at Utthunga  His proven areas of expertise are security testing and strategy, endpoint security, ethical hacking (VAPT), VMware virtualization, FDT/DTM and OPC UA  Sahan plays a critical role in Secure SDLC (SSDLC) and Secure DevOps implementation at Utthunga Sahan M Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 IIoT Era Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Source: OPC Foundation Utthunga for OPC Machine to machine communication protocol for industrial automation developed by the OPC Foundation. OPC UA (Open Platform Communications United Architecture)
© Utthunga Technologies Pvt. Ltd. 2020 Communication Requires more than Connectivity Reliable Secure Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 4. OPC UA Secure Data Connectivity 3. OPC UA Security Architecture 2. Security Objectives 1. OPC UA Security Focus 6. OPC UA Security Solutions for Attack Types 5. Secure Policies 7. Effectiveness of OPC UA Security Analysis 8. Recommendations Agenda Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Data At Rest Data in ProcessData in Motion OPC UA Security Focus OPC UA Security - Focus Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Security Objectives • Data only visible to intended recipients • Data is not modified • Data is available to authorized people when they need it • Identity of the people or systems is assured. • Controlled based on permissions • All requests and receipts of data are documented AAA CIA Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 OPC UA Security Architecture  OPC Unified Architecture uses a public key infrastructure to achieve secure communication.  A session in the Application Layer communicates over a Secure Channel that is created in the Communication Layer and relies upon it for secure communication.  The Communication Layer provides security mechanisms to meet Confidentiality, Integrity and application Authentication as security objectives. Source: OPC UA Spec. Security Model 1.04 Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 OPC UA Secure Data Connectivity  Supports enterprise wide secure data connectivity Mechanism Transport Two way One Way LAN WAN DMZ & Firewall E-to E Security Client- server TCP Y Y Y Y Y PubSub UDP Y Y Y Y PubSub MQTT Y Y Y Y Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Secure OPC UA Data Exchange Across Firewalls  In-bound firewall ports to be closed as this minimizes threats of external attacks  NIST and NERC are recommending their members that all in-bound Firewall ports to be closed Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Security Policies None No security Basic256Sha256 (Recommended) This policy option is enabled by default, acceptable and more likely to be supported by older applications. Aes128-Sha256-RsaOaep (Average) This policy option is enabled by default. It is faster than the most secure policies and offers good security. However, older applications will not support it. Aes256-Sha256-RsaPss (Recommended - Most Secure) This policy option is enabled by default. It is the most secure available; however, older applications will not support it. Basic256 (Deprecated) This policy has theoretical problems and is not recommended. Basic 128Rsa15 (Deprecated) This policy has known vulnerabilities and should not be used unless absolutely necessary. #PubSub-Aes 128-CTR Average security needs. #PubSub-Aes256-CTR High security needs.  OPC UA server should identify and support the security policies  OPC UA client will choose these security policies to connect the server Note: OPC Foundation deprecates the security policies and updates the support for policies to maintain the effective security policy Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 OPC UA Security Solutions for Attack Type : Encryption  OPC UA addresses unauthorized disclosure of any sensitive information by doing encryption, when the data is in transit  OPC UA addresses Eavesdropping, which impacts Confidentiality directly Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 OPC UA Security Solutions for Attack Type : Message Signing  The signing of messages prevent an unauthorized third party from changing the contents of a message  Signing a message helps to ensure the following:  Data Integrity – The message was not altered from its original form  Non-repudiation – The sender cannot deny the authenticity of the message they sent and signed  Proof of Origin – The message actually came from the legitimate sender  OPC UA addresses Message Spoofing, Message Alteration Information by signing the messages. Additionally, the messages will always include a valid Session ID, Secure Channel ID, Request ID, Timestamp, and Sequence No Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 OPC UA Security Solutions for Attack Type : Application Authentication  OPC UA encounters Rogue server, session hijacking, and server profiling attacks by ensuring the application used is trusted and authorized by the user  Ensures that the application we are communicating to is trusted by having application Instance certificate  Authentication of applications  Application instance certificates  Certificate Authority (CA) Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 OPC UA Security Solutions for Attack Type : User Authentication and Authorization  OPC UA encounters Rogue server and session hijacking by ensuring only authenticated and authorized user is allowed to perform an action.  