Security Check Performed by German Federal Office for Information Security

Industrie 4.0 has included OPC UA as a key part of its reference architecture, such that any supplier or end-user supporting Industrie 4.0 must have OPC UA as part of their solution. In response, the BSI (German Federal Office for Security in Information Technology) initiated a project, "Security evaluation of OPC UA", focusing on an analysis of the OPC UA security specifications and the corresponding reference implementation. As a result, the BSI has issued the following statement:

“An extensive analysis of the security functions in the specification of OPC UA confirmed that OPC UA was designed with a focus on security and does not contain systematic security vulnerabilities.”
— BSI statement

OPC UA is one of the most important modern standards for industrial facilities and many further scenarios in an intelligent and connected world. OPC UA is considered a central building block on the way towards Industrie 4.0. It enables integration between the various layers of the automation pyramid, from the sensor up to the ERP system. For the first time, a unified, worldwide recognized industrial protocol can be employed that provides the necessary cryptographic mechanisms for a secure smart factory. In order to assess the quality of the security mechanisms of OPC UA, BSI has conducted a comprehensive and independent security check.

An extensive analysis of the security functions in the specification of OPC UA confirmed that OPC UA was designed with a focus on security and does not contain systematic security vulnerabilities. Additionally, a selected reference stack (ANSI C, Linux, Intel 32-bit, single thread) was assessed regarding the implementation of the security functionality. No crash could be generated during many tests of the communication stack. A list of security enhancements of the reference implementation was submitted to the OPC Foundation. At all times, the OPC Foundation supported BSI in their security check effort.

The only communication technology in the factory, with implicit security features and the potential for the challenges posed by Industrie 4.0, that I am aware of today, is OPC UA.
— Holger Junker, Head of Division C12, BSI

A full report is now available detailing the tests run by the BSI and their results. Currently, it is only available in German, but it will soon be made available in English as well.

Read the Report (German language)