OPC UA Clientand Serverproducts are certified against Profilesthat are defined in OPC 10000-7. Some of the Profilesspecify security functions and others specify other functionality that is not related to security. The Profilesimpose requirements on the certified products but they do not impose requirements on how the products are used. A consistent minimum level of security is required by the various Profiles. However, different Profilesspecify different details such as which encryption algorithms are required for which OPC UA functions. If a problem is found in one encryption algorithm then the OPC Foundation can define a new Profilethat is similar, but that specifies a different encryption algorithm that does not have a known problem. OPC 10000-7is the normative specification of the Profiles, but Profilesare maintained in an on-line application (https://profiles.opcfoundation.org) allowing for updating of Profiles, especially security related profiles, in a more timely manner than allowed by documentation publication cycles.
Policies refer to many of the same security choices as Profiles; however the policy specifies which of those choices to use in the Session. The policy does not specify the range of choices that the product offers, they are described in the Profiles that it supports.
These policies are included in Certification Testing associated with OPC UA Applications. The Certification Testing ensures that the standard is followed and that the appropriate security algorithms are supported.
Each security mechanism in OPC UA is provided in OPC UA Applicationsin accordance with the Profileswith which the OPC UA Applicationcomplies. At the site, however, the security mechanisms may be deployed optionally. In this way each individual site has all of the OPC UA security functions available and can choose which of them to use to meet its security objectives.