User Authentication can be done via  Username / password, WS-Security Token or X.509 certificates  Implemented into existing IAM infrastructures like Active Directory  Authorization will help to control access to the specific operations and information.  Authorization (Server Specific)  Fine-granular information in address space (Read, Write, Browse)  Writing of meta data, calling methods Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 OPC UA Security Solutions for Attack Type: Availability  OPC UA encounter threats like Denial of service, message flooding attack (Bandwidth approach, Resource approach)  OPC UA Servers reject the sessions that exceed their specified maximum number  Minimize processing of packets before they are authenticated  Configure Alarm Incidents Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 OPC UA Security Solutions for Attack Type : Auditability  When multiple systems are communicating to the server then we can define what is important to us in terms of debugging and security and log those information  Auditability is very important and useful due to the aggregation feature of OPC servers that helps to communicate and established connections with multiple servers and/or establish different sessions for a channel with different vendors  Used for post analysis and forensic analysis especially when something goes wrong Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Certificates  Ensures a secure communication channel between the OPC UA server and OPC UA client  The Public key of Server from its trusted certificate store are copied to Client trusted certificate store.  Similarly, The Public key of Client from its trusted certificate store are copied to Server trusted certificate store.  The OPC UA Server uses its private key to decrypt the encoded message Source: Beckhoff Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Effectiveness of OPC UA Security Analysis  The OPC UA successfully passed these tests that were run for the German Federal Government (BSI). Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Effectiveness of OPC UA Security Analysis Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Utthunga for OPC  Define and include the security specific goals for your OPC product/application  Choose the right SDK  Secure SDL (Security Development Lifecycle)  Third-Party Libraries  Secure storing of Private keys  Certificates and user account management work flow  Get Certified by Foundation Test Lab  Security specific UpgradingPatching  Other General Security Aspects Security Recommendations for OEMS
© Utthunga Technologies Pvt. Ltd. 2020 Utthunga for OPC  Opt for certified products application that support required security policies  Security specific UpgradingPatching  Certificates and user account management process & guidelines  Support  Other General Security Aspects Security Recommendations for End Users
© Utthunga Technologies Pvt. Ltd. 2020 Security Recommendations  Do not leave your secrets lying around  Never store private keys or the corresponding certificate files (.pfx/p12) on an unencrypted file system  Do not automatically trust certificates  Do not accept connections, which do not provide the trusted certificates.  User Authentication  Avoid use of anonymous Identifiers  When this generic identifier is used, it is not possible to trace who has changed  Security Mode ‘None’ should not be used  It does not provide any protection  The Security Mode used should be ‘SignAndEncrypt’ or ‘Sign’  Instead ‘SignAndEncrypt’ or ‘Sign’ Security Mode should be used  Selection of cryptographic algorithms  At a minimum, the Security Policy ‘Basic256Sha256’ should be chosen provided its technically possible  Weaker security policies use outdated algorithms such as SHA-1 and should not be used  Managing and maintaining certificates  Use certificate trust lists and certificate revocation lists to manage valid certificates. Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 In a Nutshell Utthunga for OPC  OPC UA is Secure By Design  OPC UA allows different levels of security  OPC UA Security is standard based and developed with industry security experts from multiple company  Defense in Depth  Security as a reminder, OPC UA alone will not secure your systems.
© Utthunga Technologies Pvt. Ltd. 2020© Utthunga Technologies Pvt. Ltd. 2020 Time for Audience Q&A Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 OPC – Upcoming Webinar Calendar 1. An Overview of OPC UA Security – 10th September, 2020 2. FDT/OPC UA – 30th September, 2020 Utthunga for OPC
© Utthunga Technologies Pvt. Ltd. 2020 Utthunga Technologies Pvt. Ltd. No. 8, 27th Cross, 2nd Stage, Banashankari, Bangalore – 560 070 Phone: +91-80-68151900 Mail: contact@utthunga.com

