The Global Discovery Server (GDS) is a special OPC UA Server that provides Discovery services for a plant or an entire system. In addition, it can provide certificate management functionality (see Part 12).
There are multiple methods of accessing a GDS:
- Servers can register with the Discovery Server
- Clients can query the GDS for available Servers
- Clients can pull certificates from the GDS
- Servers can pull certificates from the GDS
- The GDS can push certificates to a Server
- The GDS can access other Discovery Servers to build a list of available Servers.
Several types of threats need to be discussed with regard to the available access methods:
- Threats where a rogue GDS is in a system.
- Threats against the certificate management functionality provided by a GDS.
The following guidelines are important to remember when dealing with a GDS:
- It is important that Servers register with the Discovery Server they are configured to register with and that Servers do not blindly register with a GDS that they have not been configured to register with. Servers have to be aware that a Discovery Server might be a rogue Server.
- A Server registers all endpoints that it provides, ensuring that the list provided by the Discovery Server and the list provided by the Server match. This allows Clients to determine whether the Discovery Server provided valid information.
- Clients should be aware of rogue Discovery Servers that might direct them to rogue Servers. Clients can use the SSL/TLS server certificate (if available) to verify that the Discovery Server is a Server that they trust and/or ensure that they trust any Server provided by the Discovery Server.
- As described in Part 4, Clients always verify that they trust the Server certificate and that the EndpointUrl matches the HostNames specified in the certificate before they create a Session with a Server. After the Session is created, the Client looks at the EndpointDescriptions returned by the Server and verifies that it used the best security possible and that the Server's Certificate matches the one that the Client used to connect. The EndpointDescription provided by the Server includes a relative SecurityLevel that is used to determine whether the most secure endpoint was used.
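The checks behind the second and fourth guidelines, written out as an added example; this is not code from the specification or from any OPC UA stack. Endpoints are plain records carrying the EndpointDescription fields named above. The shape of the trust store, the function names and the sample endpoint lists are constructed assumptions, and the host names a real Client would take from the certificate's HostNames are supplied as plain strings.

```python
from dataclasses import dataclass
from hashlib import sha256
from urllib.parse import urlparse


@dataclass(frozen=True)
class Endpoint:
    """The EndpointDescription fields the checks below rely on."""
    endpoint_url: str
    security_level: int        # relative SecurityLevel assigned by the Server
    server_certificate: bytes  # DER in a real stack; constructed bytes here


def fingerprint(cert: bytes) -> str:
    return sha256(cert).hexdigest()


def hostname_of(endpoint_url: str) -> str:
    """Host part of e.g. opc.tcp://plc1.example:4840/UA -> plc1.example."""
    return (urlparse(endpoint_url).hostname or "").lower()


def discovery_matches_server(discovery_endpoints, server_endpoints) -> bool:
    """Second guideline: the endpoint list handed out by the Discovery Server
    must equal the list the Server itself advertises (compared by URL)."""
    return ({e.endpoint_url for e in discovery_endpoints}
            == {e.endpoint_url for e in server_endpoints})


def pre_session_check(endpoint: Endpoint, trust_store: dict) -> bool:
    """Fourth guideline, before CreateSession: the Server certificate must be
    trusted and the EndpointUrl host must be one of the certificate's
    HostNames. trust_store (assumed shape) maps a trusted certificate's
    fingerprint to the host names the application extracted from it."""
    hosts = trust_store.get(fingerprint(endpoint.server_certificate))
    if hosts is None:
        return False  # untrusted certificate: never create a Session
    return hostname_of(endpoint.endpoint_url) in {h.lower() for h in hosts}


def choose_endpoint(candidates, trust_store):
    """Among endpoints that pass the pre-session check, take the one with
    the highest SecurityLevel; None if nothing is acceptable."""
    acceptable = [e for e in candidates if pre_session_check(e, trust_store)]
    return max(acceptable, key=lambda e: e.security_level) if acceptable else None


def post_session_check(used: Endpoint, session_endpoints) -> bool:
    """Fourth guideline, after CreateSession: the EndpointDescriptions the
    Server returns must carry, for the URL the Client used, the same
    certificate the Client connected with, and no endpoint the Server offers
    may be more secure than the one in use."""
    same_url = [e for e in session_endpoints if e.endpoint_url == used.endpoint_url]
    if not same_url or same_url[0].server_certificate != used.server_certificate:
        return False  # certificate differs from what the Discovery Server described
    return used.security_level >= max(e.security_level for e in session_endpoints)


# Constructed sample data (no real deployment or certificate behind it).
CERT_PLC1 = b"constructed DER for plc1.example"
CERT_OTHER = b"constructed DER of a server the Client does not trust"
TRUST_STORE = {fingerprint(CERT_PLC1): {"plc1.example", "plc1"}}

SERVER_LIST = [  # what plc1 itself registers and returns as EndpointDescriptions
    Endpoint("opc.tcp://plc1.example:4840/UA", 1, CERT_PLC1),   # no security
    Endpoint("opc.tcp://plc1.example:4841/UA", 10, CERT_PLC1),  # sign and encrypt
]
DISCOVERY_LIST = SERVER_LIST + [  # what a (here tampered) Discovery Server returned
    Endpoint("opc.tcp://other.example:4840/UA", 10, CERT_OTHER),  # untrusted cert
    Endpoint("opc.tcp://plc9.example:4841/UA", 10, CERT_PLC1),    # host not in cert
]


def run_checks():
    """Apply the guidelines to the constructed lists and report the verdicts."""
    chosen = choose_endpoint(DISCOVERY_LIST, TRUST_STORE)
    return {
        "lists_match": discovery_matches_server(DISCOVERY_LIST, SERVER_LIST),
        "chosen_url": chosen.endpoint_url if chosen else None,
        "post_session_ok": post_session_check(chosen, SERVER_LIST) if chosen else False,
    }


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name}: {verdict}")
```

With the constructed lists, the list comparison fails because the Discovery Server returned two endpoints plc1 never registered, the two extra entries are rejected before any Session is created (one for an untrusted certificate, one because the host is not among the certificate's HostNames), and the sign-and-encrypt endpoint of plc1 is chosen and passes the post-session comparison.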
As described in Part 4, the FindServersOnNetwork Service can be used without security and is therefore vulnerable to denial of service (DoS) attacks. A Discovery Server should minimize the amount of processing required to send the response for this Service. This can be achieved by preparing the result in advance.
A GDS that also provides certificate management supports User Access security as described in Part 12. This includes restricting all certificate management functionality to administrators. Furthermore, the list of Clients that are allowed to access management functionality may be limited.
Certificate management includes a provisioning phase and a runtime phase. The provisioning phase is when the GDS is providing initial certificate(s) to Clients or Servers that are just entering the system. The runtime phase is the day-to-day operation of the system and includes providing updated CRLs, certificate renewals and updated TrustLists.
The provisioning of systems is inherently not secure, but can be very useful in providing a greatly simplified deployment of a complex system. Provisioning in a GDS is not enabled by default, but requires an administrative action to enable. It is also recommended that the provisioning feature, when enabled, stays enabled only for a limited time.
The runtime phase of GDS certificate operations can be performed in a very secure manner, since all Servers and Clients already have certificates to ensure a secure connection. For the push model of certificate management, the GDS establishes a secure channel using the highest security level available in the target Server. It does not provide updated CRLs, Certificates or TrustLists via an endpoint that has a lower security level than the security level of the updates. For example, if a certificate with a 4096-bit key is to be updated, it cannot be updated over a channel secured with a 2048-bit key, but a 2048-bit certificate can be updated over a 4096-bit channel. If a new higher-level certificate needs to be deployed, it is handled in the same manner as the provisioning of a new Server.
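The three policy rules in the paragraphs above (administrator-only management with an optional Client allow-list, a provisioning feature that is off by default and closes after a bounded time, and the push-model rule that an update never travels over a channel weaker than the material itself) as one added example. It is not code from the specification or from any GDS product: the class and function names, the role name "administrator", the use of key size as the stand-in for security level and the manual clock are all constructed assumptions.

```python
import time
from dataclasses import dataclass


class ManualClock:
    """Constructed clock so the example runs deterministically offline;
    a deployment would pass time.monotonic instead."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class ProvisioningWindow:
    """Provisioning is disabled by default; an administrator enables it for a
    bounded period and it closes again on its own."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._closes_at = None  # None means disabled

    def enable(self, seconds: float) -> None:
        self._closes_at = self._clock() + seconds

    def disable(self) -> None:
        self._closes_at = None

    def is_open(self) -> bool:
        if self._closes_at is None:
            return False
        if self._clock() >= self._closes_at:
            self._closes_at = None  # expired: back to the default
            return False
        return True


def may_manage_certificates(roles, client_id, allowed_clients=None) -> bool:
    """User Access restriction: management calls need an administrator and,
    where the GDS limits which Clients may manage, an allow-listed Client.
    (Role name and allow-list shape are constructed for the example.)"""
    if "administrator" not in roles:
        return False
    return allowed_clients is None or client_id in allowed_clients


@dataclass(frozen=True)
class TargetEndpoint:
    url: str
    key_bits: int  # strength of the channel certificate, standing in for SecurityLevel


def plan_update(targets, update_key_bits, window):
    """Push model: pick the strongest endpoint the target Server offers and
    push only if that channel is at least as strong as the material being
    delivered. Stronger material cannot go over a weaker channel, so it is
    handled as provisioning, which requires the window to be open.
    Returns ('push', endpoint), ('provision', None) or ('refused', None)."""
    if not targets:
        return ("refused", None)
    strongest = max(targets, key=lambda t: t.key_bits)
    if strongest.key_bits >= update_key_bits:
        return ("push", strongest)
    if window.is_open():
        return ("provision", None)
    return ("refused", None)


def demo():
    """Walk through the 4096/2048 cases from the text with a manual clock."""
    clock = ManualClock()
    window = ProvisioningWindow(clock)
    weak = [TargetEndpoint("opc.tcp://plc1.example:4841/UA", 2048)]    # constructed
    strong = [TargetEndpoint("opc.tcp://plc1.example:4842/UA", 4096)]  # constructed
    out = {}
    out["2048 over 2048"] = plan_update(weak, 2048, window)[0]
    out["4096 over 2048, window closed"] = plan_update(weak, 4096, window)[0]
    window.enable(600)  # administrator opens provisioning for ten minutes
    out["4096 over 2048, window open"] = plan_update(weak, 4096, window)[0]
    clock.now = 601     # window has lapsed without anyone disabling it
    out["4096 over 2048, window expired"] = plan_update(weak, 4096, window)[0]
    out["4096 over 4096"] = plan_update(strong, 4096, window)[0]
    out["2048 over 4096"] = plan_update(strong, 2048, window)[0]
    return out


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The decision function deliberately has no path that downgrades: when the only channel available is weaker than the material, the outcome is either provisioning (with the window open, i.e. after an explicit administrative action) or a refusal, never a push over the weaker channel.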