How the OPC UA Standard Enables Security in Industrial Environments
Join Florian Handke, Director Industrial Security at Campus Schwarzwald and Consultant for Keyfactor, and Sven Rajala, International PKI Man of Mystery, as they dig into the topic of Certificate Management for OPC UA. Learn how certificates, PKI, and signing are used today and best practices for implementation.
Key Takeaways
Adopt Secure Practices: Avoid the "None" security policy and prefer signed and encrypted modes to ensure secure communication.
Leverage Standards: Use standardized PKI protocols (CMP, EST) to maximize compatibility and avoid vendor lock-in.
Crypto Agility/Modernize Crypto: Add the ability to move beyond algorithms like RSA to support future-proof systems.
Centralized Management: Utilize an external PKI with your GDS for efficient certificate management to maintain security across industrial devices and other use cases.
OPC UA allows users to define data structures and communicate with OEMs or vendors using a standard protocol.
Its open nature enables easy integration across different industries (e.g., robotics, injection molding), ensuring aligned and reusable data structures.
Key Features of OPC UA
Information Model: Maintains consistent data structures across industries.
Protocol Flexibility: Supports both data modeling and device communication.
Security Support: Provides options for signing and encryption, although "None" (unsecured) is still widely used in practice.
PKI’s Role in OPC UA
PKI ensures mutual device authentication and, beyond that, the origin and trustworthiness of the data exchanged, which is critical in industrial applications. The secure channel protocol is specified by OPC UA itself, e.g., OPC UA Secure Conversation (UA-SC).
OPC UA's security policies recommend signed and encrypted modes for robust protection, though adoption in OT environments is still evolving.
Challenges and Practices
Many systems rely on self-signed certificates, often with long validity periods (20+ years) and algorithms that will soon be outdated (e.g., RSA-only support).
This approach lacks the agility to absorb future cryptographic changes, leaving such systems potentially vulnerable.
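The weaknesses just described (self-signed, 20+ year validity, RSA-only) can be checked mechanically before a certificate is trusted. The following Go program is an added example, not code from the webinar, Keyfactor or any OPC UA stack: it builds a constructed field-device certificate with the standard library and audits it. The 5-year and 3072-bit thresholds are this example's assumptions, and it goes slightly beyond the text by also checking for the URI SAN entry through which OPC UA binds a certificate to its ApplicationUri.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// auditCert lists what a reviewer would flag on an OPC UA application instance
// certificate. The 5-year and 3072-bit thresholds are this example's assumptions.
func auditCert(c *x509.Certificate) []string {
	var findings []string
	// Self-signed: issuer equals subject and the signature verifies with the cert's own key.
	if c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		findings = append(findings, "self-signed: no CA issuer, no revocation path")
	}
	if years := c.NotAfter.Sub(c.NotBefore).Hours() / 8760; years > 5 {
		findings = append(findings, fmt.Sprintf("validity of %.0f years exceeds the 5-year threshold", years))
	}
	// RSA is still the norm on field devices; small keys limit crypto agility.
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 3072 {
		findings = append(findings, fmt.Sprintf("RSA-%d key below 3072 bits", k.N.BitLen()))
	}
	// OPC UA binds a certificate to its ApplicationUri through a URI SAN entry.
	if len(c.URIs) == 0 {
		findings = append(findings, "no URI SAN carrying the OPC UA ApplicationUri")
	}
	return findings
}

// makeSample builds a constructed self-signed RSA certificate (key size in bits,
// validity in years) standing in for a typical field-device certificate.
func makeSample(bits, years int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "plc-01"}, // constructed device name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Calling `auditCert` on `makeSample(2048, 20)` yields four findings; on a real device you would pass the certificate parsed from its PKI store instead of the constructed sample.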
Certificate Management in OPC UA
OPC UA employs the Global Discovery Server (GDS), a centralized system for managing security and certificate logistics within an OPC UA environment.
GDS integrates with external PKIs.
Standardized Protocols
Standardized protocols like CMP (Certificate Management Protocol) and EST (Enrollment over Secure Transport) ensure interoperability and avoid vendor lock-in.
Leading industrial players like Siemens and Phoenix Contact use these standards to drive open and interoperable solutions.