More Related Content

PPTX
Security in OPC UA ppt
byMallikarjuna Y C
 
PDF
OPC UA Inside Out, Part 1 - Introduction and Playing Field
bySadatulla Zishan
 
PDF
OPC UA Inside Out Part 3 - Edge Devices
bySadatulla Zishan
 
PDF
OPC UA for Embedded & Constrained Devices
bySadatulla Zishan
 
PDF
FDT/DTM Introduction Webinar
bySadatulla Zishan
 
PDF
Managing Your ROI & TCO In Automation Testing | V&V Webinar PPT
bySadatulla Zishan
 
PPTX
Digital Transformation with FDT 3.0 Webinar
bySadatulla Zishan
 
PPTX
OPC UA Inside Out Part 6 - Brownfield and Greenfield Webinar
bySadatulla Zishan
 
Security in OPC UA ppt
byMallikarjuna Y C
 
OPC UA Inside Out, Part 1 - Introduction and Playing Field
bySadatulla Zishan
 
OPC UA Inside Out Part 3 - Edge Devices
bySadatulla Zishan
 
OPC UA for Embedded & Constrained Devices
bySadatulla Zishan
 
FDT/DTM Introduction Webinar
bySadatulla Zishan
 
Managing Your ROI & TCO In Automation Testing | V&V Webinar PPT
bySadatulla Zishan
 
Digital Transformation with FDT 3.0 Webinar
bySadatulla Zishan
 
OPC UA Inside Out Part 6 - Brownfield and Greenfield Webinar
bySadatulla Zishan
 

What's hot

PDF
OPC UA Connectivity with InduSoft and the OPC Foundation
byAVEVA
 
PDF
OPC UA Inside Out Part 4 - OPC Tunneller
bySadatulla Zishan
 
PDF
RA TechED 2019 - SS08 - What's New and Coming Soon in Safety Automation Archi...
byRockwell Automation
 
PPTX
OPC UA Security: Native and Add-on Solutions
byteam-WIBU
 
PDF
Smart and Highly Scalable Lifecycle Management for Embedded Devices - Thomas ...
bymfrancis
 
PDF
View Page Update Presentation Close Internet of Things Cologne 2015: OPC Uni...
byMongoDB
 
PPTX
FDT 3.0 and OPC UA : Key to Interoperability
bySadatulla Zishan
 
PPT
OPC Unified Architecture
byVishwa Mohan
 
PDF
Engineer Sensors For Digital Transformation Webinar PPT
bySadatulla Zishan
 
PPTX
InduSoft Web Studio and OPC UA Connectivity
byAVEVA
 
PPTX
OPC PPT
byShivam Singh
 
PDF
ISO 26262 Approval of Automotive Software Components
byReal-Time Innovations (RTI)
 
PDF
OPC UA: Ready for realtime
byMiodrag Veselic
 
PPTX
OPC Foundation and InduSoft
byAVEVA
 
PPTX
Designing Machine-level HMI with Studio 5000 View Designer® Demonstration
byRockwell Automation
 
PDF
open62541 - Open Source OPC UA on Steroids
byJulius Pfrommer
 
PDF
OPC UA Inside Out Part 5 - Cloud Connectivity
bySadatulla Zishan
 
PDF
IIB Manufacturing Pack v1001
byDominic Storey
 
PDF
Revolutionizing I4.0 Security and IT/OT Harmonization
bySadatulla Zishan
 
PDF
FDT Mobility Secures Open Automation for Industrie 4 0 | FDT Group | Utthunga
bySadatulla Zishan
 
OPC UA Connectivity with InduSoft and the OPC Foundation
byAVEVA
 
OPC UA Inside Out Part 4 - OPC Tunneller
bySadatulla Zishan
 
RA TechED 2019 - SS08 - What's New and Coming Soon in Safety Automation Archi...
byRockwell Automation
 
OPC UA Security: Native and Add-on Solutions
byteam-WIBU
 
Smart and Highly Scalable Lifecycle Management for Embedded Devices - Thomas ...
bymfrancis
 
View Page Update Presentation Close Internet of Things Cologne 2015: OPC Uni...
byMongoDB
 
