OPC UA, Cybersecurity, and Smart Manufacturing


OT Data Challenges to Securely Executing a Smart Manufacturing Strategy

Data from automation systems used to stay put. It was produced by sensors, PLCs, and recorders; stored on local OPC servers and databases; and accessed by a few skilled operators and engineers. Although this arrangement was highly secure, data access was limited.

Smart Manufacturing and IoT are driving a variety of positive business outcomes, and data must be shared with new systems, new networks, and a variety of tools for diverse users and roles. Determining the best security strategy for Smart Manufacturing efforts is a struggle, but this article offers a brief review of these key security issues:

  • New applications and data destinations
  • New user roles and expectations
  • Evolving threat landscape

Data collection and analysis represent a significant competitive advantage. Data is the new oil; access to data and expert analysis can drive significant cost savings and revenue increases. IoT buzzwords and ad-hoc technologies have given way to real solutions that drive measurable business outcomes. The challenge is to create and execute a digital transformation strategy to become a secure Smart Manufacturing environment.

Operations networks were walled gardens, managed by groups unrelated to those managing business infrastructure. Over the last twenty years, business intelligence, network analysis, data gathering, and real-time analytics have become commonplace. Data sharing and analysis from manufacturing systems can no longer stop at purpose-built software solutions, supervisory control applications, stand-alone statistical process control, process historians, and relational databases.

New applications enable digital transformation. They do not usually need to occupy layers 0/1/2/3 of a Purdue Model manufacturing network (nor should they!), but it’s imperative to obtain data from these layers. How do we securely enable access between business systems and process control networks? How do we secure data in the cloud?

Purdue and ISA define network layers, and many standards, protocols, and applications can move data securely. Especially for critical operations infrastructure, “air gaps” can be maintained while providing access to data. Custom hardware-based data diodes offer a physical air gap—true network isolation—through unidirectional physical mediums where not a single electron can pass back to the control network. These use custom protocols that flow over the unidirectional cable from diode input hardware to diode output hardware. In the output hardware, data server interfaces facilitate passage of data to upper-level applications like Kepware Server or the destination application. These interfaces might include HTTP/HTTPS, MQTT, OPC DA, or OPC UA.

While a true data diode air gap is one of the best ways to prevent unintended access, it might be enough to implement data diodes using standard Ethernet hardware. Unidirectional protocols, such as Ethernet Global Data over UDP, can be sent over bidirectional mediums like CAT5 or CAT6, with the Ethernet infrastructure, networking rules, operating systems, and application stacks configured to prevent bidirectionality, so that inbound access to the control network is not permitted.
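The one-way pattern described above, as an added example that is not part of the original article: because the receiver can never acknowledge or negotiate, it has to detect loss, tampering, and replay from the frames alone. The frame layout (sequence number, length, HMAC tag), the pre-shared key, and the sample payloads are constructed assumptions, not Ethernet Global Data.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"    # assumption: pre-shared key, provisioned out of band
HEADER = struct.Struct("!IH")    # constructed layout: sequence number, payload length
TAG_LEN = 32                     # HMAC-SHA256 tag appended to every frame

def encode_frame(seq, payload, key=KEY):
    body = HEADER.pack(seq, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class DiodeReceiver:
    """Receive-only side: it never replies, so loss shows up only as sequence gaps."""
    def __init__(self, key=KEY):
        self.key, self.last_seq = key, 0     # assumption: senders start counting at 1
        self.missing, self.rejected = [], 0

    def accept(self, datagram):
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(body) < HEADER.size or not hmac.compare_digest(tag, expected):
            self.rejected += 1               # truncated, forged or corrupted frame
            return None
        seq, length = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if length != len(payload) or seq <= self.last_seq:
            self.rejected += 1               # bad length, replay or reordering
            return None
        self.missing.extend(range(self.last_seq + 1, seq))   # gaps cannot be re-requested
        self.last_seq = seq
        return seq, payload

def constructed_frames():
    """Constructed sample traffic: frame 3 lost, frame 5 altered in transit, frame 2 replayed."""
    good = [encode_frame(n, b"temp=%d" % (70 + n)) for n in (1, 2, 4)]
    tampered = encode_frame(5, b"temp=75").replace(b"temp=75", b"temp=99")
    return good + [tampered, good[1]]

if __name__ == "__main__":
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # receive side: recvfrom() only
    rx.bind(("127.0.0.1", 0))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # send side: sendto() only
    receiver = DiodeReceiver()
    for frame in constructed_frames():
        tx.sendto(frame, rx.getsockname())
        print(receiver.accept(rx.recvfrom(2048)[0]))
    print("missing:", receiver.missing, "rejected:", receiver.rejected)
```

The `missing` and `rejected` counters are the values to alert on at the receiving side, since the sender gets no feedback that anything was dropped or refused.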

Transport Layer Security and Secure Sockets Layer protocols have become common for bidirectional protocols from demilitarized zones (DMZ) or higher-level network segments interacting with systems on control networks. TLS and SSL offer unambiguous identification of requester and requestee, message authenticity, and message encryption. The ease of integration of plug-and-play protocols like OPC UA that need a single inbound open port in the control network firewall can outweigh the concerns about network access. Note: Protocols are only as secure as the certificate maintenance and product update strategy behind them. To stay secure, you must embrace the administrative overhead of reissuing certificates frequently and maintaining products with vendor-released updates. Despite the overhead and maintenance of the applications, protocols, and security practices around firewalls and network segmentation, this approach is relatively simple, low-cost, and secure. These solutions can create a foundation for secure communication from business management to plant floor, whether for operator feedback from manufacturing or for real-time changes to a PLC for process efficiency.

Once data is securely accessible, it must reach the right destination. If access is from a DMZ, access from applications within that network can typically be realized. Moving data between DMZs is typically accomplished through a bidirectional TLS-based protocol (such as OPC UA, HTTPS, MQTT, or a proprietary offering from a software vendor). If moving data to a public cloud, assuming the DMZ has an Internet-facing connection, MQTT or HTTPS can secure travel across the public Internet. Cloud vendors may offer software for the network segment with Internet access, gathering data from local systems using OPC UA, MQTT, HTTP, database, or file access and transferring the data to the cloud using HTTP, MQTT, AMQP, or custom solutions. VPNs may also be employed to increase security between data source and destination.

New users and roles demand data access and the secure infrastructure to provide it. Do these new users want fast refresh rates for real-time analytics or are they using historical data for trend analysis? If real-time isn’t necessary, a SQL replication from a relational database on the process control network to a relational database on the DMZ or secure OPC UA between control network and DMZ to populate a database on the DMZ may be adequate. Direct access to a control network’s protocol stream isn’t often necessary. Understand what these new users and roles need before designing to accommodate them.

Threats to industrial control systems occur with increasing frequency. It’s almost enough for this author to only recommend air gaps with hardware data diodes for any digital transformation effort! However, it’s unrealistic for all organizations, unnecessary for every environment, and still not a flawless guarantee of security! To quote Robert Rash, Principal Architect at solutions provider Microland:

“The greatest myth is the idea of air gapping. The idea that a separate network, VLAN, or segment that isn’t connected to the Internet stays that way and keeps them isolated and protected is almost always false. There’s always a technician, engineering station, or remote connection that provides connectivity to these “air gapped” networks and typically is done without any guidance or control and without the SecOps knowledge.”

With attack vectors even in isolated environments, it is more important than ever to secure and manage every aspect of networks. This includes training and behavior modifications for users, the use of only company-approved software and hardware, and multiple layers of authentication.

This article covered problems and solutions related to security in Smart Manufacturing initiatives. Data is critical to the future of business and proper use of technology and well-developed strategies can ensure a high degree of security while businesses transform.