The Global Discovery Server (GDS) is a special OPC UA Server that provides Discovery Services for a plant or an entire system. In addition, this Server can include a CertificateManager, a KeyCredentialService and an AuthorizationService (defined in OPC 10000-12).
There are multiple methods of accessing a GDS:
- Servers can register with the Discovery Server
- Clients can query the GDS for available Servers
- Clients can pull certificates from the CertificateManager
- Servers can pull certificates from the CertificateManager
- The CertificateManager can push certificates to a Server
- The GDS can access other Discovery Servers to build a list of available Servers
Several types of threats need to be discussed with regard to the available access methods:
- Threats where a rogue GDS is present in a system
- Threats against the GDS, including the presence of rogue Clients or Servers
- Threats against the certificate management functionality provided by a GDS