FDT 3.0 and OPC UA : Key to Interoperability
bySadatulla Zishan
 
OPC Unified Architecture
byVishwa Mohan
 
Engineer Sensors For Digital Transformation Webinar PPT
bySadatulla Zishan
 
InduSoft Web Studio and OPC UA Connectivity
byAVEVA
 
OPC PPT
byShivam Singh
 
ISO 26262 Approval of Automotive Software Components
byReal-Time Innovations (RTI)
 
OPC UA: Ready for realtime
byMiodrag Veselic
 
OPC Foundation and InduSoft
byAVEVA
 
Designing Machine-level HMI with Studio 5000 View Designer® Demonstration
byRockwell Automation
 
open62541 - Open Source OPC UA on Steroids
byJulius Pfrommer
 
OPC UA Inside Out Part 5 - Cloud Connectivity
bySadatulla Zishan
 
IIB Manufacturing Pack v1001
byDominic Storey
 
Revolutionizing I4.0 Security and IT/OT Harmonization
bySadatulla Zishan
 
FDT Mobility Secures Open Automation for Industrie 4 0 | FDT Group | Utthunga
bySadatulla Zishan
 

Similar to An Overview of OPC UA Security

PPTX
Security in OPC UA ppt
byUtthunga Technologies Pvt Ltd
 
PPTX
Webinar: OPC UA Clients on Linux Systems with InduSoft Web Studio-InduSoft Pr...
byAVEVA
 
PDF
Platform independent secure data exchange not only for RFID
byPeter Seeberg
 
PPTX
Webinar: OPC UA Clients on Linux Systems with InduSoft Web Studio-OPC Foundat...
byAVEVA
 
PDF
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
byDevOps.com
 
PDF
Open platform communication
byRasika Joshi
 
PPSX
opcua_121710.ppsxthsrtuhrbxdtnhtdtndtyty
byMuthupriyadharshini1
 
PDF
Opc e book_2021_3rd_edition_lay06
byTiago Oliveira
 
PPTX
OPC OLE for Process Control (OPC)
byMostafa Ragab
 
PDF
OPC UA Open Platform Communications.pdf
byJawaidAbdulHameed
 
PDF
Transforming IIoT Data Interoperability with OPC UA
bymicrolandland
 
PDF
LAS16-306: Exploring the Open Trusted Protocol
byLinaro
 
PDF
How is Python Useful for Cybersecurity in 2024
byriyak40
 
PDF
practical-guide-to-opcua.pdf
byssuser357595
 
PPTX
Opc ua
byNaushad Warsi
 
PPTX
Removing Security Roadblocks to IoT Deployment Success
byMicrosoft Tech Community
 
PPTX
CWIN17 Toulouse / Opc ua, the de facto interoperability standard for industry...
byCapgemini
 
PDF
Transforming IIoT Data Interoperability with OPC UA
bymicrolandland
 
PPTX
integration standards requirements for systems
byHoudaBoulif
 
PPT
INT529 zero lecture.pptdsfsdffewwretetrtetretr
bySanjeevKumarSinha13
 
Security in OPC UA ppt
byUtthunga Technologies Pvt Ltd
 
Webinar: OPC UA Clients on Linux Systems with InduSoft Web Studio-InduSoft Pr...
byAVEVA
 
Platform independent secure data exchange not only for RFID
byPeter Seeberg
 
Webinar: OPC UA Clients on Linux Systems with InduSoft Web Studio-OPC Foundat...
byAVEVA
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
byDevOps.com
 
Open platform communication
byRasika Joshi
 
opcua_121710.ppsxthsrtuhrbxdtnhtdtndtyty
byMuthupriyadharshini1
 
Opc e book_2021_3rd_edition_lay06
byTiago Oliveira
 
OPC OLE for Process Control (OPC)
byMostafa Ragab
 
OPC UA Open Platform Communications.pdf
byJawaidAbdulHameed
 
Transforming IIoT Data Interoperability with OPC UA
bymicrolandland
 
LAS16-306: Exploring the Open Trusted Protocol
byLinaro
 
How is Python Useful for Cybersecurity in 2024
byriyak40
 
practical-guide-to-opcua.pdf
byssuser357595
 
Opc ua
byNaushad Warsi
 
Removing Security Roadblocks to IoT Deployment Success
byMicrosoft Tech Community
 
