Table A.2 maps the ISA/IEC 62443 component requirements (ISA-62443-4-2, SL 2 CRs and their requirement enhancements, REs) to OPC UA. Topics in ISA/IEC 62443 that do not apply to OPC UA are marked “N”; topics that do apply are marked “Y”. For each topic that applies, the table lists the relevant OPC UA Parts and the Profiles, Facets and ConformanceUnits that cover the functionality. An “N” means the OPC UA specification does not address the topic (for example, password strength or lockout after failed logins); it does not mean the requirement is waived for a product that uses OPC UA, which must still meet it by other means.
Table A.2 – ISA/IEC 62443 to OPC UA Mapping

| ISA-62443-4-2 SL2 CRs and REs | Applies to OPC UA | OPC UA Part # | OPC UA Profile/Facet/Conformance Unit (CU) |
|---|---|---|---|
| CR 1.1: Human user identification and authentication | Y | Part 4 | IssuedIdentityToken |
| | | Part 6 | JSON Web Token (JWT), JWT UserTokenPolicy |
| | | Part 7 | Security User JWT IssuedToken, Security User JWT Token Policy, OPC UA Authority Profile |
| RE (1): Unique identification and authentication | Y | Part 4 | IssuedIdentityToken |
| | | Part 6 | JSON Web Token (JWT), JWT UserTokenPolicy |
| | | Part 7 | Security User JWT IssuedToken, Security User JWT Token Policy, OPC UA Authority Profile, User Token JWT Server Facet, User Token JWT Client Facet |
| CR 1.2: Software process and device identification and authentication | Y | Part 2 | ApplicationAuthentication, X.509 v3 Security Certificates |
| | | Part 4 | ApplicationInstance Security Certificate |
| | | Part 4 | EndpointDescription, EndpointUrl, Hostname (Device) |
| | | Part 7 | Security Default ApplicationInstance Security Certificate, Global Security Certificate Management Server Facet |
| CR 1.3: Account management | N | | |
| CR 1.4: Identifier management | Y | Part 4 | UserIdentityToken, UserTokenPolicy |
| | | Part 7 | Security User JWT IssuedToken, Security User JWT Token Policy, OPC UA Authority Profile, User Token JWT Server Facet, User Token JWT Client Facet |
| CR 1.5: Authenticator management | Y | Part 4 | UserIdentityToken, UserTokenPolicy |
| | | Part 7 | Security User JWT IssuedToken, Security User JWT Token Policy, OPC UA Authority Profile, User Token JWT Server Facet, User Token JWT Client Facet |
| CR 1.7: Strength of password based authentication | N | | |
| CR 1.8: Security certificates | Y | Part 2 | Security Certificates, TrustLists (CertificateStore), OPC UA Security Services |
| | | Part 4 | Obtaining, validating, and installing Security Certificate services |
| | | Part 6 | Security Certificates |
| | | Part 7 | Security Administration, Global Security Certificate Management |
| | | Part 12 | Security Certificate Management Overview |
| CR 1.9: Strength of public key-based authentication | Y | Part 2 | Cryptographic Keys |
| | | Part 4 | Trusted Security Certificates |
| | | Part 7 | Security Profiles: Basic256_Limits, SecurityPolicy [B] – Basic256Sha256 |
| CR 1.10: Authenticator feedback | N | | |
| CR 1.11: Unsuccessful login attempts | N | | |
| CR 1.12: System use notification | N | | |
| CR 1.14: Strength of symmetric key-based authentication | Y | Part 2 | Symmetric Encryption |
| | | Part 6 | SymmetricEncryptionAlgorithm |
| | | Part 7 | Global Service Key Credential Pull/Push Facets, KeyCredential Service Server Facet, KeyCredential Service Client Facet |
| | | Part 14 | SecurityKeyService (SKS), SymmetricEncryptionAlgorithm |
| CR 2.1: Authorization enforcement | Y | Part 2 | UserAuthorization |
| | | Part 4 | Authorization Services, IssuedIdentityToken |
| | | Part 6 | AuthorizationService, JSON Web Token (JWT) |
| | | Part 7 | User Token – JWT Server Facet, User Token – JWT Client Facet |
| RE (1): Authorization enforcement for all users (humans, software processes, and devices) | Y | Part 2 | UserAuthorization |
| | | Part 4 | Authorization Services, IssuedIdentityToken |
