OPC Unified Architecture – Part 2: Security Model
Go
v1.05.06
1
Scope
2
Normative References
3
Terms, definitions, abbreviated terms and conventions
3.1
Terms and definitions
3.1.1
Untitled
3.1.2
Untitled
3.1.3
Untitled
3.1.4
Untitled
3.1.5
Untitled
3.1.6
Untitled
3.1.7
Untitled
3.1.8
Untitled
3.1.9
Untitled
3.1.10
Untitled
3.1.11
Untitled
3.1.12
Untitled
3.1.13
Untitled
3.1.14
Untitled
3.1.15
Untitled
3.1.16
Untitled
3.1.17
Untitled
3.1.18
Untitled
3.1.19
Untitled
3.1.20
Untitled
3.1.21
AuthenticatedEncryption
3.1.22
Untitled
3.1.23
Untitled
3.1.24
Untitled
3.1.25
Untitled
3.1.26
Untitled
3.1.27
Untitled
3.1.28
Untitled
3.1.29
Untitled
3.1.30
Untitled
3.1.31
Untitled
3.1.32
Untitled
3.1.33
Untitled
3.1.34
Untitled
3.1.35
Untitled
3.1.36
Untitled
3.1.37
Untitled
3.1.38
Untitled
3.1.39
Untitled
3.1.40
Untitled
3.1.41
Untitled
3.1.42
Untitled
3.1.43
Untitled
3.1.44
Untitled
3.1.45
Untitled
3.1.46
Untitled
3.1.47
Untitled
3.1.48
Untitled
3.1.49
Untitled
3.1.50
Untitled
3.1.51
Untitled
3.1.52
Untitled
3.1.53
Untitled
3.1.54
Untitled
3.1.55
Untitled
3.1.56
Untitled
3.1.57
Untitled
3.1.58
Untitled
3.1.59
Untitled
3.1.60
Untitled
3.1.61
Untitled
3.1.62
Untitled
3.1.63
Untitled
3.1.64
Untitled
3.2
Abbreviated terms
3.3
Conventions for security model figures
4
OPC UA security architecture
4.1
OPC UA security environment
4.2
Security objectives
4.2.1
Overview
4.2.2
Authentication
4.2.3
Authorization
4.2.4
Confidentiality
4.2.5
Integrity
4.2.6
Non- Repudiation
4.2.7
Auditability
4.2.8
Availability
4.2.9
Perfect Forward Secrecy
4.3
Security threats to OPC UA systems
4.3.1
Overview
4.3.2
Denial of service
4.3.2.1
Overview
4.3.2.2
Message flooding
4.3.2.3
Resource Exhaustion
4.3.2.4
Application Crashes
4.3.3
Eavesdropping
4.3.4
Message spoofing
4.3.5
Message alteration
4.3.6
Message replay
4.3.7
Malformed Messages
4.3.8
Server profiling
4.3.9
Session hijacking
4.3.10
Rogue Server
4.3.11
Rogue Publisher
4.3.12
Rogue Local Discover Server
4.3.13
Compromising user credentials
4.3.14
Compromising identity services
4.3.15
Repudiation
4.3.16
Message suppression
4.3.17
Downgrade Attack
4.3.18
Network Infrastructure attacks
4.4
OPC UA relationship to site security
4.5
OPC UA security architecture
4.5.1
Overview
4.5.2
Client / Server
4.5.2.1
Overview
4.5.2.2
Session application layer
4.5.2.3
Session communication layer
4.5.2.4
Transport layer
4.5.2.5
Session-less Service invocation
4.5.3
Publish-Subscribe
4.5.3.1
Overview
4.5.3.2
Broker-less
4.5.3.3
Broker
4.6
SecurityPolicies
4.7
Security Profiles
4.8
Security Mode settings
4.9
User Authentication
4.10
Application Authentication
4.11
User Authorization
4.12
Roles
4.13
OPC UA security related Services
4.14
Auditing
4.14.1
General
4.14.2
Single Client and Server
4.14.3
Aggregating Server
4.14.4
Aggregation through a non-auditing Server
4.14.5
Aggregating Server with service distribution
5
Security reconciliation
5.1
Reconciliation of threats with OPC UA security mechanisms
5.1.1
Overview
5.1.2
Denial of Service
5.1.2.1
Overview
5.1.2.2
Message flooding
5.1.2.3
Resource exhaustion
5.1.2.4
Application Crashes
5.1.3
Eavesdropping
5.1.4
Message spoofing
5.1.5
Message alteration
5.1.6
Message replay
5.1.7
Malformed Messages
5.1.8
Server profiling
5.1.9
Session hijacking
5.1.10
Rogue Server or Publisher
5.1.11
Rogue Local Discover Server
5.1.12
Compromising user credentials
5.1.13
Repudiation
5.1.14
Message Suppression
5.1.15
Downgrade Attack
5.1.16
Network Infrastructure attacks
5.2
Reconciliation of objectives with OPC UA security mechanisms
5.2.1
Overview
5.2.2
Application Authentication
5.2.3
User Authentication
5.2.4
Authorization
5.2.5
Confidentiality
5.2.6
Integrity
5.2.7
Auditability
5.2.8
Availability
6
Implementation and deployment considerations
6.1
Overview
6.2
Appropriate timeouts:
6.3
Strict Message processing
6.4
Random number generation
6.5
Special and reserved packets
6.6
Rate limiting and flow control
6.7
Administrative access
6.8
Cryptographic Keys
6.9
Alarm related guidance
6.10
Program access
6.11
Audit event management
6.12
OAuth2, JWT and User roles
6.13
HTTPS, TLS & Websockets
6.14
Reverse Connect
6.15
Passwords
6.16
Additional Security considerations
6.17
Least privilege principle
6.18
Zero trust environments
6.19
Diagnostic related issues
6.20
Changing Users in OPC UA
7
Unsecured Services
7.1
Overview
7.2
Discovery
7.3
Multicast Discovery
8
GlobalDiscoveryServer Security
8.1
Overview
8.2
Rogue GDS
8.3
Threats against a GDS
8.4
Certificate management threats
9
Certificate management
9.1
Overview
9.2
Self signed certificate management
9.3
CA Signed Certificate management
9.4
GDS Certificate Management
9.4.1
Overview
9.4.2
Certificate management for developers
Annex A
Mapping to ISA/IEC 62443-4-2 (informative)
Annex B
ECC vs RSA
B.1
Overview
B.2
RSA
B.3
ECC
3.1.37
Untitled
↑
↓
✕
OPC Unified Architecture – Part 2: Security Model
OPC Unified Architecture – Part 2: Security Model