The PubSubcan be deployed in two environments, one in which a broker exists and one which is broker less. For a detailed describe of this model see OPC 10000-14The two environments have different security considerations associated with them, and each will be described separately.

The broker-less PubSubcommunication model provides Confidentialityand Integrity.This is accomplished using Symmetric Encryptionand signature algorithms. The required symmetric keys are distributed by a Security Key Server (SKS) (see OPC 10000-14for additional details). The SKS makes use of the standard Client/Serversecurity described in 4.5.2to establish application Authentication as well as user Authentication. This approach allows all applications (Publishersand/or Subscribers) in a SecurityGroupto share information

A benefit of using shared symmetric keys is the high performance they offer, but a drawback is that for a group of applications that use a shared symmetric key, all of the applications in the group have the same rights. All applications must trust all other applications in the group. Any application (Publisheror Subscriber) in the group can publish a message and any application (Publisheror Subscriber) in the group can decode the message.

For example, a system might be composed of a shared symmetric group that is composed of a controller (Publisher) and three Subscribers(say HMI’s). The controller is publishing messages and the HMIs are receiving the messages. If one of the HMIs is compromised, it might start publishing messages also. The other two HMIs will not be able to tell that the message was not sent from the controller. One possible solution to this situation could be if the shared symmetric group is composed of just the controller and one HMI. Additional groups would be created for each HMI, then no HMI could affect the other HMIs. Other possible solutions could also involve the network architecture and services, such as unicast restricted network communication, but these are outside the scope of the of OPC UA specification. The configuration of SecurityGroups requires careful consideration when deploying systems to ensure security.

When using a Brokerin the PubSubmodel, the same shared symmetric key concepts as defined in 4.5.3.2can be used to provide Confidentialityand Integrity. Furthermore, communication to the Brokercan be secured according the rules defined for the Broker. These rules are not defined in the OPC UA specification but are defined by the Middleware. In many cases the Middlewarerequires the authorization of both the Publishersand the Subscribersbefore they can interact with the Broker. The Brokerinteractions can provide security mechanisms to meet Confidentiality, Integrityand application or user Authenticationas security objectives. If the published message is not secured using the shared symmetric key concepts, the message content is visible to the Brokerwhich creates some risk of man-in-the-middle attacks. The use of the shared symmetric keys eliminates this risk.