Table A.2provides a mapping of ISA/IEC 62443to OPC UA. Some topics in ISA/IEC 62443do not apply to OPC UA and are marked as “N”. ISA/IEC 62443topics that do apply are marked as “Y”. For each topic that does apply the table lists the relevant OPC UA Parts and the Profiles/ ConformanceUnitsthat covers the functionality are listed.

Table A.2– IEC62443 to OPC UA Mapping

ISA-62443-4-2 SL2

CRs and Res

Applies to OPC UA

OPC UA Part #

OPC UA Profile/ Facet/Conformance Unit (CU)

CR 1.1: Human user identification and authentication

Y

Part 4

IssuedIdentityToken

Part 6

JSON Web Token (JWT), JWT UserTokenPolicy

Part 7

Security User JWT IssuedToken, Security User JWT Token Policy, OPC UA Authority Profile

RE (1): Unique identification and Authentication

Y

Part 4

IssuedIdentityToken

Part 6

JSON Web Token (JWT), JWT UserTokenPolicy

Part 7

Security User JWT IssuedToken, Security User JWT Token Policy, OPC UA Authority Profile

User Token JWT Server Facet, User Token JWT Client Facet

CR 1.2: Software process and device identification and authentication

Y

Part 2

ApplicationAuthentication, X.509 v3 Security Certificates

Part 4

ApplicationInstance Security Certificate

Part 4

EndpointDescription, EndpointUrl, Hostname (Device)

Part 7

Security Default ApplicationInstance Security Certificate, Global Security Certificate Management Server Facet

CR 1.3: Account management

N

CR 1.4: Identifier management

Y

Part 4

UserIdentityToken, UserTokenPolicy

Part 7

Security User JWT IssuedToken, Security User JWT Token Policy, OPC UA Authority Profile

User Token JWT Server Facet, User Token JWT Client Facet

CR 1.5: Authenticator management

Y

Part 4

UserIdentityToken, UserTokenPolicy

Part 7

Security User JWT IssuedToken, Security User JWT Token Policy, OPC UA Authority Profile

User Token JWT Server Facet, User Token JWT Client Facet

CR 1.7: Strength of password based authentication

N

CR 1.8: Security certificates

Y

Part 2

Security Certificates, TrustLists (CertificateStore), OPC UA Security Services

Part 4

Obtaining, validating, and installing Security Certificate services

Part 6

Security Certificates

Part 7

Security Administration, Global Security Certificate Management

Part 12

Security Certificate Management Overview

CR 1.9: Strength of public key-based authentication

Y

Part 2

Cryptographic Keys

Part 4

Trusted Security Certificates

Part 7

Security Profiles: Basic256_Limits, SecurityPolicy [B] – Basic256Sha256

CR 1.10: Authenticator feedback

N

CR 1.11: Unsuccessful login attempts

N

CR 1.12: System use notification

N

CR 1.14: Strength of symmetric key-based authentication

Y

Part 2

Symmetric Encryption

Part 6

SymmetricEncryptionAlgorithm

Part 7

Global Service Key Credential Pull/Push Facets, KeyCredential Service Server Facet, KeyCredential Service Client Facet

Part 14

SecuritKeyService (SKS), SymmetricEncryptionAlgorithm

CR 2.1: Authorization enforcement

Y

Part 2

UserAuthorization

Part 4

Authorization Services, IssuedIdentityToken

Part 6

AuthorizationService, JSON Web Token (JWT)

Part 7

User Token – JWT Server Facet, User Token – JWT Client Facet

RE (1): Authorization enforcement for all users (humans, software processes, and devices)

Y

Part 2

UserAuthorization

Part 4

Authorization Services, IssuedIdentityToken

Part 6

AuthorizationService, JSON Web Token (JWT)

Part 7

User Token – JWT Server Facet, User Token – JWT Client Facet

RE (2): Permission mapping to roles

Y

Part 2

Roles, JWT, and User Roles

Part 5 (v1.04)

Part 18 (V1.05)

