© Utthunga Technologies Pvt. Ltd. 2019
Security In OPC UA
By Sahan M, August 14 – 4PM to 5PM IST
Welcome to the Webinar
Agenda
OPC UA Security Environment
OPC UA Security Architecture
Attack Types Addressed by OPC UA
Recommendations for using OPC UA in a Secure Way
Effectiveness of OPC UA Security Analysis
In A Nutshell
Security Objectives
OPC UA provides a flexible set of security mechanisms, because its applications run in very different environments:
Some OPC UA applications are on the same host and can easily be protected from external attack.
Some OPC UA applications are on different hosts in the same operations network and might be protected by the network's security boundary protections.
Some OPC UA applications run in relatively open environments, where users and applications might be difficult to control.
OPC UA Security Environment
Source: OPC UA Spec. Security Model 1.04
[Figure: Security Objectives: Authentication, Authorization, Confidentiality, Integrity, Non-Repudiation, Auditability, Availability]
Security Objectives
Authentication: The identity of an entity such as a Client, Server or User can be verified.
Authorization: Assures that access is granted only to the information and functions for which it is intended.
Confidentiality: Data is encrypted so that it is unreadable to anyone who is not authorized to see it.
Integrity: Receivers receive the same information that the original sender sent, without the data being changed during transmission.
Non-Repudiation: Assures that something that actually occurred cannot be claimed as having not occurred.
Availability: The system runs all the time and is available to respond with valid information.
Auditability: Actions taken by an application must be recorded in order to provide evidence to stakeholders.
OPC UA Security Architecture
OPC Unified Architecture uses a public key infrastructure to achieve secure
communication.
A session in the Application Layer communicates over a Secure Channel that
is created in the Communication Layer and relies upon it for secure
communication.
The Communication Layer provides security mechanisms to meet
Confidentiality, Integrity and application Authentication as security
objectives.
Source: OPC UA Spec. Security Model 1.04
Security Configuration

Security Policies
• None: No security.
• Basic256Sha256 (Recommended): This policy is acceptable and more likely to be supported by older applications. This option is enabled by default.
• Aes128-Sha256-RsaOaep (Recommended - Fastest): This policy offers good security and is faster than the most secure policies; however, older applications will not support it. This option is enabled by default.
• Aes256-Sha256-RsaPss (Recommended - Most Secure): This policy is the most secure available; however, older applications will not support it. This option is enabled by default.
• Basic256 (Not Recommended): This policy has theoretical problems and is not recommended.
• Basic128Rsa15 (Not Recommended): This policy has known vulnerabilities and should not be used unless absolutely necessary.

Security Modes
• None: Allow communication with no security. Not recommended, as it does not use a certificate to secure communications between client and server. For use only in a non-production environment.
• Sign (SignOnly): Allow secure communication without data privacy. All messages between the client and server are signed but not encrypted.
• SignAndEncrypt: Allow secure communication with data privacy. All messages between the client and server are signed and encrypted.
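A client-side check that applies the policy and mode table above to a server's endpoint list, refusing the "Not Recommended" policies and mode None and picking the strongest remaining endpoint. This is an added example, not code from the slides; the endpoint list is constructed, the policy URIs are the OPC Foundation's published ones, and the preference order (data privacy first, then the stronger policy) is this example's choice.

```python
"""Rank OPC UA endpoints by security policy and message security mode.

Added example for the security configuration table; not code from the slides.
The endpoint list below is constructed for the demo."""
from dataclasses import dataclass

# Security policy URIs as published by the OPC Foundation.
POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"

# Policies the table marks "Recommended"; a higher rank is stronger.
POLICY_RANK = {
    POLICY_BASE + "Aes256_Sha256_RsaPss": 3,    # Recommended - Most Secure
    POLICY_BASE + "Aes128_Sha256_RsaOaep": 2,   # Recommended - Fastest
    POLICY_BASE + "Basic256Sha256": 1,          # Recommended, minimum acceptable
}
# Policies the table marks "Not Recommended", plus no security at all.
REJECTED_POLICY = {
    POLICY_BASE + "None": "no security",
    POLICY_BASE + "Basic256": "theoretical problems (SHA-1 based)",
    POLICY_BASE + "Basic128Rsa15": "known vulnerabilities",
}

# MessageSecurityMode values from the OPC UA specification (Part 4).
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
MODE_RANK = {MODE_SIGN: 1, MODE_SIGN_AND_ENCRYPT: 2}   # None is never ranked


@dataclass(frozen=True)
class Endpoint:
    url: str
    policy_uri: str
    security_mode: int


def reject_reason(ep):
    """Return why an endpoint is unacceptable, or None if it may be used."""
    if ep.security_mode == MODE_NONE:
        return "security mode None gives no protection"
    if ep.policy_uri in REJECTED_POLICY:
        return "policy not recommended: " + REJECTED_POLICY[ep.policy_uri]
    if ep.policy_uri not in POLICY_RANK:
        return "unknown security policy, refusing by default"
    if ep.security_mode not in MODE_RANK:
        return "unknown security mode, refusing by default"
    return None


def endpoint_score(ep):
    """Sort key: data privacy (SignAndEncrypt) first, then the stronger policy."""
    return (MODE_RANK[ep.security_mode], POLICY_RANK[ep.policy_uri])


def choose_endpoint(endpoints):
    """Pick the strongest acceptable endpoint, or None if all are rejected."""
    acceptable = [ep for ep in endpoints if reject_reason(ep) is None]
    return max(acceptable, key=endpoint_score) if acceptable else None


def audit_endpoints(endpoints):
    """Map each rejected endpoint (url policy/mode) to its reason, for the admin log."""
    report = {}
    for ep in endpoints:
        reason = reject_reason(ep)
        if reason:
            name = ep.policy_uri.rsplit("#", 1)[-1]
            report["%s %s/%d" % (ep.url, name, ep.security_mode)] = reason
    return report


# Constructed endpoint list, as a GetEndpoints call on a typical server might return.
URL = "opc.tcp://plc-1:4840"
SAMPLE_ENDPOINTS = [
    Endpoint(URL, POLICY_BASE + "None", MODE_NONE),
    Endpoint(URL, POLICY_BASE + "Basic128Rsa15", MODE_SIGN_AND_ENCRYPT),
    Endpoint(URL, POLICY_BASE + "Basic256", MODE_SIGN_AND_ENCRYPT),
    Endpoint(URL, POLICY_BASE + "Basic256Sha256", MODE_SIGN),
    Endpoint(URL, POLICY_BASE + "Basic256Sha256", MODE_SIGN_AND_ENCRYPT),
    Endpoint(URL, POLICY_BASE + "Aes256_Sha256_RsaPss", MODE_SIGN),
    Endpoint(URL, POLICY_BASE + "Aes128_Sha256_RsaOaep", MODE_SIGN_AND_ENCRYPT),
]

if __name__ == "__main__":
    print("selected:", choose_endpoint(SAMPLE_ENDPOINTS))
    for key, why in audit_endpoints(SAMPLE_ENDPOINTS).items():
        print("rejected:", key, "->", why)
```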
Attack Types Addressed by OPC UA: Encryption
OPC UA addresses unauthorized disclosure of sensitive information by encrypting the data while it is in transit.
This counters Eavesdropping, which directly impacts Confidentiality.
Attack Types Addressed by OPC UA: Message Signing
Signing messages prevents a third party from changing the contents of a message without detection.
Signing a message helps to ensure the following:
• Data Integrity: the message was not altered from its original form
• Non-repudiation: the sender cannot deny the authenticity of the message they sent and signed
• Proof of Origin: the message actually came from the legitimate sender
OPC UA addresses Message Spoofing and Message Alteration by signing the messages. Additionally, every message carries a valid Session ID, Secure Channel ID, Request ID, Timestamp and Sequence Number, so a replayed or out-of-sequence message can be detected and rejected.
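A receiver that verifies the signature before doing anything else and then checks the channel id, sequence number and timestamp, rejecting altered, replayed and stale messages. This is an added example, not code from the slides or from any OPC UA stack: the header layout is simplified (not the real OPC UA binary encoding), and the HMAC-SHA256 signing key is a constructed stand-in for the symmetric signing key an OPC UA Secure Channel derives from the nonces exchanged at OpenSecureChannel.

```python
"""Signed message with a sequence header, and a receiver that rejects altered
and replayed messages. Added example, not code from the slides; the wire
layout is simplified and the key below is constructed for the demo."""
import hashlib
import hmac
import struct

# Sequence header: SecureChannelId, SequenceNumber, RequestId, Timestamp (ms).
HEADER = struct.Struct("<IIIQ")
SIG_LEN = hashlib.sha256().digest_size


class Sender:
    """Signs outgoing messages with the channel's symmetric signing key."""

    def __init__(self, signing_key, channel_id, first_seq=1):
        self.key = signing_key
        self.channel_id = channel_id
        self.next_seq = first_seq

    def build(self, request_id, payload, now_ms):
        """Prepend the sequence header and append HMAC-SHA256 over header+payload."""
        header = HEADER.pack(self.channel_id, self.next_seq, request_id, now_ms)
        self.next_seq += 1
        body = header + payload
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies the signature first, then the header fields (channel, replay, age)."""

    def __init__(self, signing_key, channel_id, max_age_ms=30_000):
        self.key = signing_key
        self.channel_id = channel_id
        self.max_age_ms = max_age_ms
        self.last_seq = 0          # highest sequence number accepted so far

    def verify(self, msg, now_ms):
        """Return (True, payload) or (False, reason). Only a cheap length check runs
        before the signature is verified, so unauthenticated traffic costs little."""
        if len(msg) < HEADER.size + SIG_LEN:
            return False, "truncated message"
        body, sig = msg[:-SIG_LEN], msg[-SIG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"          # altered, or signed with another key
        channel_id, seq, _request_id, ts = HEADER.unpack_from(body)
        if channel_id != self.channel_id:
            return False, "wrong secure channel id"
        if seq <= self.last_seq:
            return False, "replayed or out-of-order sequence number"
        if abs(now_ms - ts) > self.max_age_ms:
            return False, "stale timestamp"
        self.last_seq = seq
        return True, body[HEADER.size:]


# Constructed demo key; a real channel derives it from the OpenSecureChannel nonces.
DEMO_KEY = b"\x11" * 32

if __name__ == "__main__":
    sender, receiver = Sender(DEMO_KEY, 7), Receiver(DEMO_KEY, 7)
    m1 = sender.build(101, b"Read ns=2;s=Temperature", 1_000_000)
    print(receiver.verify(m1, 1_000_500))   # accepted
    print(receiver.verify(m1, 1_001_000))   # same message again: replay rejected
    bad = bytearray(sender.build(102, b"Write ns=2;s=Setpoint=42", 1_002_000))
    bad[HEADER.size] ^= 0x01                # flip one payload byte
    print(receiver.verify(bytes(bad), 1_002_000))   # bad signature
```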
Attack Types Addressed by OPC UA: Application Authentication
Ensuring that the application we are communicating with is trusted, by means of its Application Instance Certificate.
Authentication of applications
• Application Instance Certificates
• Certificate Authority (CA)
OPC UA counters Rogue Server, Session Hijacking and Server Profiling attacks by ensuring that the application in use is trusted and known to the user.
Attack Types Addressed by OPC UA: User Authentication and Authorization
Authentication of users can be done with:
• Username / password, WS-Security token or X.509 certificates
• Fits into existing infrastructures such as Active Directory
Authorization helps to control access to specific operations and information.
Authorization (Server specific)
• Fine-granular permissions on information in the address space (Read, Write, Browse)
• Writing of metadata, calling methods
OPC UA counters Rogue Server and Session Hijacking by ensuring that only an authenticated and authorized user is allowed to perform an action.
Certificate Handling
To ensure a secure communication channel:
The Server's public key (its application instance certificate) is copied from the Server's certificate store to the Client's trusted certificate store.
Similarly, the Client's public key (its application instance certificate) is copied from the Client's certificate store to the Server's trusted certificate store.
While establishing a session, the Client proves possession of its private key by signing, and the Server validates that signature with the Client's public key that is available in the Server's trusted certificate store. The private key itself is never transmitted.
Source: OPC UA Spec. Security Model 1.04
Attack Types Addressed by OPC UA: Auditability
When multiple systems communicate with the Server, we can define what is important to us in terms of debugging and security and log that information.
Auditability is very useful and important because in OPC UA we can aggregate different Servers and establish different sessions over a channel with different vendors' products.
The audit records are used for post-incident and forensic analysis, especially when something goes wrong.
Attack Types Addressed by OPC UA: Availability
OPC UA Servers reject sessions that exceed their specified maximum number.
Servers minimize the processing of packets before they are authenticated.
OPC UA counters threats such as Denial of Service and message flooding attacks (bandwidth approach and resource approach).
Effectiveness of OPC UA Security Analysis
Security Reconciliation Threats Summary
OPC UA successfully passed these tests, which were run for the German Federal Government (BSI).
Recommendations for using OPC UA in a Secure Way
Do not leave your secrets lying around
• Never store private keys or the corresponding certificate files (.pfx/.p12) on an unencrypted file system
Do not automatically trust certificates
• Do not accept connections that do not present a trusted certificate
User Authentication
• Avoid the use of anonymous identifiers
• When this generic identifier is used, it is not possible to trace who has changed what
Security Mode ‘None’ should not be used
• It does not provide any protection
• The Security Mode used should be ‘SignAndEncrypt’ or ‘Sign’
Selection of cryptographic algorithms
• At a minimum, the Security Policy ‘Basic256Sha256’ should be chosen where technically possible
• Weaker security policies use outdated algorithms such as SHA-1 and should not be used
Managing and maintaining certificates
• Use certificate trust lists and certificate revocation lists to manage valid certificates
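A server-side admission check that enforces the recommendations above on a session request: no mode None, Basic256Sha256 as the minimum policy, client certificate present in the trust list and absent from the revocation list, and no anonymous identity, with one audit line per attempt. This is an added example, not code from the slides or from any OPC UA stack; the DER bytes, trust list and revocation list are constructed, certificates are identified by the SHA-1 thumbprint of their DER encoding as OPC UA trust lists do, and the revocation list is keyed by thumbprint here for simplicity (a real CRL lists issuer and serial number).

```python
"""Server-side admission check for an OPC UA session request.

Added example applying the recommendations slide; not code from the slides.
Certificates, trust list and revocation list below are constructed for the demo."""
import hashlib
from dataclasses import dataclass, field

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
# Recommendation: Basic256Sha256 is the minimum; the two AES policies are stronger.
ACCEPTED_POLICIES = {POLICY_BASE + name for name in
                     ("Basic256Sha256", "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss")}
# Recommendation: Security Mode 'None' should not be used.
ACCEPTED_MODES = {"Sign", "SignAndEncrypt"}
# UserTokenType names from the specification; Anonymous is deliberately absent.
ACCEPTED_TOKEN_TYPES = {"UserName", "Certificate", "IssuedToken"}


def thumbprint(cert_der):
    """SHA-1 thumbprint of the DER certificate, the identifier trust lists use."""
    return hashlib.sha1(cert_der).hexdigest().upper()


@dataclass
class TrustStore:
    trusted: set = field(default_factory=set)   # thumbprints of trusted certificates
    revoked: set = field(default_factory=set)   # thumbprints on the revocation list

    def trust(self, cert_der):
        self.trusted.add(thumbprint(cert_der))

    def revoke(self, cert_der):
        self.revoked.add(thumbprint(cert_der))


@dataclass(frozen=True)
class SessionRequest:
    client_cert_der: bytes
    policy_uri: str
    security_mode: str    # "None" | "Sign" | "SignAndEncrypt"
    token_type: str       # "Anonymous" | "UserName" | "Certificate" | "IssuedToken"
    user: str             # identity carried by the token ("" for Anonymous)


def admission_violations(req, store):
    """Return every recommendation the request violates; an empty list means admit."""
    violations = []
    if req.security_mode not in ACCEPTED_MODES:
        violations.append("security mode must be Sign or SignAndEncrypt, not " + req.security_mode)
    if req.policy_uri not in ACCEPTED_POLICIES:
        violations.append("security policy below the Basic256Sha256 minimum")
    tp = thumbprint(req.client_cert_der)
    if tp in store.revoked:                     # revocation wins over trust
        violations.append("client certificate is on the revocation list")
    elif tp not in store.trusted:
        violations.append("client certificate is not in the trust list")
    if req.token_type not in ACCEPTED_TOKEN_TYPES:
        violations.append("identity token type %s refused: actions would not be traceable"
                          % req.token_type)
    return violations


def audit_record(req, store):
    """One line for the audit log per attempt, admitted or refused."""
    violations = admission_violations(req, store)
    outcome = "ADMIT" if not violations else "REFUSE(" + "; ".join(violations) + ")"
    return "session user=%r cert=%s policy=%s mode=%s token=%s -> %s" % (
        req.user, thumbprint(req.client_cert_der)[:8], req.policy_uri.rsplit("#", 1)[-1],
        req.security_mode, req.token_type, outcome)


# Constructed DER bytes standing in for real certificates.
CERT_HMI = b"constructed-der-certificate:hmi-client"
CERT_OLD = b"constructed-der-certificate:decommissioned-client"
CERT_UNKNOWN = b"constructed-der-certificate:unknown-client"

STORE = TrustStore()
STORE.trust(CERT_HMI)
STORE.trust(CERT_OLD)
STORE.revoke(CERT_OLD)   # key was exposed: still in the trust list, but revoked

GOOD = SessionRequest(CERT_HMI, POLICY_BASE + "Basic256Sha256", "SignAndEncrypt",
                      "UserName", "operator1")
BAD = SessionRequest(CERT_UNKNOWN, POLICY_BASE + "None", "None", "Anonymous", "")
REVOKED = SessionRequest(CERT_OLD, POLICY_BASE + "Aes256_Sha256_RsaPss", "Sign",
                         "Certificate", "maint-laptop")

if __name__ == "__main__":
    for req in (GOOD, BAD, REVOKED):
        print(audit_record(req, STORE))
```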
• OPC UA is Secure by Design, addressing all the Security Objectives.
• OPC UA allows different levels of security.
• OPC UA Security is standards based and was developed with industry security experts from multiple companies.
• As a reminder, OPC UA alone will not secure your systems.
In a Nutshell
Name: SAHAN.M
Email: sahan.m@utthunga.com
Utthunga Technologies Pvt. Ltd.
No. 8, 27th Cross, 2nd Stage,
Banashankari, Bangalore – 560 070
Phone: +91-80-68151900

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 

Security in OPC UA ppt

  • 1. © Utthunga Technologies Pvt. Ltd. 2019
     Security In OPC UA
     By Sahan M, August 14 – 4PM to 5PM IST
     Welcome to the Webinar
  • 2. Agenda
     OPC UA Security Environment
     OPC UA Security Architecture
     Attack Types Addressed by OPC UA
     Recommendations for using OPC UA in a Secure Way
     Effectiveness of OPC UA Security Analysis
     In A Nutshell
     Security Objectives
  • 3. OPC UA Security Environment
     OPC UA provides a flexible set of security mechanisms:
       • Some OPC UA applications are on the same host and can be easily protected from external attack.
       • Some OPC UA applications are on different hosts in the same operations network and might be protected by the security boundary protections.
       • Some OPC UA applications run in relatively open environments, where users and applications might be difficult to control.
     Source: OPC UA Spec. Security Model 1.04
  • 4. Security Objectives
     (Figure: the seven security objectives – Authentication, Authorization, Confidentiality, Integrity, Non-Repudiation, Auditability, Availability)
     Authentication: The identity of an entity such as a Client, Server, or User.
     Authorization: Assures that access is granted only to the information intended for the function.
     Confidentiality: The data is encrypted, so it is in an unreadable format to anyone but the intended receiver.
     Integrity: Receivers receive the same information that the original sender sent, without the data being changed during transmission.
     Non-Repudiation: Assures that something that actually occurred cannot be claimed as having not occurred.
     Availability: Running all the time and available to respond with valid information.
     Auditability: Actions taken by an application must be recorded in order to provide evidence to stakeholders.
  • 5. OPC UA Security Architecture
     OPC Unified Architecture uses a public key infrastructure to achieve secure communication.
     A session in the Application Layer communicates over a Secure Channel that is created in the Communication Layer and relies upon it for secure communication.
     The Communication Layer provides security mechanisms to meet Confidentiality, Integrity and application Authentication as security objectives.
     Source: OPC UA Spec. Security Model 1.04
  • 6. Security Configuration
     Security Policies
       • None – No security.
       • Basic256Sha256 (Recommended) – This policy is acceptable and more likely to be supported by older applications. This option is enabled by default.
       • Aes128-Sha256-RsaOaep (Recommended - Fastest) – This policy offers good security and is faster than the most secure policies; however, older applications will not support it. This option is enabled by default.
       • Aes256-Sha256-RsaPss (Recommended - Most Secure) – This policy is the most secure available; however, older applications will not support it. This option is enabled by default.
       • Basic256 (Not Recommended) – This policy has theoretical problems and is not recommended.
       • Basic128Rsa15 (Not Recommended) – This policy has known vulnerabilities and should not be used unless absolutely necessary.
     Security Modes
       • None – Allow communication with no security. Not recommended, as it does not use a certificate to secure communications between client and server. For use only in a non-production environment.
       • SignOnly – Allow secure communication without data privacy. All messages between the client and server are signed but not encrypted.
       • SignAndEncrypt – Allow secure communication with data privacy. All messages between the client and server are signed and encrypted.
  • 7. Attack Types Addressed by OPC UA: Encryption
     OPC UA addresses unauthorized disclosure of any sensitive information by encrypting the data while it is in transit.
     OPC UA thereby addresses eavesdropping, which impacts Confidentiality directly.
  • 8. Attack Types Addressed by OPC UA: Message Signing
     The signing of messages prevents a third party from changing the contents of a message. Signing a message helps to ensure the following:
       • Data Integrity – The message was not altered from its original form
       • Non-repudiation – The sender cannot deny the authenticity of the message they sent and signed
       • Proof of Origin – The message actually came from the legitimate sender
     OPC UA addresses message spoofing and message alteration by signing the messages. Additionally, the messages will always contain a valid Session ID, Secure Channel ID, Request ID, Timestamp, and Sequence No.
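To make the signing point concrete, here is an added example (not code from the deck or from any OPC UA stack): a simplified model in which each chunk carries the Secure Channel ID, token ID, Sequence No., Request ID and Timestamp and is signed with HMAC-SHA256, the symmetric signing algorithm of Basic256Sha256, so the receiver can reject altered, replayed and stale chunks. The header layout, the signing key, the freshness window and the sample write are constructed assumptions, not the OPC UA binary encoding.

```python
import hashlib
import hmac
import struct

SIG_LEN = 32               # HMAC-SHA256 digest length
HEADER = "<IIIIQ"          # channelId, tokenId, sequenceNo, requestId, timestampMs (constructed layout)
MAX_CLOCK_SKEW_MS = 5_000  # assumed freshness window for the timestamp field


def build_chunk(key, channel_id, token_id, seq_no, request_id, timestamp_ms, body):
    """Serialise header + body, then append the HMAC computed over all of it."""
    msg = struct.pack(HEADER, channel_id, token_id, seq_no, request_id, timestamp_ms) + body
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


class ChannelReceiver:
    def __init__(self, key, channel_id, token_id):
        self.key, self.channel_id, self.token_id = key, channel_id, token_id
        self.last_seq = 0  # last accepted sequence number on this channel

    def verify(self, chunk, now_ms):
        """Return ('ok', body) on success or (reason, None) when the chunk is rejected."""
        hdr_len = struct.calcsize(HEADER)
        if len(chunk) < hdr_len + SIG_LEN:
            return "truncated chunk", None
        msg, sig = chunk[:-SIG_LEN], chunk[-SIG_LEN:]
        # Signature first: no field of an unsigned or forged chunk is trusted.
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature", None
        channel_id, token_id, seq_no, _request_id, ts = struct.unpack_from(HEADER, msg)
        if channel_id != self.channel_id or token_id != self.token_id:
            return "wrong channel or token", None
        if seq_no <= self.last_seq:               # replay or reordering
            return "replayed or out-of-order sequence number", None
        if abs(now_ms - ts) > MAX_CLOCK_SKEW_MS:  # chunk captured earlier and resent later
            return "stale timestamp", None
        self.last_seq = seq_no
        return "ok", msg[hdr_len:]


# Constructed sample: a signing key (derived from channel nonces in real OPC UA) and one write.
KEY = b"constructed-32-byte-signing-key!"
NOW_MS = 1_565_776_800_000
GOOD = build_chunk(KEY, 7, 1, 1, 100, NOW_MS, b"Write ns=2;s=Setpoint value=42")
TAMPERED = GOOD[:-SIG_LEN - 2] + b"99" + GOOD[-SIG_LEN:]   # body edited, signature left as-is


def demo():
    rx = ChannelReceiver(KEY, 7, 1)
    return [rx.verify(c, NOW_MS)[0] for c in (GOOD, TAMPERED, GOOD)]
```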
  • 9. Attack Types Addressed by OPC UA: Application Authentication
     Ensuring that the application we are communicating with is trusted, by means of its application instance certificate.
     Authentication of applications
       • Application instance certificates
       • Certificate Authority (CA)
     OPC UA counters rogue server, session hijacking and server profiling attacks by ensuring the application used is trusted and known to the user.
  • 10. Attack Types Addressed by OPC UA: User Authentication and Authorization
     Authentication of users can be done with:
       • Username / password, WS-Security Token or X.509 certificates
       • Fits into existing infrastructures like Active Directory
     Authorization helps to control access to specific operations and information.
     Authorization (Server Specific)
       • Fine-granular information in the address space (Read, Write, Browse)
       • Writing of meta data, calling methods
     OPC UA counters rogue server and session hijacking attacks by ensuring that only an authenticated and authorized user is allowed to perform an action.
  • 11. Certificate Handling
     To ensure a secure communication channel, the server's public key (its certificate) is copied from the server's certificate store to the client's trusted certificate store. Similarly, the client's public key is copied from the client's certificate store to the server's trusted certificate store.
     While establishing a session, the client shall send its private key and the server shall validate it against the public key of that client, which is available in the server's trusted certificate store.
     Source: OPC UA Spec. Security Model 1.04
  • 12. Attack Types Addressed by OPC UA: Auditability
     When multiple systems are communicating with the server, we can define what is important to us in terms of debugging and security and log that information.
     Auditability is very useful and important because in OPC we can aggregate different servers and establish different sessions over a channel with different vendors.
     It is used for post analysis and forensic analysis, especially when something goes wrong.
  • 13. Attack Types Addressed by OPC UA: Availability
     OPC UA Servers reject sessions that exceed their specified maximum number.
     Processing of packets before they are authenticated is minimized.
     OPC UA counters threats like denial of service and message flooding attacks (bandwidth approach, resource approach).
  • 14. Effectiveness of OPC UA Security Analysis
  • 15. Security Reconciliation Threats Summary
     (Figure: summary table of the threat analysis results)
     OPC UA successfully passed these tests, which were run for the German Federal Government (BSI).
  • 16. Recommendations for using OPC UA in a Secure Way
     Do not leave your secrets lying around
       • Never store private keys or the corresponding certificate files (.pfx/.p12) on an unencrypted file system.
     Do not automatically trust certificates
       • Do not accept connections that do not present a trusted certificate.
     User Authentication
       • Avoid use of anonymous identifiers.
       • When this generic identifier is used, it is not possible to trace who has made a change.
     Security Mode ‘None’ should not be used
       • It does not provide any protection.
       • The Security Mode used should be ‘SignAndEncrypt’ or ‘Sign’.
     Selection of cryptographic algorithms
       • At a minimum, the Security Policy ‘Basic256Sha256’ should be chosen, provided it is technically possible.
       • Weaker security policies use outdated algorithms such as SHA-1 and should not be used.
     Managing and maintaining certificates
       • Use certificate trust lists and certificate revocation lists to manage valid certificates.
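The policy table on slide 6 and the recommendations above amount to a client-side rule set; here is an added example (not code from the deck or from any OPC UA SDK) that applies it to a constructed GetEndpoints-style list: it refuses None, Basic128Rsa15 and Basic256, requires SignAndEncrypt unless the caller explicitly allows Sign, and picks the strongest remaining endpoint. The endpoint field names, the policy ranking and the sample list are assumptions; the policy URIs and MessageSecurityMode values are the ones the OPC UA specification defines.

```python
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"

# Acceptable policies ranked weakest to strongest, following the deck's recommendations.
POLICY_RANK = {"Basic256Sha256": 1, "Aes128_Sha256_RsaOaep": 2, "Aes256_Sha256_RsaPss": 3}
# Policies the deck says not to use: no security, or SHA-1 / RSA PKCS#1 v1.5 based.
REFUSED = {"None", "Basic128Rsa15", "Basic256"}
# MessageSecurityMode enumeration values from the OPC UA specification.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3


def policy_name(uri):
    """Strip the common prefix from a SecurityPolicyUri."""
    if not uri.startswith(POLICY_PREFIX):
        raise ValueError("not an OPC UA security policy URI: " + uri)
    return uri[len(POLICY_PREFIX):]


def reject_reason(endpoint, require_encryption=True):
    """Return None when the endpoint is acceptable, otherwise why it is not."""
    name = policy_name(endpoint["securityPolicyUri"])
    if name in REFUSED:
        return "policy %s is not recommended" % name
    if name not in POLICY_RANK:
        return "policy %s is unknown to this client" % name  # unknown is not the same as trusted
    mode = endpoint["securityMode"]
    if mode == MODE_SIGN_AND_ENCRYPT or (mode == MODE_SIGN and not require_encryption):
        return None
    return "security mode %d does not give the required protection" % mode


def select_endpoint(endpoints, require_encryption=True):
    """Strongest acceptable endpoint (policy rank, then mode), or None if nothing passes."""
    ok = [e for e in endpoints if reject_reason(e, require_encryption) is None]
    if not ok:
        return None
    return max(ok, key=lambda e: (POLICY_RANK[policy_name(e["securityPolicyUri"])], e["securityMode"]))


def _ep(policy, mode):
    # Constructed endpoint description; the key names are assumptions, not an SDK's.
    return {"endpointUrl": "opc.tcp://plc.example:4840",
            "securityPolicyUri": POLICY_PREFIX + policy, "securityMode": mode}


# Constructed sample: a server still offering legacy endpoints beside modern ones.
SAMPLE_ENDPOINTS = [
    _ep("None", MODE_NONE), _ep("Basic128Rsa15", MODE_SIGN_AND_ENCRYPT),
    _ep("Basic256", MODE_SIGN_AND_ENCRYPT), _ep("Basic256Sha256", MODE_SIGN),
    _ep("Basic256Sha256", MODE_SIGN_AND_ENCRYPT), _ep("Aes256_Sha256_RsaPss", MODE_SIGN_AND_ENCRYPT),
]
```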
  • 17. In a Nutshell
       • OPC UA is Secure By Design, addressing all the Security Objectives.
       • OPC UA allows different levels of security.
       • OPC UA Security is standards based and was developed with industry security experts from multiple companies.
       • As a reminder, OPC UA alone will not secure your systems.
  • 18. Name: SAHAN.M
     Email: sahan.m@utthunga.com
     Utthunga Technologies Pvt. Ltd.
     No. 8, 27th Cross, 2nd Stage, Banashankari, Bangalore – 560 070
     Phone: +91-80-68151900