Annex E Initial security setup of components and setting up a Vending Machine (Informative)

E.1 Overview

This informative annex describes how components vendors can distribute their components in some initial configuration and mechanisms system integrators can use to configure those components in order to allow them to communicate via OPC UA.

E.2 Initial configuration of Components

All components defined in this specification contain an OPC UA server part and according to the defined profiles implement the global certificate management server facet that allows a GDS (see OPC 10000-12) to configure the security certificates of the component via the OPC UA server. Those components can be shipped in a provisioning mode (see OPC 10000-12) that allows an initial Client (of the GDS) to connect and do the configuration of the certificates. Typically, a component does not provide its intended functionality while in provisioning mode in order to force a correct configuration of security.

E.3 Initial integration of Components

When setting up a Vending Machine the components of the Vending Machine need to be configured with respect to their security certificates in order to allow them to communicate with each other. The components implement the global certificate management server facet (see E.2) that allows the configuration via an off-the-shelf GDS product or tailored applications to configure a vending machine, using the standardized OPC UA interfaces (see OPC 10000-12). When using this, it is reasonable to use the concept of a CA (certificate authority) to sign certificates instead of using self-signed certificates. That implies, that all components trust the CA and get their certificates signed by the CA, and thereby they trust each other. More precise, an GDS can manage several certificate groups. The scope of such a group can be handled differently. The most restrictive configuration would be to put all components of a Vending Machine into a certificate group. This guarantees that only the components of the Vending Machine can communicate to each other. But other settings are possible, as well. For example, an Operator may choose to put all its components into one certificate group or all components of a specific type of Vending Machine, etc. This is decreasing the security to a certain degree, but simplifies the usage.

All components of a Vending Machine need to be integrated into the same certificate group, and switched from provisioning mode into normal operation mode (that may be done by restarting the component after the certificates have been configured). Afterwards, they will be able to communicate to each other. The Vending Machine can be configured and deployed in its intended destination.

E.4 What needs to be considered during runtime?

A GDS or tailored application is not required to run 24/7 and access the OPC UA servers it manages all the time. When only considering the certificate management, its only tasks after the initial configuration is to renew the certificates before they expire and to update the CRL (certificate revocation list: certificates, that have been signed, have still a valid lifetime but should not be trusted anymore).

The lifetime of a certificate can be configured in the GDS. Typically, this is rather short (1-3 month) in order to avoid that the CRL gets too large. If the scope of a certificate group is a Vending Machine, where typically components are not coming and going, the length of certificates may be made much longer (years), since the CRL will often not have any entries at all.

That implies that a GDS does neither need to run inside a Vending Machine nor have remote access to the Vending Machine under normal operations. It may need to be available when reconfiguring a Vending Machine or replacing components (see E.5). And it needs to be used to renew the certificates before expiring, which depends on the configured lifetime of the certificates and may be executed during normal maintenance operations of a Vending Machine or remotely, if the Vending Machine is connected to the Internet. OPC UA defines an CertificateExpirationAlarmType (see OPC 10000-12) that can be used to warn before the certificate expires.

E.5 Adding / removing / replacing Components into a configured Vending Machine

When a component should be added to an existing Vending Machine it needs to be added to the certificate group by the GDS or specialized application. This does not require access by the GDS to the other components of the Vending Machine, i.e., this could be done on a workbench before the technician travels to the location of the Vending Machine. By signing the certificate, the new component will be accepted as communication partner from the other components of the Vending Machine.

When a component gets removed from the Vending Machine, ideally it should be removed from the certificate group and therefore be added to the CRL, while the lifetime of the signed certificate is still valid. This requires, that the GDS or specialized application has access to all the other components of the Vending Machine. This is the most secure option. Alternatively, the component gets reset and the reset reliably removes the certificate (including the private key) from the component. If this process is trusted, the component can be removed and reset in order to disable it talking to the other components of the Vending Machine. If the component gets removed because it is broken and cannot be reset, the memory section should be physically destroyed in order to avoid security risks.

Replacing a component is combining adding and removing a component, so the above text can be applied.