7.2.4 Integrated security concept
The topic of data security and access protection have become increasingly important in
the industrial environment. The increased networking of entire industrial systems to the
network levels within the company together with the functions of remote maintenance
have all served to increase vulnerability. Threats can arise from internal manipulation like
technical errors, operator and program errors respectively from external manipulation like
software viruses and worms, trojans and password phishing.
The most important precautions to prevent manipulation and loss of data security in the
industrial environment are:
n
Encrypting the data traffic by means of certificates.
n
Filtering and inspection of the traffic by means of VPN - "Virtual Private Networks".
n
Identification of the nodes by "Authentication" via save channels.
n
Segmenting in protected automation cells, so that only devices in the same group can
exchange data.
With the "VDI/VDE 2182 sheet 1", Information Security in the Industrial Automation - Gen-
eral procedural model, VDI guidelines, the VDI/VDE society for measuring and automa-
tion engineering has published a guide for implementing a security architecture in the
industrial environment. The guideline can be found at www.vdi.de PROFIBUS &
PROFINET International (PI) can support you in setting up security standards by means
of the "PROFINET Security Guideline". More concerning this can be found at the corre-
sponding web site such as www.profibus.com
n
Verifying the identity of
OPC UA
servers and clients.
n
Checking the identity of the users.
n
Signed and encrypted data exchange between
OPC UA
server and clients.
n
In the connection settings in the
OPC UA Configurator
, you can specify how a user of
an
OPC UA
client must legitimize access to the
OPC UA
server.
Safety rules:
n
Only activate
‘Anonymous-Login’
or
‘Unsecured data traffic’
in exceptional cases.
n
Only allow access to variables and data blocks via
OPC UA
if it is actually required.
Activate only security guidelines that are compatible with the protection
concept for your machine or Application. Deactivate all other security
guidelines.
OPC UA
has integrated security mechanisms in multiple layers. An important component
here are X.509 certificates, which are also used in the PC world. When using certificates,
the
OPC UA
server delivers data to the client only if the security certificate has been
accepted as valid on both sides. An X.509 certificate includes the following information:
n
Version and serial number of the certificate.
n
Name of the certification authority.
n
Information about the algorithm used by the certification authority to sign the certifi-
cate.
n
Start and end of the validity of the certificate.
n
Name of the program, person, or organization for which the certificate was signed by
the certification authority.
n
The public key of the program, person or organization.
Generals to data security
Guidelines for information
security
Security mechanisms in
OPC UA
X.509 certificates
VIPA System SLIO
Deployment OPC UA
Basics OPC UA > Integrated security concept
HB300 | CPU | 013-CCF0R00 | en | 19-30
189