Key OPC UA Security Concepts

Written by: Thomas Gaudet
7/25/2022

Protecting the security and integrity of your industrial data is paramount. Yet in today’s increasingly connected factories and other industrial facilities, sharing data and keeping OPC servers online are critical concerns. However, whether in transit or at rest, these key OPC UA Security concepts will help you understand how your data is protected.

What is OPC UA? How does OPC UA protect your data?

OPC UA stands for OPC Unified Architecture, which has been designed as platform-agnostic standard created to easily facilitate the secure exchange of data between industrial machines. OPC Unified Architecture (OPC UA) was designed with security in mind. One of the key OPC UA security concepts is ensuring the integrity and confidentially of messages through message encryption and signing.

Although this sounds fancy, the technologies OPC UA uses to achieve this have a direct impact on how end users interact with OPC UA products. Let’s explore this concept and outline details how to use it to make secure OPC UA connections.

What are the Layers of the OPC UA security model?

There are three key layers within the OPC UA security model, including:

1. OPC UA Transport Layer

The transport layer is the first line of defense for the OPC UA. This layer focuses primarily on the IP address of the machine, as well as relevant ports. In addition, defenses such as user access lists or firewalls to manage connections exist here.

 2. OPC UA Communication Layer

At the communication layer, the UPC UA client connects to the server and exchanges certificates to authenticate connections, as well as encrypt and sign messages sent.

3. OPC UA Application Layer

In the UA application layer, this is where verification occurs that the user credentials accessing the Server have proper authority to access specific resources.

Overview of X509 certificates

OPC UA uses an IT technology called X509 certificates for message signing and encryption. Signing means when your application receives a message, you can know exactly who sent it by checking the message signature. This protects against rogue entities sending your client or server bogus requests. Message encryption provides confidentiality by guaranteeing that only the receiver is able to read a message. So how do X509 certificates provide OPC UA applications with message signing and encryption?

What are the Functions of OPC UA Security Certificates?

Key OPC UA security concepts can be understood by taking a closer look at key security certificate functions:

 

OPC UA Message Signing Validates Message Integrity

Using a private key, the OPC UA message signing validates access. The application uses a private key to generate messages that can be validated by the public key certificate, thus establishing communications integrity.

OPC UA Message Encryption Keeps Message Secure

OPC UA uses a public key to encrypt a message that can only be decrypted when the related private key is entered.

OPC UA Application Layer Establishes Trust

Quickly establish trust by checking the audit information generated by each OPA UA certification including the application, date generated, user, what the certificate is for, validity period, and other factors.

What are the Different Types of OPC UA Encryption Methods?

One of the key OPC UA security concepts is leveraging different forms of encryption. To better understand how this works, let’s look at the two types of encryptions for OPC UA and how they work.

Symmetric Encryption Methods

Each OPC UA server or client gets an X509 certificate that contains a public key for the world, a private application key, and information on who owns the certificate. Each of these keys, large prime numbers that are hard to guess, are used to decrypt one another.

Asymmetric Encryption Methods

Asymmetric encryption is a method that connects an OPC UA client to a server. The server and client exchange and verify public keys. After connecting, they create a secure channel and encrypt the messages – the client with the server’s public key and sign with their private key. This multiple layered approach allows robust verification./p>

Using OPC UA for Secure Communications

OPC Unified Architecture has been part of a movement to create new standards that operate across platforms and offer next-level security. With OPC UA, each connection goes through host identification, authorization, and encryption by exchanging certificates. This automated process brings the latest in secure connections to the table.

What Are the Key Recommendations When Designing Your OPC UA Security Model?

When designing your OPC UA security model, keep a few strategic questions to ask include:

  • What certificate configurations will you rely on? Can you validate if your endpoints are configured for security?
  • Does your situation suggest a better fit for symmetric or asymmetric encryption?
  • Would streamlined tools that help you manage OPC UA security policies simplify the administration?

Guide: OPC UA Client and Server Conditions

That’s it. By making just a few key choices, you can ensure that your most important industrial automation data is protected. Since, setting up trust relationships between every client and server can be a bit of a burden at times, automation is key.

Exploring OPC UA Security Concepts

Exploring OPC UA - Key Concepts of a Layered Security Model

 

 

To learn more about best-of-breed, single-source connectivity solutions, contact an industrial connectivity expert today.

Contact Us
Tags: Connected Devices Industrial Connectivity Industrial Internet of Things Kepware Industry 4.0 IT/OT Convergence

About the Author

Thomas Gaudet

As the Director of Product Management for the Kepware business at PTC, Tom brings seven years of engineering experience to his position. With the goal of expanding Kepware functionality to support enterprise organizations, he uses a pragmatic approach to fully understanding market initiatives and requirements. Tom is passionate about technology and learning how organizations collect, manage, and store data, and the implications it has on business. He enjoys sharing ideas and working with customers across a variety of industry verticals to find innovative solutions for their challenges.