How the OPC UA Standard Enables Security in Industrial Environments
Join Florian Handke, Director Industrial Security at Campus Schwarzwald and Consultant for Keyfactor, and Sven Rajala, International PKI Man of Mystery, as they dig into the topic of Certificate Management for OPC UA. Learn how certificates, PKI, and signing are used today and best practices for implementation.
Key Takeaways
- Adopt Secure Practices: Avoid the "None" security policy and prefer signed and encrypted modes to ensure secure communication.
- Leverage Standards: Use standardized PKI protocols (CMP, EST) to maximize compatibility and avoid vendor lock-in.
- Crypto Agility/Modernize Crypto: Build in the ability to move beyond algorithms such as RSA so that systems remain future-proof.
- Centralized Management: Utilize an external PKI with your GDS for efficient certificate management to maintain security across industrial devices and other use cases.
The following section offers further insights and a detailed summary of the topics covered by Florian and Sven during this KEYMASTER episode.
What is OPC UA?
- OPC UA (Open Platform Communications Unified Architecture) is both a protocol and an information model used primarily in industrial ecosystems, including IoT and IIoT.
- It allows users to define data structures and communicate with OEMs or vendors using a standard protocol.
- Its open nature enables easy integration across different industries (e.g., robotics, injection molding), ensuring aligned and reusable data structures.
Key Features of OPC UA
- Information Model: Maintains consistent data structures across industries.
- Protocol Flexibility: Supports both data modeling and device communication.
- Security Support: Provides options for signing and encryption, although "None" (unsecured) is still widely used in practice.
PKI’s Role in OPC UA
- PKI provides mutual device authentication and, beyond that, assurance of data origin and trustworthiness, which is critical in industrial applications. The protocol that carries this is specified by OPC UA itself, e.g., OPC UA Secure Conversation (UA-SC).
- OPC UA's security policies recommend signed and encrypted modes for robust protection, though adoption in OT environments is still evolving.
Challenges and Practices
- Many systems rely on self-signed certificates, often with long validity periods (20+ years) and algorithms that will soon be outdated (e.g., RSA-only support).
- This approach lacks agility for future cryptographic changes, leading to potential vulnerabilities.
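The two weaknesses the speakers call out, "None" security settings still in use and self-signed certificates with 20+ year lifetimes, can be checked from the data an OPC UA server already exposes. The audit below is an added example, not code from the episode or from Keyfactor; the policy URIs and MessageSecurityMode values are those defined by the OPC UA specification, while the 5-year certificate limit and the sample endpoint list are constructed assumptions.

```python
"""Audit OPC UA endpoint descriptions and certificate lifetimes for weak settings.
Endpoint mirrors the fields of a GetEndpoints response (EndpointUrl,
SecurityPolicyUri, SecurityMode); the sample data at the bottom is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# MessageSecurityMode enumeration values from OPC UA Part 4.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
# Policies withdrawn in OPC UA 1.04 (built on SHA-1 and RSA PKCS#1 v1.5).
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}
CURRENT_POLICIES = {"Basic256Sha256", "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"}
# Assumed site limit for OT server certificates; the page only says 20+ years is too long.
MAX_CERT_LIFETIME = timedelta(days=5 * 365)

@dataclass
class Endpoint:
    url: str
    policy_uri: str  # e.g. "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
    mode: int        # MessageSecurityMode value

def audit_endpoint(ep: Endpoint) -> list:
    """Return findings for one endpoint; an empty list means it is acceptable."""
    policy = ep.policy_uri.rsplit("#", 1)[-1]  # URI fragment names the policy
    if policy == "None" or ep.mode == MODE_NONE:
        return ["unsecured: SecurityPolicy None / MessageSecurityMode None"]
    findings = []
    if policy in DEPRECATED_POLICIES:
        findings.append(f"deprecated policy {policy}")
    elif policy not in CURRENT_POLICIES:
        findings.append(f"unrecognised policy {policy}")
    if ep.mode == MODE_SIGN:
        findings.append("Sign only: messages are authenticated but not encrypted")
    return findings

def audit_cert_lifetime(not_before: datetime, not_after: datetime) -> list:
    """Flag a certificate whose validity period exceeds the assumed site limit."""
    lifetime = not_after - not_before
    if lifetime > MAX_CERT_LIFETIME:
        return [f"certificate valid for {lifetime.days // 365} years; exceeds limit"]
    return []

if __name__ == "__main__":
    prefix = "http://opcfoundation.org/UA/SecurityPolicy#"
    sample = [  # constructed GetEndpoints result for one hypothetical server
        Endpoint("opc.tcp://plc01:4840", prefix + "None", MODE_NONE),
        Endpoint("opc.tcp://plc01:4840", prefix + "Basic128Rsa15", MODE_SIGN_AND_ENCRYPT),
        Endpoint("opc.tcp://plc01:4840", prefix + "Basic256Sha256", MODE_SIGN_AND_ENCRYPT),
    ]
    for ep in sample:
        print(ep.policy_uri.rsplit("#", 1)[-1], audit_endpoint(ep) or "OK")
    print(audit_cert_lifetime(datetime(2020, 1, 1), datetime(2045, 1, 1)))
```

Only the endpoint that combines a current policy with SignAndEncrypt passes; in a real deployment the endpoint list would come from the server's GetEndpoints call and the dates from the parsed server certificate.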
Certificate Management in OPC UA
- OPC UA employs the Global Discovery Server (GDS), a centralized system for managing security and certificate logistics within an OPC UA environment.
- GDS integrates with external PKIs.
Standardized Protocols
- Standardized protocols like CMP (Certificate Management Protocol) and EST (Enrollment over Secure Transport) ensure interoperability and avoid vendor lock-in.
- Leading industrial players like Siemens and Phoenix Contact use these standards to drive open and interoperable solutions.