An Overview of OPC UA Security
- 2. © Utthunga Technologies Pvt. Ltd. 2020
Company Overview
500+ Professionals
Germany, USA, Japan 13
HQ & Development Centre: Bangalore, India
Services, Solutions, Focus: Embedded Software & Hardware; Product Engineering; Digital Services; Application Software Engineering; Quality Engineering; Process & Factory; Power & Utilities; IIoT, Cloud & Big Data Analytics Solutions; Data Connectivity & Integration Solutions; Custom Solutions
Utthunga for OPC
- 3. © Utthunga Technologies Pvt. Ltd. 2020
Industry Associations
Part of various Special Interest Groups (Technical Specifications, Architecture,
Test & Certification and Marketing)
Involved in reference Application Architecture, Design and Development
Technology Outsourcing Partner
PROFIBUS and PROFINET Competency Center
FDT Test & Certification Center
Part of Global Expert/Certified Community
https://opcfoundation.org/about/opc-foundation/experts/
https://www.profibus.com/pi-organization/certified-people/
- 4. © Utthunga Technologies Pvt. Ltd. 2020
Speaker for Today
Sahan is a cyber-security specialist
6 years of experience in the industrial and security domain
Currently working in the R&D division at Utthunga
His proven areas of expertise are security testing and strategy, endpoint security,
ethical hacking (VAPT), VMware virtualization, FDT/DTM and OPC UA
Sahan plays a critical role in Secure SDLC (SSDLC) and Secure DevOps
implementation at Utthunga
Sahan M
- 6. © Utthunga Technologies Pvt. Ltd. 2020
OPC UA (Open Platform Communications Unified Architecture)
Machine-to-machine communication protocol for industrial automation developed by the OPC Foundation.
Source: OPC Foundation
- 7. © Utthunga Technologies Pvt. Ltd. 2020
Communication Requires more than Connectivity
Reliable, Secure
- 8. © Utthunga Technologies Pvt. Ltd. 2020
Agenda
1. OPC UA Security Focus
2. Security Objectives
3. OPC UA Security Architecture
4. OPC UA Secure Data Connectivity
5. Secure Policies
6. OPC UA Security Solutions for Attack Types
7. Effectiveness of OPC UA Security Analysis
8. Recommendations
- 9. © Utthunga Technologies Pvt. Ltd. 2020
OPC UA Security Focus
Data at Rest, Data in Process, Data in Motion
- 10. © Utthunga Technologies Pvt. Ltd. 2020
Security Objectives
CIA
• Data is only visible to intended recipients
• Data is not modified
• Data is available to authorized people when they need it
AAA
• Identity of the people or systems is assured
• Access is controlled based on permissions
• All requests and receipts of data are documented
- 11. © Utthunga Technologies Pvt. Ltd. 2020
OPC UA Security Architecture
OPC Unified Architecture uses a public key infrastructure to
achieve secure communication.
A session in the Application Layer communicates over a Secure
Channel that is created in the Communication Layer and relies
upon it for secure communication.
The Communication Layer provides security mechanisms to meet
Confidentiality, Integrity and application Authentication as
security objectives.
Source: OPC UA Spec. Security Model 1.04
- 12. © Utthunga Technologies Pvt. Ltd. 2020
OPC UA Secure Data Connectivity
Supports enterprise-wide secure data connectivity
Columns: Mechanism | Transport | Two way | One way | LAN | WAN | DMZ & Firewall | E-to-E Security
Client-server | TCP | Y Y Y Y Y
PubSub | UDP | Y Y Y Y
PubSub | MQTT | Y Y Y Y
- 13. © Utthunga Technologies Pvt. Ltd. 2020
Secure OPC UA Data Exchange Across Firewalls
In-bound firewall ports should be closed, as this minimizes the threat of external attacks.
NIST and NERC recommend to their members that all in-bound firewall ports be closed.
- 14. © Utthunga Technologies Pvt. Ltd. 2020
Security Policies
None: No security.
Basic256Sha256 (Recommended): This policy option is enabled by default, acceptable and more likely to be supported by older applications.
Aes128-Sha256-RsaOaep (Average): This policy option is enabled by default. It is faster than the most secure policies and offers good security. However, older applications will not support it.
Aes256-Sha256-RsaPss (Recommended - Most Secure): This policy option is enabled by default. It is the most secure available; however, older applications will not support it.
Basic256 (Deprecated): This policy has theoretical problems and is not recommended.
Basic128Rsa15 (Deprecated): This policy has known vulnerabilities and should not be used unless absolutely necessary.
#PubSub-Aes128-CTR: Average security needs.
#PubSub-Aes256-CTR: High security needs.
The OPC UA server should identify and support the security policies.
The OPC UA client chooses one of these security policies to connect to the server.
Note: The OPC Foundation deprecates security policies and updates the supported policies over time to keep the security policies effective.
- 15. © Utthunga Technologies Pvt. Ltd. 2020
OPC UA Security Solutions for Attack Type: Encryption
OPC UA addresses unauthorized disclosure of sensitive information by encrypting the data while it is in transit.
OPC UA addresses eavesdropping, which impacts confidentiality directly.
- 16. © Utthunga Technologies Pvt. Ltd. 2020
OPC UA Security Solutions for Attack Type: Message Signing
The signing of messages prevents an unauthorized third party from changing the contents of a message.
Signing a message helps to ensure the following:
Data Integrity – The message was not altered from its original form
Non-repudiation – The sender cannot deny the authenticity of the message they sent and signed
Proof of Origin – The message actually came from the legitimate sender
OPC UA addresses message spoofing and message alteration by signing the messages.
Additionally, the messages will always include a valid Session ID, Secure Channel ID, Request ID, Timestamp, and Sequence Number.
- 17. © Utthunga Technologies Pvt. Ltd. 2020
OPC UA Security Solutions for Attack Type: Application Authentication
OPC UA counters rogue server, session hijacking, and server profiling attacks by ensuring the application used is trusted and authorized by the user.
It ensures that the application we are communicating with is trusted by means of its application instance certificate.
Authentication of applications:
• Application instance certificates
• Certificate Authority (CA)
- 18. © Utthunga Technologies Pvt. Ltd. 2020
OPC UA Security Solutions for Attack Type: User Authentication and Authorization
OPC UA counters rogue server and session hijacking attacks by ensuring that only an authenticated and authorized user is allowed to perform an action.
User authentication can be done via username/password, WS-Security token or X.509 certificates.
It can be implemented into existing IAM infrastructures like Active Directory.
Authorization helps to control access to specific operations and information.
Authorization (server specific):
• Fine-granular information in address space (Read, Write, Browse)
• Writing of metadata, calling methods
- 19. © Utthunga Technologies Pvt. Ltd. 2020
OPC UA Security Solutions for Attack Type: Availability
OPC UA counters threats like denial of service and message flooding attacks (bandwidth approach, resource approach).
• OPC UA servers reject sessions that exceed their specified maximum number
• Minimize processing of packets before they are authenticated
• Configure Alarm Incidents
- 20. © Utthunga Technologies Pvt. Ltd. 2020
OPC UA Security Solutions for Attack Type: Auditability
When multiple systems are communicating with the server, we can define what is important to us in terms of debugging and security and log that information.
Auditability is very important and useful because of the aggregation feature of OPC servers, which helps them communicate and establish connections with multiple servers and/or establish different sessions for a channel with different vendors.
Used for post analysis and forensic analysis, especially when something goes wrong.
- 21. © Utthunga Technologies Pvt. Ltd. 2020
Certificates
Certificates ensure a secure communication channel between the OPC UA server and the OPC UA client.
The public key of the server, from its trusted certificate store, is copied to the client's trusted certificate store.
Similarly, the public key of the client, from its trusted certificate store, is copied to the server's trusted certificate store.
The OPC UA server uses its private key to decrypt the encoded message.
Source: Beckhoff
- 22. © Utthunga Technologies Pvt. Ltd. 2020
Effectiveness of OPC UA Security Analysis
OPC UA successfully passed these tests, which were run for the German Federal Government (BSI).
- 24. © Utthunga Technologies Pvt. Ltd. 2020
Security Recommendations for OEMs
• Define and include the security-specific goals for your OPC product/application
• Choose the right SDK
• Secure SDL (Security Development Lifecycle)
• Third-party libraries
• Secure storage of private keys
• Certificates and user account management workflow
• Get certified by the Foundation Test Lab
• Security-specific upgrading/patching
• Other general security aspects
- 25. © Utthunga Technologies Pvt. Ltd. 2020
Security Recommendations for End Users
• Opt for certified products/applications that support the required security policies
• Security-specific upgrading/patching
• Certificates and user account management process & guidelines
• Support
• Other general security aspects
- 26. © Utthunga Technologies Pvt. Ltd. 2020
Security Recommendations
Do not leave your secrets lying around
• Never store private keys or the corresponding certificate files (.pfx/.p12) on an unencrypted file system
Do not automatically trust certificates
• Do not accept connections that do not provide trusted certificates
User Authentication
• Avoid use of anonymous identifiers
• When this generic identifier is used, it is not possible to trace who has changed
Security Mode ‘None’ should not be used
• It does not provide any protection
• The Security Mode used should be ‘SignAndEncrypt’ or ‘Sign’
Selection of cryptographic algorithms
• At a minimum, the Security Policy ‘Basic256Sha256’ should be chosen, provided it is technically possible
• Weaker security policies use outdated algorithms such as SHA-1 and should not be used
Managing and maintaining certificates
• Use certificate trust lists and certificate revocation lists to manage valid certificates
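The checks from the Security Policies and Security Recommendations slides can be run mechanically over the endpoints a server advertises. The following is an added example, not part of the original deck: the endpoint records, host name and dictionary field names are constructed for illustration, and the policy URIs follow the OPC Foundation's SecurityPolicy URI scheme.

```python
POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
# Policies the slides list as "No security" or "Deprecated".
WEAK_POLICIES = {"None", "Basic128Rsa15", "Basic256"}
ACCEPTED_MODES = {"Sign", "SignAndEncrypt"}

# Constructed sample data (assumption): endpoints one server might advertise.
SAMPLE_ENDPOINTS = [
    {"url": "opc.tcp://plc1.example:4840", "mode": "None",
     "policy": POLICY_BASE + "None", "tokens": ["Anonymous"]},
    {"url": "opc.tcp://plc1.example:4840", "mode": "Sign",
     "policy": POLICY_BASE + "Basic128Rsa15", "tokens": ["UserName"]},
    {"url": "opc.tcp://plc1.example:4840", "mode": "SignAndEncrypt",
     "policy": POLICY_BASE + "Basic256Sha256", "tokens": ["UserName", "Certificate"]},
    {"url": "opc.tcp://plc1.example:4840", "mode": "SignAndEncrypt",
     "policy": POLICY_BASE + "Aes256_Sha256_RsaPss", "tokens": ["Anonymous", "Certificate"]},
]

def audit_endpoint(ep):
    """Return the findings for one endpoint description (empty list = compliant)."""
    findings = []
    name = ep["policy"].rsplit("#", 1)[-1]
    if ep["mode"] not in ACCEPTED_MODES:
        findings.append("security mode %r gives no protection" % ep["mode"])
    if name in WEAK_POLICIES:
        findings.append("security policy %s is deprecated or insecure" % name)
    if "Anonymous" in ep["tokens"]:
        findings.append("anonymous identity allowed: changes cannot be traced to a user")
    return findings

def audit(endpoints):
    """Map endpoint index -> findings, only for endpoints that have any."""
    report = {}
    for i, ep in enumerate(endpoints):
        found = audit_endpoint(ep)
        if found:
            report[i] = found
    return report

if __name__ == "__main__":
    for idx, found in audit(SAMPLE_ENDPOINTS).items():
        ep = SAMPLE_ENDPOINTS[idx]
        print("%s [%s]" % (ep["url"], ep["mode"]))
        for f in found:
            print("  - " + f)
```

A strong policy alone does not make an endpoint compliant: the last sample endpoint uses the most secure policy but is still flagged because it accepts anonymous users.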
- 27. © Utthunga Technologies Pvt. Ltd. 2020
In a Nutshell
OPC UA is secure by design
OPC UA allows different levels of security
OPC UA security is standards-based and developed with industry security experts from multiple companies
Defense in Depth
As a reminder, OPC UA alone will not secure your systems.
- 28. © Utthunga Technologies Pvt. Ltd. 2020
Time for Audience Q&A
- 29. © Utthunga Technologies Pvt. Ltd. 2020
OPC – Upcoming Webinar Calendar
1. An Overview of OPC UA Security – 10th September, 2020
2. FDT/OPC UA – 30th September, 2020
- 30. © Utthunga Technologies Pvt. Ltd. 2020
Utthunga Technologies Pvt. Ltd.
No. 8, 27th Cross, 2nd Stage,
Banashankari, Bangalore – 560 070
Phone: +91-80-68151900
Mail: contact@utthunga.com