CWIN17 Toulouse / Opc ua, the de facto interoperability standard for industry...
byCapgemini
 
Transforming IIoT Data Interoperability with OPC UA
bymicrolandland
 
integration standards requirements for systems
byHoudaBoulif
 
INT529 zero lecture.pptdsfsdffewwretetrtetretr
bySanjeevKumarSinha13
 

Recently uploaded

PPTX
Optimizing Plant Maintenance — Key Elements of a Successful Maintenance Plan ...
byMaintWiz Technologies Private Limited
 
PPT
Tutorial-security-privacy-cloud intro duction about cloud compting its services
byHEmansuSingh
 
PPTX
MODULE 1-UNIT_1.pptx MODULE 1-UNIT_1.pptx MODULE 1-UNIT_1.pptx
bypavanscholar123
 
PPTX
Optimizing Operations: Key Elements of a Successful Plant Maintenance Plan — ...
byMaintWiz Technologies Private Limited
 
PPTX
Preventive Maintenance Program for Compressors – Complete Guide
byMaintWiz Technologies Private Limited
 
PPTX
How to Create an Effective Monthly Preventive Maintenance Plan
byMaintWiz Technologies Private Limited
 
PPTX
2_Consequence of threats, E-mail threats, Web.pptx
bydolly475229
 
PPTX
Industrial Smart Ventilation system.pptx
byfsanjay42
 
PDF
Modeltomodel_Transformation_with_ATL (1).pdf
byISEMENSIAS
 
PPTX
UNIT -3 -DIGITAL AND MOBILE FORENSICS FORENSIC READINESS-.pptx
byjemimaa3
 
PPT
Intro AI DBATU.ppt ppt useful engineering
bydevinjon990
 
PPTX
22PEOIT4C Session 1 Introduction to AI and intelligent agents.pptx
bymailmegokilavani
 
PPTX
22PEOIT4C Session 4 Breath First Search & Depth First Search.pptx
bymailmegokilavani
 
DOCX
Buy Facebook Ads Accounts_ Boost Your Professional ....docx
bytopusapro.com
 
PPTX
22PEOIT4C Session 9 Local search in continuous space.pptx
bymailmegokilavani
 
PDF
Troubleshooting of Marine Refrigeration System - Part 4
byMahmoud Moghtaderi
 
PPTX
KTU 2024 SCHEME -PEMET 413 COMPOSITE MATERIALS MODULE 1 LECTURE 1.pptx
byVinayB68
 
PDF
22PEOIT4C Artificial Intelligence Syllab
bymailmegokilavani
 
PDF
TechSprint: Innovate for Impact Hackathon
byDeepakkumarSingh415123
 
PDF
Nostr : A protocol for freedom of speech
byEmre YILMAZ
 
Optimizing Plant Maintenance — Key Elements of a Successful Maintenance Plan ...
byMaintWiz Technologies Private Limited
 
Tutorial-security-privacy-cloud intro duction about cloud compting its services
byHEmansuSingh
 
MODULE 1-UNIT_1.pptx MODULE 1-UNIT_1.pptx MODULE 1-UNIT_1.pptx
bypavanscholar123
 
Optimizing Operations: Key Elements of a Successful Plant Maintenance Plan — ...
byMaintWiz Technologies Private Limited
 
Preventive Maintenance Program for Compressors – Complete Guide
byMaintWiz Technologies Private Limited
 
How to Create an Effective Monthly Preventive Maintenance Plan
byMaintWiz Technologies Private Limited
 
2_Consequence of threats, E-mail threats, Web.pptx
bydolly475229
 
Industrial Smart Ventilation system.pptx
byfsanjay42
 
Modeltomodel_Transformation_with_ATL (1).pdf
byISEMENSIAS
 
UNIT -3 -DIGITAL AND MOBILE FORENSICS FORENSIC READINESS-.pptx
byjemimaa3
 
Intro AI DBATU.ppt ppt useful engineering
bydevinjon990
 
22PEOIT4C Session 1 Introduction to AI and intelligent agents.pptx
bymailmegokilavani
 
22PEOIT4C Session 4 Breath First Search & Depth First Search.pptx
bymailmegokilavani
 