User Authorization, Role Type

Part 6

RolePermissions

Part 7

User Role Management Server/Client Facets

CR 2.2: Wireless use control

N

SAR 2.4: Mobile code

N

RE (1): Mobile code authenticity check

N

EDR 2.4: Mobile code

N

RE (1): Mobile code authenticity check

N

HDR 2.4: Mobile code

N

RE (1): Mobile code authenticity check

N

CR 2.5: Session lock

N

CR 2.6: Remote session termination

N

CR 2.8: Auditable events

Y

Part 2

Auditability, Auditing, Audit Event Management

Part 4

Auditing

Part 5

AuditSecurityEventType

Part 7

Auditing Server Facet, Auditing Client Facet, Best Practice – Audit Events

CR 2.9: Audit storage capacity

N

CR 2.10: Response to audit processing failures

N

CR 2.11: Timestamps

Y

Part 2

Message replay, Timestamps,SecureChannelID

Part 4

TimestampsToReturn

Part 5

AuditEventType

Part 7

Auditing Server Facet

RE (1): Time synchronization

Y

Part 2

Cryptographic Keys (time validity of security profile)

Part 4

SourceTimestamp, VersionTime, Redundant Server Set Requirements

Part 6

Time Synchronization

Part 7

Security Time Synchronization

CR 2.12: Non-repudiation

Y

Part 2

Message alteration, Server Profiling,

System Hijacking, Repudiation, Audit

Event Management

Part 4

Signing, GetEndpoints, SecureChannel, Auditing, Proof of Possession, UserTokenPolicy (user), SecurityPolicy

CR 2.12: Non-repudiation

Y

Part 2

Message alteration, Server Profiling, System Hijacking, Repudiation, Audit Event Management

Part 4

Signing, GetEndpoints, SecureChannel, Auditing, Proof of Possession,

Part 7

User Token – JWT Server/Client Facets, Auditing Server Facet, Auditing Client Facet, Best Practice – Audit Events

EDR 2.13: Use of physical diagnostic and test interfaces

N

CR 3.1: Communication integrity

Y

Part 2

Secure Channel – OpenSecureChannel

Part 4

Secure Channel Service Set

Part 6

Secure Channel, SecurityProtocol

Part 7

Security Policy Required, Security

Policy [A] & [B]

RE (1): Communication authentication

Y

Part 2

Secure Channel – OpenSecureChannel

Part 4

Secure Channel Service Set

Part 6

Secure Channel

Part 7

Security Policy Required, Security

SAR 3.2: Protection from malicious code

N

EDR 3.2: Protection from malicious code

N

HDR 3.2: Protection from malicious code

N

RE (1): Report version of code protection

N

CR 3.3: Security functionality verification

Y

Part 2

Identity Provider, SecurityKeyService, Secure Channel, TLS

Part 4

OpenSecureChannel, CreateSession, Write

Part 6

OPC UA Secure Conversation (UASC), Verifying Message Security, Token Policy, Bad_SecureChannel

Part 7

User Token – JWT Server/Client facets, Security Policy [A] & [B]

CR 3.4: Software and information integrity

Y

Part 2

ApplicationInstance Security Certificate

Part 4

SoftwareCertificates

Part 6

ApplicationInstance Security Certificate, X.509 v3

Part 7

Security ApplicationInstance Security Certificate, Global Security Certificate Management Server/Client Profiles

RE (1): Authenticity of software and information

N

CR 3.5: Input validation

N

CR 3.6: Deterministic output

N

CR 3.7: Error handling

Y

Part 4

Request/Response Service

Part 5

SessionDiagnosticsObjectType

Part 6

MessageChunks, Error Handling, Error Message, CloseSecureChannel

Part 7

Security Policy Required, Security Policy [A] & [B]

CR 3.8: Session integrity

Y

Part 2

Secure Channel, Session ID

Part 4

Session Service Set, Creating a Session, Auditing Session Service, SessionAutenticationToken

Part 7

Session Services Facets, Standard UA Client 2017 Profile, Base Server Behavior Facet