| | | Part 6 | AuthorizationService, JSON Web Token (JWT) |
| | | Part 7 | User Token – JWT Server Facet, User Token – JWT Client Facet |
| RE (2): Permission mapping to roles | Y | Part 2 | Roles, JWT, and User Roles |
| | | Part 5 (v1.04) / Part 18 (v1.05) | User Authorization, Role Type |
| | | Part 6 | RolePermissions |
| | | Part 7 | User Role Management Server/Client Facets |
| CR 2.2: Wireless use control | N | | |
| SAR 2.4: Mobile code | N | | |
| RE (1): Mobile code authenticity check | N | | |
| EDR 2.4: Mobile code | N | | |
| RE (1): Mobile code authenticity check | N | | |
| HDR 2.4: Mobile code | N | | |
| RE (1): Mobile code authenticity check | N | | |
| CR 2.5: Session lock | N | | |
| CR 2.6: Remote session termination | N | | |
| CR 2.8: Auditable events | Y | Part 2 | Auditability, Auditing, Audit Event Management |
| | | Part 4 | Auditing |
| | | Part 5 | AuditSecurityEventType |
| | | Part 7 | Auditing Server Facet, Auditing Client Facet, Best Practice – Audit Events |
| CR 2.9: Audit storage capacity | N | | |
| CR 2.10: Response to audit processing failures | N | | |
| CR 2.11: Timestamps | Y | Part 2 | Message replay, Timestamps, SecureChannelID |
| | | Part 4 | TimestampsToReturn |
| | | Part 5 | AuditEventType |
| | | Part 7 | Auditing Server Facet |
| RE (1): Time synchronization | Y | Part 2 | Cryptographic Keys (time validity of security profile) |
| | | Part 4 | SourceTimestamp, VersionTime, Redundant Server Set Requirements |
| | | Part 6 | Time Synchronization |
| | | Part 7 | Security Time Synchronization |
| CR 2.12: Non-repudiation | Y | Part 2 | Message alteration, Server Profiling, System Hijacking, Repudiation, Audit Event Management |
| | | Part 4 | Signing, GetEndpoints, SecureChannel, Auditing, Proof of Possession, UserTokenPolicy (user), SecurityPolicy |
| | | Part 7 | User Token – JWT Server/Client Facets, Auditing Server Facet, Auditing Client Facet, Best Practice – Audit Events |
| EDR 2.13: Use of physical diagnostic and test interfaces | N | | |
| CR 3.1: Communication integrity | Y | Part 2 | Secure Channel – OpenSecureChannel |
| | | Part 4 | Secure Channel Service Set |
| | | Part 6 | Secure Channel, SecurityProtocol |
| | | Part 7 | Security Policy Required, Security Policy [A] & [B] |
| RE (1): Communication authentication | Y | Part 2 | Secure Channel – OpenSecureChannel |
| | | Part 4 | Secure Channel Service Set |
| | | Part 6 | Secure Channel |
| | | Part 7 | Security Policy Required, Security |
| SAR 3.2: Protection from malicious code | N | | |
| EDR 3.2: Protection from malicious code | N | | |
| HDR 3.2: Protection from malicious code | N | | |
| RE (1): Report version of code protection | N | | |
| CR 3.3: Security functionality verification | Y | Part 2 | Identity Provider, SecurityKeyService, Secure Channel, TLS |
| | | Part 4 | OpenSecureChannel, CreateSession, Write |
| | | Part 6 | OPC UA Secure Conversation (UASC), Verifying Message Security, Token Policy, Bad_SecureChannel |
| | | Part 7 | User Token – JWT Server/Client Facets, Security Policy [A] & [B] |
| CR 3.4: Software and information integrity | Y | Part 2 | ApplicationInstance Security Certificate |
| | | Part 4 | SoftwareCertificates |
| | | Part 6 | ApplicationInstance Security Certificate, X.509 v3 |
| | | Part 7 | Security ApplicationInstance Security Certificate, Global Security Certificate Management Server/Client Profiles |
| RE (1): Authenticity of software and information | N | | |
| CR 3.5: Input validation | N | | |
| CR 3.6: Deterministic output | N | | |
| CR 3.7: Error handling | Y | Part 4 | Request/Response Service |
| | | Part 5 | SessionDiagnosticsObjectType |
| | | Part 6 | MessageChunks, Error Handling, Error Message, CloseSecureChannel |
| | | Part 7 | Security Policy Required, Security Policy [A] & [B] |
| CR 3.8: Session integrity | Y | Part 2 | Secure Channel, Session ID |
| | | Part 4 | Session Service Set, Creating a Session, Auditing Session Service, SessionAuthenticationToken |