Buy Facebook Ads Accounts_ Boost Your Professional ....docx
bytopusapro.com
 
22PEOIT4C Session 9 Local search in continuous space.pptx
bymailmegokilavani
 
Troubleshooting of Marine Refrigeration System - Part 4
byMahmoud Moghtaderi
 
KTU 2024 SCHEME -PEMET 413 COMPOSITE MATERIALS MODULE 1 LECTURE 1.pptx
byVinayB68
 
22PEOIT4C Artificial Intelligence Syllab
bymailmegokilavani
 
TechSprint: Innovate for Impact Hackathon
byDeepakkumarSingh415123
 
Nostr : A protocol for freedom of speech
byEmre YILMAZ
 

An Overview of OPC UA Security

  • 1.
    © Utthunga TechnologiesPvt. Ltd. 2020 An Overview of OPC UA Security Utthunga for OPC
  • 2.
    © Utthunga TechnologiesPvt. Ltd. 2020 Company Overview Germany 500+ Professionals USA Japan 13 HQ & Development Centre Bangalore India © Utthunga Technologies Pvt. Ltd. 2020 SERVICES SOLUTIONSFOCUS Embedded Software & Hardware Product Engineering Digital Services Application Software Engineering Quality Engineering Process & Factory Power & Utilities IIoT, Cloud & Big Data Analytics Solutions Data Connectivity & Integration Solutions Custom Solutions Utthunga for OPC
  • 3.
    © Utthunga TechnologiesPvt. Ltd. 2020 Industry Associations  Part of various Special Interest Groups (Technical Specifications, Architecture, Test & Certification and Marketing)  Involved in reference Application Architecture, Design and Development  Technology Outsourcing Partner  PROFIBUS and PROFINET Competency Center  FDT Test & Certification Center  Part of Global Expert/Certified Community https://opcfoundation.org/about/opc-foundation/experts/ https://www.profibus.com/pi-organization/certified-people/ Utthunga for OPC
  • 4.
    © Utthunga TechnologiesPvt. Ltd. 2020 Speaker for Today  Sahan is a cyber-security specialist  6 years of experience in the industrial and security domain  Currently working in the R&D division at Utthunga  His proven areas of expertise are security testing and strategy, endpoint security, ethical hacking (VAPT), VMware virtualization, FDT/DTM and OPC UA  Sahan plays a critical role in Secure SDLC (SSDLC) and Secure DevOps implementation at Utthunga Sahan M Utthunga for OPC
  • 5.
    © Utthunga TechnologiesPvt. Ltd. 2020 IIoT Era Utthunga for OPC
  • 6.
    © Utthunga TechnologiesPvt. Ltd. 2020 Source: OPC Foundation Utthunga for OPC Machine to machine communication protocol for industrial automation developed by the OPC Foundation. OPC UA (Open Platform Communications United Architecture)
  • 7.
    © Utthunga TechnologiesPvt. Ltd. 2020 Communication Requires more than Connectivity Reliable Secure Utthunga for OPC
  • 8.
    © Utthunga TechnologiesPvt. Ltd. 2020 4. OPC UA Secure Data Connectivity 3. OPC UA Security Architecture 2. Security Objectives 1. OPC UA Security Focus 6. OPC UA Security Solutions for Attack Types 5. Secure Policies 7. Effectiveness of OPC UA Security Analysis 8. Recommendations Agenda Utthunga for OPC
  • 9.
    © Utthunga TechnologiesPvt. Ltd. 2020 Data At Rest Data in ProcessData in Motion OPC UA Security Focus OPC UA Security - Focus Utthunga for OPC
  • 10.
    © Utthunga TechnologiesPvt. Ltd. 2020 Security Objectives • Data only visible to intended recipients • Data is not modified • Data is available to authorized people when they need it • Identity of the people or systems is assured. • Controlled based on permissions • All requests and receipts of data are documented AAA CIA Utthunga for OPC
  • 11.
    © Utthunga TechnologiesPvt. Ltd. 2020 OPC UA Security Architecture  OPC Unified Architecture uses a public key infrastructure to achieve secure communication.  A session in the Application Layer communicates over a Secure Channel that is created in the Communication Layer and relies upon it for secure communication.  The Communication Layer provides security mechanisms to meet Confidentiality, Integrity and application Authentication as security objectives. Source: OPC UA Spec. Security Model 1.04 Utthunga for OPC
  • 12.
    © Utthunga TechnologiesPvt. Ltd. 2020 OPC UA Secure Data Connectivity  Supports enterprise wide secure data connectivity Mechanism Transport Two way One Way LAN WAN DMZ & Firewall E-to E Security Client- server TCP Y Y Y Y Y PubSub UDP Y Y Y Y PubSub MQTT Y Y Y Y Utthunga for OPC
