by Frans van Dorsselaer, Fox-IT
OPC UA is gaining ground. The attendance at the Interoperability Workshop in Nürnberg last month was higher than ever. The product variety is also increasing; we recognized controlling devices, gateways to legacy and proprietary protocols, operational HMIs, historians, and back office integration products. Fox-IT was present with their Fox DataDiode security product, in order to test it with all available servers and clients.
Security is becoming more and more important now that OPC UA is being implemented in products at different business levels. The OPC Foundation has recognized this and has specified security features in the standard from the onset. The world of security is constantly changing, with new increasingly sophisticated threats and concerns surfacing every year. This has already led to amendments to the OPC UA standard. During this year’s interoperability workshop a new authentication mechanism was presented, a Global Discovery Service (GDS), intended to augment the LDS and LDS-ME mechanisms of today. GDS, together with cryptographically secured communication, provides for security within the same trust domain. Crossing boundaries between different trust domains, however, remains a security challenge.
Fox-IT builds innovative high technology security solutions, especially for the most critical assets of the infrastructure. The Fox DataDiode, a one-way network connection guarantees 100% integrity protection between two nodes in the network by physically restricting the communication to one direction. The device or subnet providing the data (at the operational level), can in no way be influenced or attacked by the device or subnet that is monitoring the data (at the monitoring/office level). This assures full guaranteed separation between security trust domains. Fox-IT has been invited to take a seat in the security subgroup, working together with the OPC Foundation to stay on top of the latest security developments.
Diagram: A Fox DataDiode protects critical safety sensors within the operational layer. A second Fox DataDiode protects the entire operational layer from the business IT layer; the latter being connected to the Internet.
From a technical perspective, the Fox DataDiode acts as an OPC UA client on the higher trust level and exposes a replica OPC UA server on the lower trust level. During testing, the Fox DataDiode replication process reported a few inconsistencies in the data exposed by some products participating in the workshop. Most of these were fixed during the workshop by their respective developers. The OPC Interoperability Workshop has proven to be an invaluable opportunity to smooth out the glitches that every product has when implementing a relatively new standard like OPC UA. Fox-IT will certainly be present next year, seeking to repeat the success of last month’s workshop and test even more products from different vendors.