
Automating Industrial IoT Security

Posted on April 20, 2018

Principal Software Engineering Lead

Industrial IoT is the largest IoT opportunity. At Microsoft, we serve this vertical with an Industrial IoT Cloud Platform Reference Architecture, which we have bundled into an open-source Azure IoT Suite solution called Connected Factory and launched at HMI 2017 a year ago.

Since then, we have continued our collaboration with the OPC Foundation, the non-profit organization that develops the OPC UA industrial interoperability standard, and added many new open-source contributions to its GitHub page, further extending our lead as the largest contributor of open-source software to the OPC Foundation by a factor of 10. We have also successfully certified the open-source, cross-platform .NET Standard OPC UA reference stack for compliance. This was a crucial step in our open-source OPC UA journey, as Connected Factory uses this stack internally. We also reduced the monthly Azure consumption cost of Connected Factory thanks to the recently announced new pricing structure of Azure IoT Hub.

Although Connected Factory is extremely popular with both machine builders and manufacturers, we hear from time to time that it is still difficult to connect real machines to it and, at the same time, make these machines secure for IoT applications. Therefore, we have added several new modules and services to Connected Factory that make connectivity and security fully automatic. We are pleased to announce that we are launching these new modules and services at HMI this year.

In detail, we added:

  • An automatic machine/asset discovery Azure IoT Edge module called OPC Twin, which detects OPC UA servers on the OT network and automatically registers them with Azure IoT Hub. The OPC Twin can also be controlled and managed from the cloud using a companion OPC Twin microservice running on Azure.
  • The OPC Twin also creates a Device Twin for each OPC UA server, complete with OPC UA metadata. This allows interaction with each individual OPC UA server from the cloud using native IoT Hub APIs.
  • The OPC Twin also performs an automatic security assessment of each individual OPC UA server and highlights security weaknesses to the user.
  • Furthermore, we added a cloud-assisted OPC UA Global Discovery Server (GDS), again packaged as an IoT Edge module. It handles automatic security configuration of OPC UA servers and, like the OPC Twin, has a companion Azure-based microservice for control and management from the cloud. This microservice, called GDS Vault, uses Azure Key Vault to securely store and manage the X.509 certificates and private keys used by OPC UA. Through its cloud-based interface, operators can manage the security settings of OPC UA servers on a global scale for the first time and no longer need to manually exchange OPC UA certificates for each OPC UA client and server on each factory floor they are responsible for. The GDS therefore represents the world's first truly global GDS.
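The post does not say which checks the OPC Twin's security assessment performs, so the following is an added example of my own, not code from Connected Factory or the OPC Foundation stack. It shows the kind of per-endpoint assessment a discovery component can run on the EndpointDescription data every OPC UA server returns from GetEndpoints: it flags endpoints with message security mode None, deprecated SHA-1 based policies (Basic128Rsa15, Basic256), anonymous access, and username/password tokens that would travel unencrypted, then rates the server and picks the strongest usable endpoint. The three endpoints in SAMPLE_ENDPOINTS are constructed to mirror a common default server configuration; the hostname and URL are hypothetical.

```python
"""Security assessment of OPC UA endpoint descriptions (added example).

Operates on the fields of the OPC UA EndpointDescription structure
(SecurityPolicyUri, SecurityMode, UserIdentityTokens). The sample data at
the bottom is constructed; nothing here talks to a live server.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"


class MessageSecurityMode(IntEnum):   # numeric values from OPC UA Part 4
    NONE = 1
    SIGN = 2
    SIGN_AND_ENCRYPT = 3


class UserTokenType(IntEnum):         # numeric values from OPC UA Part 4
    ANONYMOUS = 0
    USERNAME = 1
    CERTIFICATE = 2
    ISSUED_TOKEN = 3


# Higher rank is stronger. Basic128Rsa15 and Basic256 depend on SHA-1 and
# are deprecated by the OPC Foundation; None offers no protection at all.
POLICY_RANK = {
    "None": 0, "Basic128Rsa15": 1, "Basic256": 2,
    "Basic256Sha256": 3, "Aes128_Sha256_RsaOaep": 4, "Aes256_Sha256_RsaPss": 5,
}
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class UserTokenPolicy:
    token_type: UserTokenType
    # Policy used to encrypt the token itself; None means "inherit the endpoint's policy".
    security_policy_uri: Optional[str] = None


@dataclass
class EndpointDescription:
    endpoint_url: str
    security_policy_uri: str
    security_mode: MessageSecurityMode
    user_identity_tokens: List[UserTokenPolicy]


@dataclass
class Finding:
    severity: str          # "Low", "Medium" or "High"
    endpoint_url: str
    message: str


def policy_name(uri: str) -> str:
    """Strip the OPC UA security policy URI down to its short name."""
    return uri.rsplit("#", 1)[-1]


def assess_endpoint(ep: EndpointDescription) -> List[Finding]:
    """Return the weaknesses of a single endpoint."""
    findings: List[Finding] = []
    name = policy_name(ep.security_policy_uri)

    if ep.security_mode == MessageSecurityMode.NONE or name == "None":
        findings.append(Finding("High", ep.endpoint_url, "unsecured channel: traffic is neither signed nor encrypted"))
    elif name in DEPRECATED_POLICIES:
        findings.append(Finding("Medium", ep.endpoint_url, f"deprecated security policy {name} (SHA-1 based)"))
    elif name not in POLICY_RANK:
        findings.append(Finding("Medium", ep.endpoint_url, f"unknown security policy {name}"))
    elif ep.security_mode == MessageSecurityMode.SIGN:
        findings.append(Finding("Low", ep.endpoint_url, "channel is signed but not encrypted: process data is readable on the wire"))

    for tok in ep.user_identity_tokens:
        if tok.token_type == UserTokenType.ANONYMOUS:
            findings.append(Finding("Medium", ep.endpoint_url, "anonymous user access is enabled"))
        elif tok.token_type == UserTokenType.USERNAME:
            # A password token is only as protected as the policy that encrypts it.
            effective = tok.security_policy_uri or ep.security_policy_uri
            if policy_name(effective) == "None":
                findings.append(Finding("High", ep.endpoint_url, "username/password token is sent without encryption"))
    return findings


def assess_server(endpoints: List[EndpointDescription]) -> Dict[str, object]:
    """Aggregate findings, rate the server and pick the strongest endpoint without High findings."""
    findings: List[Finding] = []
    for ep in endpoints:
        findings.extend(assess_endpoint(ep))
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    rating = {0: "OK", 1: "Low", 2: "Medium", 3: "High"}[worst]
    usable = [ep for ep in endpoints if all(f.severity != "High" for f in assess_endpoint(ep))]
    recommended = max(
        usable,
        key=lambda ep: (int(ep.security_mode), POLICY_RANK.get(policy_name(ep.security_policy_uri), -1)),
        default=None,   # a server that only offers None endpoints has no usable endpoint
    )
    return {"rating": rating, "findings": findings, "recommended_endpoint": recommended}


# Constructed sample: a typical out-of-the-box server exposing three endpoints.
ANON = UserTokenPolicy(UserTokenType.ANONYMOUS)
USERPW = UserTokenPolicy(UserTokenType.USERNAME)
CERT = UserTokenPolicy(UserTokenType.CERTIFICATE)
SAMPLE_ENDPOINTS = [
    EndpointDescription("opc.tcp://press-01:4840/", POLICY_PREFIX + "None", MessageSecurityMode.NONE, [ANON, USERPW]),
    EndpointDescription("opc.tcp://press-01:4840/", POLICY_PREFIX + "Basic128Rsa15", MessageSecurityMode.SIGN, [ANON, USERPW]),
    EndpointDescription("opc.tcp://press-01:4840/", POLICY_PREFIX + "Basic256Sha256", MessageSecurityMode.SIGN_AND_ENCRYPT, [USERPW, CERT]),
]

if __name__ == "__main__":
    report = assess_server(SAMPLE_ENDPOINTS)
    print("rating:", report["rating"])
    for f in report["findings"]:
        print(f"  [{f.severity}] {f.endpoint_url}: {f.message}")
    rec = report["recommended_endpoint"]
    print("recommended:", rec and f"{rec.endpoint_url} {policy_name(rec.security_policy_uri)}/{rec.security_mode.name}")
```

Note that all three sample endpoints share one URL, as is normal for OPC UA; an endpoint is identified by URL plus policy plus mode, which is why the report returns the whole EndpointDescription rather than the URL. An assessment of this shape surfaces exactly the defaults a GDS-driven configuration should turn off on the factory floor: the None endpoint, the deprecated policies and anonymous access.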

Needless to say, we will provide an open-source integration of all of the above in Connected Factory on GitHub shortly.

We are proud that both the OPC Foundation and the Plattform Industrie 4.0 recommend the use of a Global Discovery Server for security management of OPC UA servers. Both organizations have released whitepapers (1) (2) describing the details.

Here is a diagram of our new Connected Factory architecture:

I would also like to quote from an article by John Rinaldi from Real Time Automation, written in response to our announcement that we contributed an open-source Global Discovery Server to the OPC Foundation:

"Global Discovery Server will make all the difference in adoption. GDS implementations have been lacking for OPC UA and it has been one of the weak points of the architecture. Microsoft products vastly improve the OPC UA technology and solidify Microsoft's position on the factory floor. Most, if not all, factory floor implementations will need the GDS to handle the certificate management and that means that nearly all OPC UA installations will have a Microsoft presence."

But wait, there’s more!

We are also proud to announce that we have extended Azure IoT Central with the power of OPC UA, making a non-intrusive connection to on-premises machines possible for IoT Central customers as well.

As you can see, we continue to invest to support you with the right Industrial IoT Cloud Platform at every step of your digital transformation journey in manufacturing:


We can’t wait to see what new products you will build using it!