| | | Part 7 | Session Services Facets, Standard UA Client 2017 Profile, Base Server Behavior Facet |
| CR 3.9: Protection of audit information | N | | |
| EDR 3.10: Support for updates | N | | |
| RE (1): Update authenticity and integrity | N | | |
| HDR 3.10: Support for updates | N | | |
| RE (1): Update authenticity and integrity | N | | |
| EDR 3.11: Physical tamper resistance and detection | N | | |
| HDR 3.11: Physical tamper resistance and detection | N | | |
| EDR 3.12: Provisioning product supplier roots of trust | N | Part 21, RC Xxx | |
| HDR 3.12: Provisioning product supplier roots of trust | N | Part 21, RC Xxx | |
| EDR 3.13: Provisioning asset owner roots of trust | N | Part 21, RC Xxx | |
| HDR 3.13: Provisioning asset owner roots of trust | N | Part 21, RC Xxx | |
| EDR 3.14: Integrity of the boot process | N | | |
| RE (1): Authenticity of the boot process | N | | |
| HDR 3.14: Integrity of the boot process | N | | |
| RE (1): Authenticity of the boot process | N | | |
| CR 4.1: Information confidentiality | Y | Part 2 | Confidentiality, Eavesdropping, Client/Server Confidentiality, PubSub Confidentiality |
| | | Part 4 | SecureChannel Service Set |
| | | Part 6 | OPC UA HTTPS, WebSockets (Security) |
| | | Part 7 | Security Policy Required, Security Policy [A] & [B] |
| CR 4.2: Information persistence | N | | |
| CR 4.3: Use of cryptography | Y | Part 2 | Asymmetric Cryptography, Cryptography, Symmetric Cryptography, SecurityPolicies, Random Number Generation, Security Certificate Management |
| | | Part 4 | GetEndpoints, OpenSecureChannel |
| | | Part 6 | Security Handshake, Security Certificates, AccessTokens, Security Header, Deriving Keys (Table 49) |
| | | Part 7 | AccessToken Request Client Facet, Security User Access Control Base Profile, Best Practice – Random Numbers, Global Discovery and Security Certificate Management 2017 Server, Global Security Certificate Management Client 2017 Profile |
| CR 5.1: Network segmentation | Y | Part 2 | Network Segmentation, OpenSecureChannel |
| | | Part 4 | Transport Layer – TLS, Communication Layer – Secure Channel, Application Layer – Session for Auth |
| | | Part 7 | Standard UA Client 2017 Profile, Base Server Behavior Facet |
| CR 6.1: Audit log accessibility | N | | |
| CR 6.2: Continuous monitoring | Y | Part 7 | Monitor Items, GetMonitoredItems Method, SetMonitoringMode, Subscription Server Facet, Standard UA Client 2017 Profile, Standard DataChange Subscription 2017 Server Facet |
| CR 7.1: Denial of service protection | Y | Part 2 | Application Crashes, Fuzz Testing, Certification |
| | | Part 4 | CreateSession, OpenSecureChannel, AuthenticationToken |
| | | Part 7 | Session Services Facets, Standard UA Client 2017 Profile, Base Server Behavior Facet |
| RE (1): Manage communication load from component | Y | Part 2 | Message flooding, GetEndpoints, OpenSecureChannel |
| | | Part 4 | CreateSession, OpenSecureChannel, AuthenticationToken |
| | | Part 7 | Session Services Facets, Standard UA Client 2017 Profile, Base Server Behavior Facet |
| CR 7.2: Resource management | Y | Part 2 | Resource exhaustion, ClientAuthentication, ServerAuditing, OpenSecureChannel |
| | | Part 4 | CreateSession, OpenSecureChannel, AuthenticationToken |
| | | Part 7 | Session Services Facets, Standard UA Client 2017 Profile, Base Server Behavior Facet |
| CR 7.3: Control system backup | N | | |
| RE (1): Backup integrity verification | N | | |
| CR 7.4: Control system recovery and reconstitution | N | | |
| CR 7.6: Network and security configuration settings | N | | |
| CR 7.7: Least functionality | N | | |
| CR 7.8: Control system component inventory | N | | |
The Open Group has given the OPC Foundation permission to incorporate the above table from its copyrighted documentation: O-PAS™ Standard, Version 2.1, Copyright © 2021 The Open Group. The table has been edited for format and structure.