CR 3.9: Protection of audit information

N

EDR 3.10: Support for updates

N

RE (1): Update authenticity and integrity

N

HDR 3.10: Support for updates

N

RE (1): Update authenticity and integrity

N

EDR 3.11: Physical tamper resistance and detection

N

HDR 3.11: Physical tamper resistance and detection

N

EDR 3.12: Provisioning product supplier roots of trust

N

Part 21, RC

Xxx

HDR 3.12: Provisioning product supplier roots of trust

N

Part 21, RC

Xxx

EDR 3.13: Provisioning asset owner roots of trust

N

Part 21, RC

Xxx

HDR 3.13: Provisioning asset owner roots of trust

N

Part 21, RC

Xxx

EDR 3.14: Integrity of the boot process

N

RE (1): Authenticity of the boot process

N

HDR 3.14: Integrity of the boot process

N

RE (1): Authenticity of the boot process

N

CR 4.1: Information confidentiality

Y

Part 2

Confidentiality, Confidentiality, Eavesdropping, Client/Server, PubSub, Confidentiality

Part 4

SecureChannel Service Set

Part 6

OPC UA HTTPS, WebSockets (Security)

Part 7

Security Policy Required, Security Policy [A] & [B]

CR 4.2: Information persistence

N

CR 4.3: Use of cryptography

Y

Part 2

Asymmetric Cryptography, Cryptography, Symmetric Cryptography, SecurityPolicies, Random Number Generation, Security Certificate Management

Part 4

GetEndpoints, OpenSecureChannel

Part 6

Security Handshake, Security Certificates, AccessTokens, Security Header, Deriving Keys (Table 49)

Part 7

AccessToken Request Client Facet, Security User Access Control Base Profile, Best Practice – Random Numbers, Global Discovery and Security Certificate Management 2017 Server, Global Security Certificate Management Client 2017 Profile

CR 4.3: Use of cryptography

Y

Part 2

Asymmetric Cryptography, Cryptography, Symmetric Cryptography, SecurityPolicies, Random Number Generation, Security Certificate Management

Part 4

GetEndpoints, OpenSecureChannel

Part 6

Security Handshake, Security Certificates, AccessTokens, Security Header, Deriving Keys (Table 49)

Part 7

AccessToken Request Client Facet, Security User Access Control Base Profile, Best Practice – Random Numbers, Global Discovery and Security Certificate Management 2017 Server, Global Security Certificate Management Client 2017 Profile

CR 5.1: Network segmentation

Y

Part 2

Network Segmentation, OpenSecureChannel

Part 4

Transport Layer – LS, Communication Layer – Secure Channel, Application Layer – Session for Auth

Part 7

Standard UA Client 2017 Profile, Base Server Behavior Facet

CR 6.1: Audit log accessibility

N

CR 6.2: Continuous monitoring

Y

Part 7

Monitor Items, GetMonitoredItems Method, SetMonitoringMode. Subscription Server Facet, Standard UA Client 2017 Profile, Standard DataChange Subscription 2017 Server Facet

CR 7.1: Denial of service protection

Y

Part 2

Application Crashes, Fuzz Testing, Certification

Part 4

CreateSession, OpenSecureChannel, AuthenticationToken

Part 7

Session Services Facets, Standard UA Client 2017 Profile, Base Server Behavior Facet

RE (1): Manage communication load from component

Y

Part 2

Message flooding, GetEndpoints, OpenSecureChannel

Part 4

CreateSession, OpenSecureChannel, AuthenticationToken

Part 7

Session Services Facets, Standard UA Client 2017 Profile, Base Server Behavior Facet

CR 7.2: Resource management

Y

Part 2

Resource exhaustion, ClientAuthentication, ServerAuditing, OpenSecureChannel

Part 4

CreateSession, OpenSecureChannel, AuthenticationToken

Part 7

Session Services Facets, Standard UA Client 2017 Profile, Base Server Behavior Facet

CR 7.3: Control system backup

N

RE (1): Backup integrity verification

N

CR 7.4: Control system recovery and reconstitution

N

CR 7.6: Network and security configuration settings

N

CR 7.7: Least functionality

N

CR 7.8: Control system component inventory

N

The Open Group, have given the OPC Foundation permission to incorporate the above table from their copyrighted documentation: O-PAS™ Standard, Version 2.1, Copyright© 2021 The Open Group. The table has been edited for format and structure.

______________