BSI PD CLC IEC/TR 62541-2:2021


OPC unified architecture – Security Model

Published by: BSI
Publication date: 2021
Number of pages: 54

This part of IEC 62541 describes the OPC Unified Architecture (OPC UA) security model. It describes the security threats of the physical, hardware, and software environments in which OPC UA is expected to run. It describes how OPC UA relies upon other standards for security. It provides definitions of common security terms that are used in this and other parts of the OPC UA specification. It gives an overview of the security features that are specified in other parts of the OPC UA specification. It references services, mappings, and Profiles that are specified normatively in other parts of the OPC UA Specification. It provides suggestions or best practice guidelines on implementing security. Any seeming ambiguity between this part and one of the other normative parts does not remove or reduce the requirement specified in the other normative part.

It is important to understand that there are many different aspects of security that have to be addressed when developing applications. However, since OPC UA specifies a communication protocol, the focus is on securing the data exchanged between applications. This does not mean that an application developer can ignore the other aspects of security like protecting persistent data against tampering. It is important that the developers look into all aspects of security and decide how they can be addressed in the application.

This part is directed to readers who will develop OPC UA Client or Server applications or implement the OPC UA services layer. It is also for end Users that wish to understand the various security features and functionality provided by OPC UA. It also offers some suggestions that can be applied when deploying systems. These suggestions are generic in nature since the details would depend on the actual implementation of the OPC UA Applications and the choices made for the site security.

PDF Catalog

PDF Pages PDF Title
5 Annex ZA (normative) Normative references to international publications with their corresponding European publications
7 CONTENTS
10 FOREWORD
12 1 Scope
2 Normative references
13 3 Terms, definitions, and abbreviated terms
3.1 Terms and definitions
18 3.2 Abbreviated terms
4 OPC UA security architecture
4.1 OPC UA security environment
19 4.2 Security objectives
4.2.1 Overview
Figure 1 – OPC UA network example
20 4.2.2 Authentication
4.2.3 Authorization
4.2.4 Confidentiality
4.2.5 Integrity
4.2.6 Non-Repudiation
4.2.7 Auditability
4.2.8 Availability
4.3 Security threats to OPC UA systems
4.3.1 Overview
21 4.3.2 Denial of Service
22 4.3.3 Eavesdropping
4.3.4 Message spoofing
4.3.5 Message alteration
4.3.6 Message replay
23 4.3.7 Malformed Messages
4.3.8 Server profiling
4.3.9 Session hijacking
4.3.10 Rogue Server
4.3.11 Rogue Publisher
24 4.3.12 Compromising user credentials
4.3.13 Repudiation
4.4 OPC UA relationship to site security
25 4.5 OPC UA security architecture
4.5.1 Overview
Figure 2 – OPC UA security architecture – Client / Server
26 4.5.2 Client / Server
Figure 3 – OPC UA security architecture – Publisher-Subscriber
27 4.5.3 Publish-Subscribe
28 4.6 SecurityPolicies
29 4.7 Security Profiles
4.8 Security Mode Settings
4.9 User Authentication
4.10 Application Authentication
30 4.11 User Authorization
4.12 Roles
4.13 OPC UA security related Services
Figure 4 – Role overview
31 4.14 Auditing
4.14.1 General
32 4.14.2 Single Client and Server
Figure 5 – Simple Servers
33 4.14.3 Aggregating Server
4.14.4 Aggregation through a non-auditing Server
Figure 6 – Aggregating Servers
34 4.14.5 Aggregating Server with service distribution
Figure 7 – Aggregation with a non-auditing Server
35 5 Security reconciliation
5.1 Reconciliation of threats with OPC UA security mechanisms
5.1.1 Overview
Figure 8 – Aggregate Server with service distribution
36 5.1.2 Denial of Service
Table 1 – Security Reconciliation Threats Summary
37 5.1.3 Eavesdropping
5.1.4 Message spoofing
38 5.1.5 Message alteration
5.1.6 Message replay
5.1.7 Malformed Messages
5.1.8 Server profiling
5.1.9 Session hijacking
39 5.1.10 Rogue Server or Publisher
5.1.11 Compromising user credentials
5.1.12 Repudiation
5.2 Reconciliation of objectives with OPC UA security mechanisms
5.2.1 Overview
5.2.2 Application Authentication
40 5.2.3 User Authentication
5.2.4 Authorization
5.2.5 Confidentiality
5.2.6 Integrity
5.2.7 Auditability
41 5.2.8 Availability
6 Implementation and deployment considerations
6.1 Overview
6.2 Appropriate timeouts
6.3 Strict Message processing
42 6.4 Random number generation
6.5 Special and reserved packets
6.6 Rate limiting and flow control
6.7 Administrative access
43 6.8 Cryptographic Keys
6.9 Alarm related guidance
6.10 Program access
44 6.11 Audit event management
6.12 OAuth2, JWT and User roles
6.13 HTTPs, SSL/TLS & Websockets
6.14 Reverse Connect
45 7 Unsecured Services
7.1 Overview
7.2 Multicast Discovery
7.3 Global Discovery Server Security
7.3.1 Overview
7.3.2 Rogue GDS
46 7.3.3 Threats against a GDS
7.3.4 Certificate management threats
47 8 Certificate management
8.1.1 Overview
8.1.2 Self-signed certificate management
Figure 9 – Manual Certificate handling
48 8.1.3 CA Signed Certificate management
Figure 10 – CA Certificate handling
49 8.1.4 GDS Certificate Management
50 Figure 11 – Certificate handling
52 Bibliography