Simplifying OPC UA security for everyone

Published September 18, 2017

Partner Director, Azure Internet of Things

At the IoT Expo in Taipei, we were excited to announce our contribution of an open-source, cross-platform OPC UA Global Discovery Server (GDS) to the OPC Foundation. As we did with our UA-.Net Standard cross-platform reference stack contribution, we will check it in to the OPC Foundation's GitHub in the next couple of weeks. While an OPC UA GDS also manages OPC UA server configuration and handles centralized discovery, the greatest value of a GDS deployment is its certificate management capability, which is described here.

The most important aspect of the digital factory and other connected industrial infrastructure is security. A defense-in-depth security approach is needed on premises: the air gap traditionally used to protect the Operational Technology infrastructure (i.e. the factory floor) from the Information Technology infrastructure (i.e. the back office and public Internet) was proven insufficient over 7 years ago. For example, Stuxnet managed to “jump” the air gap by infecting laptops of engineers working in the factory who hand-carried the virus on premises. Defense-in-depth means that each machine on the factory floor handles its own security and doesn’t rely on a perimeter security concept alone.

Until now, no open-source GDS reference implementation has been available to the public. Given this limitation, it is not surprising that the majority of factory operators turn off security (i.e. authentication and encryption) on their machines altogether or rely on a complicated and time-intensive manual exchange of self-signed OPC UA certificates (one per machine/server and one per connecting client). To make this process easier to manage, operators also use insecure locations to store certificates, such as file shares and USB keys. Furthermore, self-signed certificates are not only management-intensive, they also rely on the factory operator to make trust decisions based on hard-to-understand information in the certificate, information that can also be easily spoofed because a self-signed certificate cannot be independently validated. Self-signed certificates are therefore not recommended for establishing trust and should not be used. On the other hand, Certificate Authority (CA)-signed certificates as provided by a GDS can be validated (via the certificate “chain” leading back to the root CA), and manual exchange of certificates is eliminated because all certificates signed by a certain CA are trusted by an application trusting the CA. A GDS can also handle the automatic installation of a CA-signed certificate on the machine.
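The difference in trust decisions described above can be reproduced with the `openssl` command line. This is an added example, not code from the GDS or the OPC Foundation stack: the CA and machine names are constructed, and a plain X.509 chain check stands in for an OPC UA application's trust list.

```shell
#!/bin/sh
# Added example with constructed names ("Constructed Factory CA", "machine-01").
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal request config so the run does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/req.cnf"

# self_signed NAME CN: certificate signed only by its own key.
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -config "$WORK/req.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# ca_signed NAME CN: key and request for CN, signed with the CA key
# (the step a GDS performs centrally for each machine).
ca_signed() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -config "$WORK/req.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# chain_check NAME: decision of an application whose only trust anchor is the CA.
chain_check() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

subject()    { openssl x509 -in "$WORK/$1.crt" -noout -subject; }
thumbprint() { openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256; }

self_signed ca        "Constructed Factory CA"
ca_signed   machine   "machine-01"
self_signed lookalike "machine-01"   # same displayed name, no CA signature

for c in machine lookalike; do
  echo "$c: $(subject "$c") | $(chain_check "$c")"
  thumbprint "$c"
done
```

Both certificates show the same subject and differ only in their thumbprints, which is what an operator would have to compare by hand in a self-signed deployment; the chain check accepts only the certificate the CA signed.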

Now, we realize that not everyone will be able to download, compile and run a GDS reference implementation from GitHub. We have therefore decided that we will additionally offer an Azure IoT Edge-based GDS, integrated with our upcoming Azure IoT Hub Device Provisioning Service. This fully cloud-managed GDS will also be available open-source on GitHub and as a Docker container on Docker Hub and will be the first truly global GDS, containing data from a customer’s worldwide industrial OPC UA-enabled machine deployments.

As you can see, we continue to invest in making the factory of the future more secure by simplifying and supporting the leading open industrial interoperability standard OPC UA.