One of the main goals of the OPC Unified Architecture is to provide a consistent mechanism for the integration of process control and management systems. Security is a fundamental aspect of computer systems, in particular those dedicated to enterprise and process management. In this kind of application, security must be robust and effective. Security infrastructure should also be flexible enough to support a variety of security policies required by different organizations. OPC UA may be deployed in diverse environments – from clients and servers residing on the same hosts, throughout hosts located on the same operation network protected by the security boundary protections that separate the operation network from external connections, up to applications running in global environments using also Internet as a public network to establish interoperability. Depending on the environment and application requirements, the communication services must provide different protections measures to make the solution secure, therefore OPC UA specification must offer scalability.
We can observe rapid development of globally scoped applications for domains like health, banking, safety, etc. The globalization process is also observed in control engineering. The secure transfer of process control data over the Internet must, therefore, be addressed as the most important prerequisite of this kind of applications.
OPC UA Security is concerned with the authentication of clients and servers, the authorization of users, the integrity and confidentiality of their communications and the auditing of client-server interactions. To meet this goal, security is integrated into all aspects of the design and implementation of OPC UA Servers and Clients. The OPC Foundation has also addressed the security issues that arise from implementation. This includes independent reviews of all aspects of security starting from the design of in-depth security provided by the specification (which is built and modeled on the WS* specifications) to the actual implementation provided by the OPC Foundation. The OPC Foundation has chosen to use industry standard security algorithms and industry standard security libraries to implement OPC UA Security (see the OPC UA eBook).
Security is a “collaboration” of technology and rules describing how to apply this technology to improve protection of a system/network against malicious users. To deploy security the following functionality must be provided:
- Authentication – to identify users and software;
- Authorization – to limit the activity to that granted to the user or application;
- Data integrity – to protect the data from being corrupted;
- Data encryption – to protect information from being accessed by any unauthorized user or application;
- Digital signature – to determine the data source.
From the list above we can conclude that authentication is a basic component that decides about the quality and robustness of security. Authentication is a process of recognition and confirmation of the identity of someone or something. It is used not only for deploying security. For example applications (including operating systems) use authentication to determine the execution context.
Generally speaking, authentication can be done on the basis of:
- something you must know
- something you must have
Username and password is something you know and must keep secrete (at least the password, but it is recommended both).
A certificate is an example of something you must have – no secret information is contained therein. Any certificate is a digitally signed record of identification data.
To use knowledge for authentication you must distribute it (distribute secret) everywhere the identity is confirmed (e.g. hundred of services use credentials to define the execution context).
The certificate is confirmed by the certificate issuer, i.e. Certificate Authority (CA). It is one single point where it is verified and, therefore, it is much easier to protect authentication process against abusing it. We must keep this fact in mind when considering whether use or neglect Public Key Infrastructure (PKI), which is all about issuing, distributing, using, and revoking of certificates.
To summarize, using PKI we can benefit from two very important capabilities offered by it:
- Certificates may be distributed without limits; on the other hand it is almost impossible to control distribution propagation of secret knowledge as there is no evidence of its existence;
- It is much easier to control the validation process of something if it is not distributed over many places.
Security mechanisms can be provided by diverse communication layers. Transport-level security is a solution limited to point-to-point messaging. In this case messages can be protected by establishing a secure connection (association) between two hosts using for example Transport Layer Security (TLS) or IPSec protocols. But, if intermediaries are present when using a secure transport, the initial sender and the ultimate receiver need to trust those intermediaries to help provide end-to-end security, because each hop is secured separately. In addition, to explicit trust of all intermediaries, other risks such as local storage of messages and the potential for an intermediary to be compromised must be considered. Thus, using only transport security limits the richness of the security solution to transport-specific features. OPC UA is a session centric communication. Hence, a security association must survive beyond a single transport connection.
To meet the above requirements, the OPC UA security architecture is defined as a generic solution that allows implementation of the required security features at various places in the application architecture. The OPC UA security architecture is structured in an application layer and a communication layer atop the transport layer.
The routine work of a client application and a server application to transmit plant information, settings, and commands is done in a session in the application layer. The application layer also manages user authentication and user authorization. OPC UA Client and Server applications identify and authenticate themselves with X.509 Certificates. Clients pass a user identity token to the OPC UA Server. The OPC UA Server authenticates the user token. Applications accept tokens in any of the following three forms: username/password, an X.509v3 certificate or a WS-SecurityToken.
A session in the application layer communicates over a secure channel that is created in the communication layer and relies upon it for secure communication. All of the session data is passed to the communication layer for further processing. The secure channel is responsible for messages integrity, confidentiality and applications authentication.
OPC UA uses symmetric and asymmetric encryption to protect confidentiality as a security objective. OPC UA relies upon the site cyber security management system to protect confidentiality on the network and system infrastructure, and utilizes the Public Key Infrastructure to manage keys used for symmetric and asymmetric encryption. OPC UA uses symmetric and asymmetric signatures to address integrity as a security objective.