CLC/TR 62541-2:2010
OPC unified architecture - Part 2: Security model
IEC/TR 62541-2:2010(E) describes the OPC Unified Architecture (OPC UA) security model. It describes the security threats of the physical, hardware and software environments in which OPC UA is expected to run. It describes how OPC UA relies upon other standards for security. It gives an overview of the security features that are specified in other parts of the OPC UA specification. It references services, mappings, and profiles that are specified normatively in other parts of this series of standards. It is directed to readers who will develop OPC UA client or server applications or implement the OPC UA services layer.
OPC Unified Architecture - Teil 2: Modell für die IT-Sicherheit
Architecture unifiée OPC - Partie 2: Modèle de sécurité
Poenotena arhitektura OPC - 2. del: Zaščitni model (IEC/TR 62541-2:2010)
This part of IEC 62541 describes the OPC Unified Architecture (OPC UA) security model. It describes the security threats of the physical, hardware and software environments in which OPC UA is expected to run. It describes how OPC UA relies upon other standards for security. It gives an overview of the security features that are specified in other parts of the OPC UA specification. It references services, mappings, and profiles that are specified normatively in other parts of this series of standards. Note that there are many different aspects of security that have to be addressed when developing applications. However, since OPC UA specifies a communication protocol, the focus is on securing the data exchanged between applications. This does not mean that an application developer can ignore the other aspects of security, such as protecting persistent data against tampering. It is important that the developer review all aspects of security and decide how they can be addressed in the application. This part of IEC 62541 is directed to readers who will develop OPC UA client or server applications or implement the OPC UA services layer. It is assumed that the reader is familiar with Web Services and XML/SOAP. Information on these technologies can be found in SOAP Part 1 and SOAP Part 2.
Standards Content (Sample)
SLOVENIAN STANDARD
01-december-2010
Poenotena arhitektura OPC - 2. del: Zaščitni model (IEC/TR 62541-2:2010)
OPC unified architecture - Part 2: Security model (IEC/TR 62541-2:2010)
OPC Unified Architecture - Teil 2: Modell für die IT-Sicherheit (IEC/TR 62541-2:2010)
Architecture unifiée OPC - Partie 2: Modèle de sécurité (CEI/TR 62541-2:2010)
This Slovenian standard is identical to: CLC/TR 62541-2:2010
ICS:
25.040.40 Industrial process measurement and control
35.100.01 Open systems interconnection in general
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
TECHNICAL REPORT
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
CLC/TR 62541-2
August 2010
ICS 25.040.40; 35.100.01
English version
OPC unified architecture - Part 2: Security model (IEC/TR 62541-2:2010)
Architecture unifiée OPC - Partie 2: Modèle de sécurité (CEI/TR 62541-2:2010)
OPC Unified Architecture - Teil 2: Modell für die IT-Sicherheit (IEC/TR 62541-2:2010)
This Technical Report was approved by CENELEC on 2010-06-25.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus,
the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia,
Spain, Sweden, Switzerland and the United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Management Centre: Avenue Marnix 17, B - 1000 Brussels
© 2010 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. CLC/TR 62541-2:2010 E
Foreword
The text of the Technical Report IEC/TR 62541-2:2010, prepared by SC 65E, Devices and integration
in enterprise systems, of IEC TC 65, Industrial-process measurement, control and automation, was
submitted to vote and was approved by CENELEC as CLC/TR 62541-2 on
2010-06-25.
Annex ZA has been added by CENELEC.
__________
Endorsement notice
The text of the Technical Report IEC/TR 62541-2:2010 was approved by CENELEC as a Technical
Report without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 62541-3 NOTE Harmonized as EN 62541-3.
IEC 62541-4 NOTE Harmonized as EN 62541-4.
IEC 62541-5 NOTE Harmonized as EN 62541-5.
IEC 62541-6 NOTE Harmonized as EN 62541-6.
__________
- 3 - CLC/TR 62541-2:2010
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HD
applies.
Publication      Year    Title                                                      EN/HD            Year
IEC/TR 62541-1   2010    OPC unified architecture - Part 1: Overview and concepts   CLC/TR 62541-1   2010
IEC 62541        Series  OPC unified architecture                                   EN 62541         Series
IEC/TR 62541-2
Edition 1.0 2010-02
TECHNICAL REPORT
OPC Unified Architecture – Part 2: Security Model
INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE V
ICS 25.040.40; 35.100.01 ISBN 2-8318-1080-3
– 2 – TR 62541-2 © IEC:2010(E)
CONTENTS
FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions, abbreviations and conventions
3.1 Terms and definitions
3.2 Abbreviations and symbols
3.3 Conventions concerning security model figures
4 OPC UA Security architecture
4.1 OPC UA security environment
4.2 Security objectives
4.2.1 General
4.2.2 Authentication
4.2.3 Authorization
4.2.4 Confidentiality
4.2.5 Integrity
4.2.6 Auditability
4.2.7 Availability
4.3 Security threats to OPC UA systems
4.3.1 General
4.3.2 Message flooding
4.3.3 Eavesdropping
4.3.4 Message spoofing
4.3.5 Message alteration
4.3.6 Message replay
4.3.7 Malformed messages
4.3.8 Server profiling
4.3.9 Session hijacking
4.3.10 Rogue server
4.3.11 Compromising user credentials
4.4 OPC UA relationship to site security
4.5 OPC UA security architecture
4.6 Security policies
4.7 Security profiles
4.8 User authorization
4.9 User authentication
4.10 Application authentication
4.11 OPC UA security related services
4.12 Auditing
4.12.1 General
4.12.2 Single client and server
4.12.3 Aggregating server
4.12.4 Aggregation through a non-auditing server
4.12.5 Aggregating server with service distribution
5 Security reconciliation
5.1 Reconciliation of threats with OPC UA security mechanisms
5.1.1 General
5.1.2 Message flooding
5.1.3 Eavesdropping
5.1.4 Message spoofing
5.1.5 Message alteration
5.1.6 Message replay
5.1.7 Malformed messages
5.1.8 Server profiling
5.1.9 Session hijacking
5.1.10 Rogue server
5.1.11 Compromising user credentials
5.2 Reconciliation of objectives with OPC UA security mechanisms
5.2.1 General
5.2.2 Authentication
5.2.3 Authorization
5.2.4 Confidentiality
5.2.5 Integrity
5.2.6 Auditability
5.2.7 Availability
6 Implementation considerations
6.1 General
6.2 Appropriate timeouts
6.3 Strict message processing
6.4 Random number generation
6.5 Special and reserved packets
6.6 Rate limiting and flow control
Bibliography
Figure 1 – OPC UA network model
Figure 2 – OPC UA security architecture
Figure 3 – Simple servers
Figure 4 – Aggregating servers
Figure 5 – Aggregation with a non-auditing server
Figure 6 – Aggregate server with service distribution
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
OPC UNIFIED ARCHITECTURE –
Part 2: Security Model
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organiza
...