4 OPC UA security architecture ToC Previous Next

4.5 OPC UA security architecture ToC Previous Next

4.5.3 Publish-Subscribe ToC Previous Next

4.5.3.1 Overview ToC

The PubSub can be deployed in two environments, one in which a broker exists and one which is broker less. For a detailed describe of this model see OPC 10000-14The two environments have different security considerations associated with them, and each will be described separately.

4.5.3.2 Broker-less ToC

The broker-less PubSub communication model provides Confidentiality and Integrity. This is accomplished using Symmetric Encryption and signature algorithms. The required symmetric keys are distributed by a Security Key Server (SKS) (see OPC 10000-14 for additional details). The SKS makes use of the standard Client/Server security described in the previous section to establish application Authentication as well as user Authentication. This approach allows all applications (Publishers and/or Subscribers) in a SecurityGroup to share information

A benefit of using shared symmetric keys is the high performance they offer, but a drawback is that for a group of applications that use a shared symmetric key, all of the applications in the group have the same rights. All applications must trust all other applications in the group. Any application (Publisher or Subscriber) in the group can publish a message and any application (Publisher or Subscriber) in the group can decode the message.

For example, a system might be composed of a shared symmetric group that is composed of a controller (Publisher) and three Subscribers (say HMI’s). The controller is publishing messages and the HMIs are receiving the messages. If one of the HMIs is compromised, it might start publishing messages also. The other two HMIs will not be able to tell that the message was not sent from the controller. One possible solution to this situation could be if the shared symmetric group is composed of just the controller and one HMI. Additional groups would be created for each HMI, then no HMI could affect the other HMIs. Other possible solutions could also involve the network architecture and services, such as unicast restricted network communication, but these are outside the scope of the of OPC UA specification. The configuration of SecurityGroups requires careful consideration when deploying systems to ensure security.

4.5.3.3 Broker ToC

When using a Broker in the PubSub model, the same shared symmetric key concepts as defined in 4.5.3.2 can be used to provide Confidentiality and Integrity. Furthermore, communication to the Broker can be secured according the rules defined for the Broker. These rules are not defined in the OPC Foundation specification but are defined by the Middleware. In many cases the Middleware requires the authorization of both the Publishers and the Subscribers before they can interact with the Broker. The Broker interactions can provide security mechanisms to meet Confidentiality, Integrity and application or user Authentication as security objectives. If the published message is not secured using the shared symmetric key concepts, the message content is visible to the Broker which creates some risk of man-in-the-middle attacks. The use of the shared symmetric keys eliminates this risk.

Previous Next