The OPC Foundation Security User Group has published a whitepaper giving practical guidelines for the secure configuration and use of OPC UA in industry.
The ‘Practical Security Recommendations’ is a brochure helping readers to quickly understand what OPC UA (Object Linking and Embedding for Process Control / Unified Architecture) security has to offer and how to best use it.
Rapid growth in the networking and digitisation of industrial systems has introduced a host of new security challenges that must be addressed systematically to be effectively mitigated.
In particular, beyond the need for implementing secure network infrastructures, it is essential to protect product and production data moving throughout the systems.
Device vendors, engineers, and system integrators need to ensure they use these technologies in a secure way.
While industry acknowledges the need for data security, and that the OPC UA standard offers the means to achieve it, OT and IT professionals alike are often unsure how best to get started.
Eric Bodden, Professor of Software Engineering at Paderborn University and director of Software Engineering at Fraunhofer IEM, said: “Currently, users and developers are overwhelmed with making security decisions during their daily job.
“Incorrect use of security features causes many security vulnerabilities, due to difficulties to use software and a lack of security knowledge. Documentation, tutorials, and good examples are often missing.”
To help address this challenge, the OPC Foundation established a security user group which is led by Uwe Pohlmann, Fraunhofer IEM and Prof. Dr.-Ing. Axel Sikora, Hochschule Offenburg. The aim of this group is to develop best practices and guidelines for typical OPC UA security use cases.
The German government-sanctioned organisation Intelligent Technical Systems OstWestfalenLippe (it’s OWL) supplied the group with key use cases and requirements to help ensure that the group's output best addresses users’ real-world orientation and practical knowledge needs.
Erich Barnstedt, Principal Software Engineering Lead, Azure Industrial IoT at Microsoft, said: “OPC UA is secure by design, but you actually have to use the security features it provides to reap the benefits.
“The security configuration task can be simplified dramatically when an OPC UA server is secure by default, i.e. all security features are already turned on when the customer takes the server out of the box for the first time.
“It is also important for the device vendors to make the security configuration as simple as possible, for example by providing wizards and easy to understand guidelines. We can’t expect OPC UA server users to be security experts.”
Members of the Security User Group are: Ascolab, Beckhoff Automation, DS Interoperability, exceet Secure Solutions, Fraunhofer IEM, Hochschule Offenburg, Microsoft Corporation, Software AG, Sparhawk Software Inc, and TE Connectivity.
A second whitepaper presenting best practices and selected use cases for a secure implementation and operation of OPC UA is expected to be released in 2018.
OPC Unified Architecture (OPC UA) is a platform- and vendor-independent communication technology for secure and reliable data exchange across the different levels of the automation pyramid.
In addition, the information models of the OPC UA standard provide the foundation for semantic interoperability.