Click Image to Enlarge

Due to the criticality of Industrial Control Systems (ICS) and the desire to make process and business information available to anyone, anywhere, and at any time, the information that is exchanged between interested parties must meet the security requirements of the site. The OPC UA standards are designed to meet these security requirements while maintaining the level of flexibility and control that site administrators expect.

Security Objectives

Before we discuss how OPC UA can meet site security requirements, lets review the security objectives that apply to industrial control systems. These include:

• Auditability: This provides traceability on all actions performed within a system, with the goal of logging which user performed what action and when—as well as any attempts that have been made to compromise the system.
• Authentication: An ICS is comprised of hardware, software applications, and users. Each component must be able to prove its identity in order to be considered a trusted party.
• Authorization: Even though a party may be trusted, components should be given the minimum access needed to perform their functions.
• Availability: This ensures the ICS is fully operational by limiting factors that may impact its execution.
• Confidentiality: The information exchanged between trusted parties must be hidden from those that are not trusted or have no reason to view the information. This requires that the sender and receiver of information must be able to encrypt and decrypt the data they exchange.
• Integrity: The information exchanged between trusted parties must not be modifiable.

By meeting each of these security objectives, a site will be able to ensure that only the applications, devices, and users who are authorized to interact with the system are allowed to do so. In addition, this removes the possibility for non-authorized applications, devices, and users to impact the operation of the system or gain access to critical data.

Security Threats

Though not comprehensive of all possible threats, some that have plagued ICS over the years are as follows:

• Compromising User Credentials
• Eavesdropping
• Malformed Messages
• Message Alteration/Spoofing
• Message Flooding
• Message Replay
• Profiling
• Session Hijacking

By implementing a security strategy for a site, an administrator can thwart the above threats and achieve the security objectives needed to protect critical infrastructure.

Site Security

Most sites will incorporate a Cyber Security Management System (CSMS) to address security-related requirements. These requirements may range from the adoption of security policies around physical and electronic boundaries, auditing, and preventative and response procedures. In order to address the threats discussed earlier, a security risk assessment will be initiated and appropriate security measures will be implemented. A good implementation will follow a “defense–in-depth” strategy, where there will be multiple layers of protection. This may include a combination of firewalls, intrusion detection/prevention systems (IDS/IPS), patch-management systems, and IT rules for what is allowed and what is not allowed within the context of the system.

OPC UA can adapt to a site’s CSMS by allowing the administrator complete control on how communications are setup and managed. OPC UA’s client/server architecture also bodes well with a defense-in-depth strategy, as UA-aware applications can act as an intermediary between different layers within a site and limit the amount of information that can be exposed or manipulated.

OPC UA Security Architecture

To mitigate against security threats, OPC UA has a multi-tier design that consists of an application layer, communications layer, and a transport layer.
The majority of OPC functionality is handled within the context of the application layer i.e. where clients and servers process UA information—operations like reading, writing, and browsing items. It is also where UA provides management for authentication and user authorization through the concept of a session between a client and server instances.

The secure channel that makes up the communications layer provides the functionality that allows for application authentication, confidentiality, and integrity. It does this by utilizing an appropriate level of encryption and decryption to maintain confidentiality of communication messages, by signing messages to ensure the integrity of data, and by utilizing digital certificates that provide application authentication. The resulting secured data is then passed on to the transport layer for further processing.

The transport layer handles the actual sending and receiving of the data over a communications infrastructure. The transport mechanism used (such as OPC UA Binary or XML Web Services via HTTP) impacts the implementation of the secured channel managed by the communications layer.

How It Works

Every OPC UA application has a unique digital (X.509) certificate assigned to it per installation that is referred to as an application instance certificate. This certificate is comprised of a public key that can be shared with other trusted parties, as well as a private key that is only known to the application instance. These keys vary in size, where the longer the key, the harder it is for a third party to guess.

When a client application connects to a server, it creates a secured channel. Only if an administrator has configured the client and server to trust each other’s certificates will the secured channel be established. This procedure provides application authentication.

In order to provide the identity of the user of an application, the client will next create a session that leverages the secure channel for communications. Applications may utilize this user information to limit or restrict access to certain operations, thus providing a level of user authorization.

From here on out, the client will encrypt all communications it sends to the server with the server’s public key, and will sign each message with its own private key. Upon receiving a message, the server will test the integrity of the message by validating the signature against the client’s public key and decrypt the message with its own private key. This ensures that all messages remain confidential and are not tampered with.

Mitigation of Threats

OPC UA’s secure channel/session model protects against potential threats in many ways. First of all OPC UA limits what actions a client can perform on a server before it is authenticated. Clients are limited to obtaining the security and connection requirements of a server and creating a secure channel. In the case of security and connection requirements, this information seldom changes after deployment and will require little processing time on the server. For the more processor-intensive secure channel creation, servers should monitor for repeated failed secure channel creation requests and intentionally delay the handling of future requests to minimize the impact of a potential attack. Servers should also allow administrators to limit the number of concurrent connections it will handle at any given time. These steps will prevent against message flooding. An additional benefit of limiting what an unauthenticated party can accomplish is that any known security vulnerabilities that could be compromised are limited, which minimizes the server profiling that could be done by an attacker.
Each message that is exchanged contains a session ID, secure channel ID, request ID, timestamp, and sequence numbers. Since these messages are not modifiable, applications can validate these values to ensure that an attacker has not captured a message to replay at some point in the future. Clients and servers also validate each message to ensure it is of the proper form. Together, this eliminates the concerns around message replay and reception of malformed messages.

Summary

OPC UA provides the industry with interoperability between software-based applications and hardware appliances from various vendors. This interoperability allows for the exchange of information that is critical to any industrial control system, as well as for the overall business. In order to make optimal operating and business decisions, the ability to obtain information from anywhere in the world is pivotal. Since this will require data to be transmitted over public domains, it must be done securely in order to protect the authenticity, integrity, and confidentiality of information. OPC UA’s adoption of today’s widespread IT principles and techniques makes this possible.