  • 13.
    © Utthunga TechnologiesPvt. Ltd. 2020 Secure OPC UA Data Exchange Across Firewalls  In-bound firewall ports to be closed as this minimizes threats of external attacks  NIST and NERC are recommending their members that all in-bound Firewall ports to be closed Utthunga for OPC
  • 14.
    © Utthunga TechnologiesPvt. Ltd. 2020 Security Policies None No security Basic256Sha256 (Recommended) This policy option is enabled by default, acceptable and more likely to be supported by older applications. Aes128-Sha256-RsaOaep (Average) This policy option is enabled by default. It is faster than the most secure policies and offers good security. However, older applications will not support it. Aes256-Sha256-RsaPss (Recommended - Most Secure) This policy option is enabled by default. It is the most secure available; however, older applications will not support it. Basic256 (Deprecated) This policy has theoretical problems and is not recommended. Basic 128Rsa15 (Deprecated) This policy has known vulnerabilities and should not be used unless absolutely necessary. #PubSub-Aes 128-CTR Average security needs. #PubSub-Aes256-CTR High security needs.  OPC UA server should identify and support the security policies  OPC UA client will choose these security policies to connect the server Note: OPC Foundation deprecates the security policies and updates the support for policies to maintain the effective security policy Utthunga for OPC
  • 15.
    © Utthunga TechnologiesPvt. Ltd. 2020 OPC UA Security Solutions for Attack Type : Encryption  OPC UA addresses unauthorized disclosure of any sensitive information by doing encryption, when the data is in transit  OPC UA addresses Eavesdropping, which impacts Confidentiality directly Utthunga for OPC
  • 16.
    © Utthunga TechnologiesPvt. Ltd. 2020 OPC UA Security Solutions for Attack Type : Message Signing  The signing of messages prevent an unauthorized third party from changing the contents of a message  Signing a message helps to ensure the following:  Data Integrity – The message was not altered from its original form  Non-repudiation – The sender cannot deny the authenticity of the message they sent and signed  Proof of Origin – The message actually came from the legitimate sender  OPC UA addresses Message Spoofing, Message Alteration Information by signing the messages. Additionally, the messages will always include a valid Session ID, Secure Channel ID, Request ID, Timestamp, and Sequence No Utthunga for OPC
  • 17.
    © Utthunga TechnologiesPvt. Ltd. 2020 OPC UA Security Solutions for Attack Type : Application Authentication  OPC UA encounters Rogue server, session hijacking, and server profiling attacks by ensuring the application used is trusted and authorized by the user  Ensures that the application we are communicating to is trusted by having application Instance certificate  Authentication of applications  Application instance certificates  Certificate Authority (CA) Utthunga for OPC
  • 18.
    © Utthunga TechnologiesPvt. Ltd. 2020 OPC UA Security Solutions for Attack Type : User Authentication and Authorization  OPC UA encounters Rogue server and session hijacking by ensuring only authenticated and authorized user is allowed to perform an action.  User Authentication can be done via  Username / password, WS-Security Token or X.509 certificates  Implemented into existing IAM infrastructures like Active Directory  Authorization will help to control access to the specific operations and information.  Authorization (Server Specific)  Fine-granular information in address space (Read, Write, Browse)  Writing of meta data, calling methods Utthunga for OPC
  • 19.
    © Utthunga TechnologiesPvt. Ltd. 2020 OPC UA Security Solutions for Attack Type: Availability  OPC UA encounter threats like Denial of service, message flooding attack (Bandwidth approach, Resource approach)  OPC UA Servers reject the sessions that exceed their specified maximum number  Minimize processing of packets before they are authenticated  Configure Alarm Incidents Utthunga for OPC
