Highly Secure in Non-Secure Networks With OPC UA
How do IT security experts evaluate the networking of plants and machinery with OPC UA? And is OPC UA also suitable for critical infrastructures and sensitive plant segments? Steve Schoner, Product Marketing Manager, and Markus Maier, Product Owner for Industrial Products at the IT-security company genua, explain in an expert interview how industry can resolve the conflict between networking and security.
Industrial networks must satisfy ever increasing requirements to meet the needs of Industry 4.0. In demand are comprehensive and secure network architectures that can be dynamically scaled, offer standardized interfaces, and enable simple machine integration. Within this complex framework, OPC UA, as an open standard, is an important component for secure and platform-neutral industrial communication.
Why is the topic of OPC UA so important for Industry 4.0?
Markus Maier: OPC UA is the industrial protocol of the future, at least for the German and European markets. As an open, platform-independent communication standard, it is independent of the transmission layer, regardless of whether it runs over TCP/IP or real-time-capable protocols such as TSN. And it functions on small controllers and enterprise servers alike. This applies not only to information exchange but also to services made available by the devices. How devices communicate with one another is thereby standardized.
Steve Schoner: Industry 4.0 and digitization require strong networking, and OPC UA makes exactly this possible. Instead of transforming proprietary, manufacturer-specific protocols across industrial network borders and needing to worry about how data is exchanged in networks or application layers, with OPC UA a single protocol can be used, from the sensor to the cloud. With OPC UA, I can map a large portion of the horizontal and vertical layers. We at genua see ourselves as independent IT security experts. We therefore support OPC UA as a leading standard protocol. With OPC UA, the customer is not restricted to a single provider that he must select on a layer transition in the automation pyramid. He can opt for any service provider.
Can you name an example of services that are typically integrated in Industry 4.0?
Markus Maier: The classic network services, e.g., for device diagnosis, are one example. There are also device-specific groups – so-called companion specifications – by means of which it is, e.g., possible to standardize which services a robot offers. Manufacturers of certain device or machine categories join forces and develop their own extensions for the OPC UA standard.
Open Platform Communications Unified Architecture, abbreviated OPC UA, is a manufacturer- and platform-independent standard for industrial communication in the context of Industry 4.0. It enables access to data and applications vertically, from machines or field devices all the way to the cloud, as well as horizontally, from machine to machine (M2M).
The open communication standard is independent of the operating system, of the application and of the programming language. Secure communication is provided directly in the protocol, without additional hardware. The range spans from OPC UA components integrated in devices, plants or machinery to enterprise servers. OPC UA also integrates security mechanisms for encryption, digital signing and authentication. OPC UA thereby offers good conditions for the successful networking and digitization of industry.
The manufacturer- and platform-independent standard was developed by the OPC Foundation, which was founded in 1996. The OPC Foundation is a global non-profit organization with more than 450 members from all areas of industry including, as of recently, genua. It works closely together with users and manufacturers to constantly further develop the OPC UA open standard and to adapt it to the needs of the market.
The networking of devices, plants and machinery brings with it basic security risks. The issue of IT security was therefore given consideration as part of the OPC UA standard: an integrated security layer for authentication and encryption is part of the design. In practice, however, the user is dependent on the quality of the given manufacturer's implementation. For sensitive plants and network segments, supplementary security solutions may therefore be useful.
From the perspective of IT security, what fundamental questions arise if a secure network is to be set up for Industry 4.0?
Steve Schoner: First, you should be aware of what assets are located in the network – perhaps the network grew organically over the years and was not always thoroughly documented. Our cognitix Threat Defender can help answer this question by using asset detection or asset tracking to analyze which transmitters and receivers communicate with one another. Other important questions include:
How should the network be structured?
How can networking be performed securely?
What do you want to network together?
As IT security experts, how do you assess the networking of plants and machinery with OPC UA? Is that first and foremost useful or risky?
Markus Maier: Under the rubric of networking and digitization, the standard is useful for industry in any case. The topic of security plays a fundamental role, of course. IT security is part of the OPC UA standard – a separate security layer was specified for this purpose. This defines mechanisms such as how services or devices identify themselves, how data is encrypted and how the authentication of this data is ensured. It also allows secured sessions between an OPC UA client and server and offers auditing services in the spirit of "when did which device or which client, server or user use certain services." OPC UA also defines an information model specifying how data can be accessed in a structured manner, such as machine data, machine states or alarms. A separate data model exists for this purpose. Thus, the interpretation of the data is standardized as well.
Steve Schoner: The OPC UA protocol thereby does in fact ensure security. It defines uniform interfaces for how data and applications are accessed.
Markus Maier: You also need to be aware that you are dependent on the security of the implementation of the OPC UA protocol or stack. With a given stack, you also need to work with its weaknesses. Anyone who wants to eliminate these risks should consider supplementary security solutions like our high-security cyber-diode. This diode itself allows only unidirectional communication, for example, to channel data from sensitive industrial plants into the IT-security layer of non-secure environments, such as the Internet or a cloud. If the OPC UA stack is compromised due to vulnerabilities, this does not affect the integrity of the industrial plant. In this case, attackers have no access to the plants or machinery. We also supply an encrypted data channel via IPsec from the classified data sector, independent of the OPC UA encryption.
Does this mean that OPC UA significantly simplifies communication in industrial networks but, with respect to IT security, increases the risk of a compromise?
Markus Maier: You can't put it quite like that. The OPC UA standard does, in fact, address the aspect of IT security and, as already explained, does take an integrated security layer for authentication and encryption into account in the design. The problem is that the user is dependent on the implementation of the OPC UA stack of the respective manufacturer. This difficult-to-assess security risk can be intercepted very well by our solutions, e.g., by means of network segmentation or a strict network separation between sensitive and non-secure areas. With the Industrial Firewall genuwall, segmentation, authentication and automation are available to the customer for checking whether a user or a machine is authorized to use a specific OPC UA server service. And the cyber-diode strictly separates highly critical networks in which standard firewalls do not provide sufficient protection. It offers a reliable communication channel to the Internet without leaving itself vulnerable from the outside.
genua is the IT-security specialist. What expertise can the company contribute to Industry 4.0?
Steve Schoner: When everything is networked to everything else, the question arises as to how individual segments can be effectively secured. This is the area in which genua has its expertise. Our solutions secure domain and segment transitions. What distinguishes our products from those of other IT-security providers is that we offer not only stateful firewalls but also have an OPC UA application filter that queries authorization layers, e.g., to determine whether someone is permitted to send a message to a certain target system. We can offer network segmentation not only on the TCP/IP layer like classic firewalls but also on the application layer. Moreover, we also enable edge computing, i.e., data preprocessing and analysis on a secure platform with flexible Docker apps in your own network before the data is diverted vertically for further processing.
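The difference between filtering on the TCP/IP layer and on the OPC UA application layer, as described in the last answer, can be illustrated with the first message of every OPC UA TCP connection. A stateful firewall only sees that a client opens a TCP connection to port 4840; an application-layer filter can decode the OPC UA Hello message (OPC UA Part 6: 3-byte message type, 1-byte chunk type, little-endian UInt32 message size, five UInt32 parameters and a length-prefixed EndpointUrl string) and decide on the basis of which server endpoint the client actually asks for. The following Python is an added, illustrative example written for this article; it is not genuwall's or any other genua product code, and the subnet, endpoint URLs and rule format are constructed assumptions. It validates the framing strictly (declared size, field lengths) before it evaluates a policy, so a malformed Hello is dropped before it ever reaches an OPC UA stack.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

# OPC UA TCP message header (Part 6): 3-byte MessageType, 1-byte ChunkType, UInt32 MessageSize.
HEADER_LEN = 8
# Hello body: ProtocolVersion, ReceiveBufferSize, SendBufferSize, MaxMessageSize, MaxChunkCount
# (5 x UInt32 = 20 bytes) followed by the EndpointUrl String (Int32 length + UTF-8 bytes).
HELLO_FIXED_LEN = 20 + 4
MAX_ENDPOINT_URL_LEN = 4096  # Part 6 caps the EndpointUrl at 4096 bytes


@dataclass(frozen=True)
class HelloMessage:
    protocol_version: int
    receive_buffer_size: int
    send_buffer_size: int
    max_message_size: int
    max_chunk_count: int
    endpoint_url: str


@dataclass(frozen=True)
class Rule:
    """Constructed policy format: clients in a subnet may reach only the listed endpoints."""
    client_subnet: ipaddress.IPv4Network
    allowed_endpoints: frozenset


def build_hello(endpoint_url: str, protocol_version: int = 0) -> bytes:
    """Encode a Hello message. Used here only to construct sample client traffic."""
    url_bytes = endpoint_url.encode("utf-8")
    body = struct.pack("<IIIII", protocol_version, 65535, 65535, 0, 0)
    body += struct.pack("<i", len(url_bytes)) + url_bytes
    return b"HEL" + b"F" + struct.pack("<I", HEADER_LEN + len(body)) + body


def parse_hello(frame: bytes) -> HelloMessage:
    """Decode one complete Hello frame; raise ValueError on any framing inconsistency."""
    if len(frame) < HEADER_LEN:
        raise ValueError("truncated header")
    msg_type, chunk_type = frame[:3], frame[3:4]
    declared_size = struct.unpack_from("<I", frame, 4)[0]
    if msg_type != b"HEL" or chunk_type != b"F":
        raise ValueError(f"unexpected message type {msg_type!r}/{chunk_type!r}")
    if declared_size != len(frame):
        raise ValueError(f"declared size {declared_size} != frame length {len(frame)}")
    if len(frame) < HEADER_LEN + HELLO_FIXED_LEN:
        raise ValueError("frame too short for a Hello body")
    fields = struct.unpack_from("<IIIII", frame, HEADER_LEN)
    url_len = struct.unpack_from("<i", frame, HEADER_LEN + 20)[0]
    # A Hello without an endpoint (null string, length -1) is not acceptable to a filter.
    if url_len < 0 or url_len > MAX_ENDPOINT_URL_LEN:
        raise ValueError(f"invalid EndpointUrl length {url_len}")
    url_start = HEADER_LEN + HELLO_FIXED_LEN
    if url_start + url_len != len(frame):
        raise ValueError("EndpointUrl length disagrees with frame length")
    url = frame[url_start:url_start + url_len].decode("utf-8")
    return HelloMessage(*fields, url)


def filter_hello(client_ip: str, frame: bytes, rules: List[Rule]) -> Tuple[bool, str]:
    """Application-layer decision for one Hello: (allowed, reason)."""
    try:
        hello = parse_hello(frame)
    except (ValueError, UnicodeDecodeError) as exc:
        return False, f"drop: malformed Hello ({exc})"
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if ip in rule.client_subnet:
            if hello.endpoint_url in rule.allowed_endpoints:
                return True, f"allow: {client_ip} -> {hello.endpoint_url}"
            return False, f"drop: {client_ip} not permitted to reach {hello.endpoint_url}"
    return False, f"drop: no rule for {client_ip}"


# Constructed sample policy: the HMI subnet may only talk to the PLC endpoint.
RULES = [Rule(ipaddress.ip_network("10.1.0.0/24"),
              frozenset({"opc.tcp://plc-01.plant.example:4840"}))]

if __name__ == "__main__":
    # Both connections look identical on the TCP/IP layer (same client, same port 4840);
    # only the OPC UA Hello reveals which server the client is asking for.
    for url in ("opc.tcp://plc-01.plant.example:4840", "opc.tcp://hist-db.plant.example:4840"):
        print(filter_hello("10.1.0.5", build_hello(url), RULES))
    # A frame whose declared size does not match its length is dropped as malformed.
    good = build_hello("opc.tcp://plc-01.plant.example:4840")
    print(filter_hello("10.1.0.5", good[:4] + struct.pack("<I", len(good) + 8) + good[8:], RULES))
```

A production filter would continue the same strict parsing for the OpenSecureChannel and subsequent MSG chunks, and would combine the endpoint check with the authentication state of the secure channel; the Hello stage alone already shows why segmentation on the application layer can distinguish two connections that are indistinguishable to a classic stateful firewall.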