SPONSORED BY: KEPWARE PTC
Today’s industrial control systems leverage the latest OPC Unified Architecture (UA) standards, which provide cross-platform interoperability between software applications and devices. This allows for the vendor-independent exchange of real-time, alarm and condition, historical, and many other types of data. Due to the criticality of Industrial Control Systems (ICS) and the desire to make process and business information available to anyone, anywhere, and at any time, the information that is exchanged between interested parties must meet the security requirements of the site. The OPC UA standards are designed to meet these security requirements while maintaining the level of flexibility and control that site administrators expect.
Most sites will incorporate a Cyber Security Management System (CSMS) to address security-related requirements. These requirements may range from the adoption of security policies around physical and electronic boundaries to auditing and to preventive and response procedures. In order to address the threats discussed earlier, a security risk assessment will be initiated and appropriate security measures will be implemented. A good implementation will follow a “defense-in-depth” strategy, in which there are multiple layers of protection. This is necessary because no one-size-fits-all solution will protect against every security threat. Instead, many threat-specific appliances will be deployed to protect a site. This may include a combination of firewalls, intrusion detection/prevention systems (IDS/IPS), patch-management systems, and IT rules defining what is and is not allowed within the context of the system.
To mitigate security threats, OPC UA has a multitier design that consists of an application layer, a communications layer, and a transport layer.
Through its flexible security model, OPC UA can adapt to a site’s CSMS by giving the administrator complete control over how communications are set up and managed. OPC UA’s client/server architecture also fits well with a defense-in-depth strategy, as UA-aware applications can act as intermediaries between different layers within a site and limit the amount of information that can be exposed or manipulated.
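The three-layer design and the administrator's control over communication settings described in the two paragraphs above become concrete when a site audits the endpoints its OPC UA servers advertise. The following is an added example, not code from the page or from Kepware/PTC: it takes endpoint descriptions shaped like the fields of a GetEndpoints response (endpoint URL, security policy URI, message security mode, accepted user identity token types) and checks each one against a site baseline, with every finding attributed to the layer that enforces it (transport: URL scheme; communication: secure-channel policy and mode; application: user identity). The security policy URIs and the MessageSecurityMode and UserTokenType values are those of the OPC UA specification; the `Endpoint` and `Baseline` types, the `audit` functions and the sample endpoints are this example's own constructions.

```python
"""Audit OPC UA endpoint descriptions against a site security baseline.

Added example, not code from the page or from Kepware/PTC. The endpoint
records below are constructed and mirror the fields of an EndpointDescription
(endpointUrl, securityPolicyUri, securityMode, userIdentityTokens); the
baseline and the findings format are this example's own design.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# MessageSecurityMode values from the OPC UA specification (Part 4).
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3

# UserTokenType values from the OPC UA specification (Part 4).
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE, TOKEN_ISSUED = 0, 1, 2, 3

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"

# Security policies the OPC Foundation has deprecated (SHA-1 / RSA PKCS#1 v1.5 based).
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}


@dataclass(frozen=True)
class Endpoint:
    endpoint_url: str
    security_policy_uri: str
    security_mode: int
    user_token_types: tuple


@dataclass(frozen=True)
class Baseline:
    """Site requirements, grouped by the OPC UA layer that enforces them."""
    allowed_schemes: tuple = ("opc.tcp",)    # transport layer
    require_encryption: bool = True          # communication layer (secure channel)
    allow_deprecated_policies: bool = False  # communication layer (secure channel)
    allow_anonymous: bool = False            # application layer (session / user identity)


def policy_name(uri):
    """Strip the OPC Foundation namespace: '...#Basic256Sha256' -> 'Basic256Sha256'."""
    return uri[len(POLICY_PREFIX):] if uri.startswith(POLICY_PREFIX) else uri


def audit_endpoint(ep, baseline):
    """Return a list of (layer, finding) tuples; an empty list means compliant."""
    findings = []

    # Transport layer: only the schemes the site permits.
    scheme = urlparse(ep.endpoint_url).scheme
    if scheme not in baseline.allowed_schemes:
        findings.append(("transport", f"scheme '{scheme}' not permitted by site policy"))

    # Communication layer: secure-channel policy and message security mode.
    policy = policy_name(ep.security_policy_uri)
    if policy == "None" or ep.security_mode == MODE_NONE:
        findings.append(("communication", "secure channel is neither signed nor encrypted"))
    elif ep.security_mode == MODE_SIGN and baseline.require_encryption:
        findings.append(("communication", "messages are signed but not encrypted"))
    if policy in DEPRECATED_POLICIES and not baseline.allow_deprecated_policies:
        findings.append(("communication", f"deprecated security policy {policy}"))

    # Application layer: which user identity tokens the endpoint accepts.
    if TOKEN_ANONYMOUS in ep.user_token_types and not baseline.allow_anonymous:
        findings.append(("application", "anonymous user identity token accepted"))

    return findings


def audit(endpoints, baseline=Baseline()):
    """Map each endpoint, keyed by (url, policy, mode), to its findings."""
    return {
        (ep.endpoint_url, policy_name(ep.security_policy_uri), ep.security_mode):
            audit_endpoint(ep, baseline)
        for ep in endpoints
    }


# Constructed sample: four endpoints as one server might advertise them.
SAMPLE_ENDPOINTS = (
    Endpoint("opc.tcp://plc01.example.local:4840", POLICY_PREFIX + "None",
             MODE_NONE, (TOKEN_ANONYMOUS, TOKEN_USERNAME)),
    Endpoint("opc.tcp://plc01.example.local:4840", POLICY_PREFIX + "Basic256",
             MODE_SIGN, (TOKEN_USERNAME,)),
    Endpoint("opc.tcp://plc01.example.local:4840", POLICY_PREFIX + "Basic256Sha256",
             MODE_SIGN_AND_ENCRYPT, (TOKEN_USERNAME, TOKEN_CERTIFICATE)),
    Endpoint("https://plc01.example.local:443", POLICY_PREFIX + "Basic256Sha256",
             MODE_SIGN_AND_ENCRYPT, (TOKEN_USERNAME,)),
)

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_ENDPOINTS).items():
        status = "OK" if not findings else "; ".join(f"{layer}: {msg}" for layer, msg in findings)
        print(key, "->", status)
```

Run against the constructed sample, only the Basic256Sha256 / SignAndEncrypt endpoint over opc.tcp passes; the others are reported with the layer at which the site's baseline is violated, which is the information an administrator needs to decide which endpoints to disable on the server and which to block at the firewall or IDS/IPS between layers.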