  • 20.
    © Utthunga TechnologiesPvt. Ltd. 2020 OPC UA Security Solutions for Attack Type : Auditability  When multiple systems are communicating to the server then we can define what is important to us in terms of debugging and security and log those information  Auditability is very important and useful due to the aggregation feature of OPC servers that helps to communicate and established connections with multiple servers and/or establish different sessions for a channel with different vendors  Used for post analysis and forensic analysis especially when something goes wrong Utthunga for OPC
  • 21.
    © Utthunga TechnologiesPvt. Ltd. 2020 Certificates  Ensures a secure communication channel between the OPC UA server and OPC UA client  The Public key of Server from its trusted certificate store are copied to Client trusted certificate store.  Similarly, The Public key of Client from its trusted certificate store are copied to Server trusted certificate store.  The OPC UA Server uses its private key to decrypt the encoded message Source: Beckhoff Utthunga for OPC
  • 22.
    © Utthunga TechnologiesPvt. Ltd. 2020 Effectiveness of OPC UA Security Analysis  The OPC UA successfully passed these tests that were run for the German Federal Government (BSI). Utthunga for OPC
  • 23.
    © Utthunga TechnologiesPvt. Ltd. 2020 Effectiveness of OPC UA Security Analysis Utthunga for OPC
  • 24.
    © Utthunga TechnologiesPvt. Ltd. 2020 Utthunga for OPC  Define and include the security specific goals for your OPC product/application  Choose the right SDK  Secure SDL (Security Development Lifecycle)  Third-Party Libraries  Secure storing of Private keys  Certificates and user account management work flow  Get Certified by Foundation Test Lab  Security specific UpgradingPatching  Other General Security Aspects Security Recommendations for OEMS
  • 25.
    © Utthunga TechnologiesPvt. Ltd. 2020 Utthunga for OPC  Opt for certified products application that support required security policies  Security specific UpgradingPatching  Certificates and user account management process & guidelines  Support  Other General Security Aspects Security Recommendations for End Users
  • 26.
    © Utthunga TechnologiesPvt. Ltd. 2020 Security Recommendations  Do not leave your secrets lying around  Never store private keys or the corresponding certificate files (.pfx/p12) on an unencrypted file system  Do not automatically trust certificates  Do not accept connections, which do not provide the trusted certificates.  User Authentication  Avoid use of anonymous Identifiers  When this generic identifier is used, it is not possible to trace who has changed  Security Mode ‘None’ should not be used  It does not provide any protection  The Security Mode used should be ‘SignAndEncrypt’ or ‘Sign’  Instead ‘SignAndEncrypt’ or ‘Sign’ Security Mode should be used  Selection of cryptographic algorithms  At a minimum, the Security Policy ‘Basic256Sha256’ should be chosen provided its technically possible  Weaker security policies use outdated algorithms such as SHA-1 and should not be used  Managing and maintaining certificates  Use certificate trust lists and certificate revocation lists to manage valid certificates. Utthunga for OPC
  • 27.
    © Utthunga TechnologiesPvt. Ltd. 2020 In a Nutshell Utthunga for OPC  OPC UA is Secure By Design  OPC UA allows different levels of security  OPC UA Security is standard based and developed with industry security experts from multiple company  Defense in Depth  Security as a reminder, OPC UA alone will not secure your systems.
  • 28.
    © Utthunga TechnologiesPvt. Ltd. 2020© Utthunga Technologies Pvt. Ltd. 2020 Time for Audience Q&A Utthunga for OPC
  • 29.
    © Utthunga TechnologiesPvt. Ltd. 2020 OPC – Upcoming Webinar Calendar 1. An Overview of OPC UA Security – 10th September, 2020 2. FDT/OPC UA – 30th September, 2020 Utthunga for OPC
  • 30.
    © Utthunga TechnologiesPvt. Ltd. 2020 Utthunga Technologies Pvt. Ltd. No. 8, 27th Cross, 2nd Stage, Banashankari, Bangalore – 560 070 Phone: +91-80-68151900 Mail: contact@utthunga.com