OPC Foundation publishes Recommendations for Secure Configuration and Operation of OPC UA


How to realize secure data exchange and communication in industry? The OPC Foundation Security User Group answers this question by publishing its first whitepaper “Practical Security Recommendations”

Scottsdale, Nov 28, 2017 – The OPC Foundation published a set of practical guidelines for the secure configuration and use of OPC UA in industry. Written for busy professionals, this concise, easy to read brochure helps readers quickly understand what OPC UA security has to offer and how to best use it.

Rapid growth in the networking and digitization of industrial systems has introduced a host of new security challenges that must be addressed systematically to be effectively mitigated. In particular, beyond the need for implementing secure network infrastructures, it is essential to protect product and production data moving throughout the systems. Device vendors, engineers, and system integrators need to ensure they use these technologies in a secure way. While industry acknowledges the need for data security and that the OPC UA standard offers the means to do so – OT and IT professionals alike are often unsure on how to best get started.

“Currently, users and developers are overwhelmed with making security decisions during their daily job. Incorrect use of security features causes many security vulnerabilities, due to difficulties to use software and a lack of security knowledge. Documentation, tutorials, and good examples are often missing”, says Prof. Dr. Eric Bodden, professor of Software Engineering at Paderborn University and director of Software Engineering at Fraunhofer IEM.

To help address this challenge, the OPC Foundation established a security user group which is led by Uwe Pohlmann, Fraunhofer IEM and Prof. Dr.-Ing. Axel Sikora, Hochschule Offenburg. The aim of this group is to develop best practices and guidelines for typical OPC UA security use cases.

The document is available on the OPC Foundation Website:

The German government sanctioned Intelligent Technical Systems OstWestfalenLippe (it’s OWL) organization supplied the group with key use cases and requirements to help ensure output from the group best addresses users’ real-world orientation and practical knowledge needs.

“OPC UA is secure by design, but you actually have to use the security features it provides to reap the benefits”, says Erich Barnstedt, Principal Software Engineering Lead, Azure Industrial IoT at Microsoft. “The Security configuration task can be simplified dramatically when an OPC UA server is secure by default, i.e. all security features are already turned on when the customer takes the server out of the box for the first time. It is also important for the device vendors to make the security configuration as simple as possible, for example by providing wizards and easy to understand guidelines. We can’t expect OPC UA server users to be security experts.”

Members of the Security User Group are: Ascolab, Beckhoff Automation, DS Interoperability, exceet Secure Solutions, Fraunhofer IEM, Hochschule Offenburg, Microsoft Corporation, Software AG, Sparhawk Software Inc, and TE Connectivity.

A second whitepaper presenting best practices and selected use cases for a secure implementation and operation of OPC UA is expected to be released in 2018.


About OPC Foundation

The OPC Foundation is a nonprofit international standards organization dedicated to developing and maintaining the best specifications, technology and certification to achieve multivendor, multiplatform, secure, reliable information from embedded devices to the cloud. OPC Foundation started in 1995, and the OPC community is grown to over 4200 different companies building OPC products with over 47,000,000 installations. OPC specifications are available without membership and OPC reference implementations are open sourced on GitHub. The foundation has an open certification program enabling members and nonmembers to certify their products.


About OPC UA

OPC Unified Architecture (OPC UA) is a platform and vendor independent communication technology for a secure and reliable data exchange over the different levels of the automation pyramid. In addition, the information models of the OPC UA standard provide the foundation for a semantic interoperability.

Find more information here: www.opcfoundation.org

Uwe Pohlmann, Fraunhofer Research Institution for Mechatronic Systems Design IEM
Email: uwe.pohlmann@iem.fraunhofer.de

Prof. Dr. Ing Sikora, Embedded Systems und Kommunikationselektronik, Hochschule Offenburg Email: axel.sikora@hs-offenburg.de

Stefan Hoppe, Global Vice President, OPC Foundation
E-mail: stefan.hoppe@opcfoundation.org


Picture Pic1.jpg: Uwe Pohlmann, Fraunhofer IEM
Picture Pic3.jpg: Stefan Hoppe, OPC Foundation and Uwe Pohlmann, Fraunhofer IEM