
OPC UA and CodeMeter

OPC Unified Architecture (OPC UA) is increasingly establishing itself as the accepted communication standard in the automation industry. The open IEC 62541 standard provides platform independence, an object-oriented information model, and type safety, and makes IT security another of its technological cornerstones. It is interoperable from the smallest device up to enterprise-level IT and even cloud solutions. As a world-leading protection and licensing technology, CodeMeter is an ideal partner for OPC UA: it stores keys and certificates in secure hardware and adds not just greater security, but also new business opportunities through licensing for OPC UA devices.

OPC UA offers exceptional security on the protocol level

OPC UA is more than a communication protocol. The open standard covers:

  • Confidentiality: Encrypting data
  • Integrity: Signing data
  • Application authentication
  • User authentication
  • User authorization
  • Auditing
  • Availability

It authenticates applications at the transport layer with X.509 certificates, with trust managed through a public key infrastructure and the trust lists installed on each device. Whether a connection is actually signed or encrypted, however, depends on the security policy and message security mode negotiated for the endpoint: only Sign or SignAndEncrypt with a current policy protects data in transit, while an endpoint offering security mode None sends everything in clear.
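Because the mechanisms above are only in force for the policy and mode an endpoint actually advertises, the first check a practitioner runs against a device is an audit of its endpoint list. The following is an added example, not code from the article, from CodeMeter, or from any OPC UA SDK. It works on plain dictionaries shaped like the EndpointDescription structures a GetEndpoints call returns (the field names endpoint_url, security_policy_uri, security_mode and user_identity_tokens are assumptions); the three sample endpoints are constructed for the example, not captured from a real device.

```python
"""Audit the endpoints an OPC UA server advertises for weak security settings.

Added example; not code from the article, from CodeMeter, or from any OPC UA
SDK. Input is a list of dicts modelled on EndpointDescription (assumed field
names); SAMPLE_ENDPOINTS below is constructed, not captured from a device.
"""
from dataclasses import dataclass
from typing import List

# MessageSecurityMode values as defined in OPC UA Part 4.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3

# UserIdentityToken types from Part 4: Anonymous=0, UserName=1, Certificate=2, IssuedToken=3.
TOKEN_ANONYMOUS, TOKEN_USERNAME = 0, 1

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"

# Policies still acceptable today. Basic128Rsa15 and Basic256 rely on SHA-1
# and are deprecated; None provides no signing or encryption at all.
ACCEPTABLE_POLICIES = {"Basic256Sha256", "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"}
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}


@dataclass
class Finding:
    endpoint_url: str
    severity: str
    message: str


def policy_name(uri: str) -> str:
    """Strip the well-known prefix so that 'Basic256Sha256' etc. can be compared."""
    return uri[len(POLICY_PREFIX):] if uri.startswith(POLICY_PREFIX) else uri


def audit_endpoint(ep: dict) -> List[Finding]:
    url = ep["endpoint_url"]
    channel_policy = ep["security_policy_uri"]
    mode = ep["security_mode"]
    name = policy_name(channel_policy)
    findings: List[Finding] = []

    if mode == MODE_NONE or name == "None":
        findings.append(Finding(url, "high", "security mode None: traffic is neither signed nor encrypted"))
    else:
        if name in DEPRECATED_POLICIES:
            findings.append(Finding(url, "medium", f"deprecated security policy {name}"))
        elif name not in ACCEPTABLE_POLICIES:
            findings.append(Finding(url, "medium", f"unrecognised security policy {name}"))
        if mode == MODE_SIGN:
            findings.append(Finding(url, "low", "Sign only: messages are authenticated but readable on the wire"))

    for token in ep.get("user_identity_tokens", []):
        if token["token_type"] == TOKEN_ANONYMOUS:
            findings.append(Finding(url, "medium", "anonymous user token accepted"))
        elif token["token_type"] == TOKEN_USERNAME:
            # An empty token policy means "use the secure channel's policy".
            token_policy = policy_name(token.get("security_policy_uri") or channel_policy)
            if token_policy == "None" and mode != MODE_SIGN_AND_ENCRYPT:
                findings.append(Finding(url, "high", "username/password token would be sent in clear"))
    return findings


def audit_endpoints(endpoints) -> List[Finding]:
    return [f for ep in endpoints for f in audit_endpoint(ep)]


def severities(endpoint: dict) -> List[str]:
    return [f.severity for f in audit_endpoint(endpoint)]


# Constructed sample: the kind of endpoint list a default SDK build advertises.
SAMPLE_ENDPOINTS = [
    {"endpoint_url": "opc.tcp://plc-01:4840",
     "security_policy_uri": POLICY_PREFIX + "None", "security_mode": MODE_NONE,
     "user_identity_tokens": [{"token_type": TOKEN_ANONYMOUS, "security_policy_uri": ""}]},
    {"endpoint_url": "opc.tcp://plc-01:4840",
     "security_policy_uri": POLICY_PREFIX + "Basic256", "security_mode": MODE_SIGN,
     "user_identity_tokens": [{"token_type": TOKEN_USERNAME, "security_policy_uri": POLICY_PREFIX + "None"}]},
    {"endpoint_url": "opc.tcp://plc-01:4840",
     "security_policy_uri": POLICY_PREFIX + "Basic256Sha256", "security_mode": MODE_SIGN_AND_ENCRYPT,
     "user_identity_tokens": [{"token_type": 2, "security_policy_uri": ""}]},
]

if __name__ == "__main__":
    for f in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"{f.severity:<6} {f.endpoint_url}: {f.message}")
```

Only the third endpoint passes clean; the second shows the combination that is easy to miss in practice, a Sign-only channel with a username token whose own policy is None, which puts the password on the wire in clear even though the channel is "secured".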

Broad support 

OPC UA has won extensive support, e.g. from the Industrial Internet Consortium (IIC), the Chinese Alliance of Industrial Internet (AII), and Plattform Industrie 4.0. Germany's Federal Office for Information Security (BSI) has evaluated its security. It will not be the only standard accepted around the world; DDS by the Object Management Group (OMG), for example, is also available, and the choice depends on the specific application.

Endpoint security

In a connected world, all endpoints need to be secure, whether they are sensors or actuators, controllers, or historians in the cloud.

The Industrial Internet Security Framework (IISF) published in September 2016 describes the many elements of endpoint protection.

Holistic security does not stop at the protocol layer 

In addition to communication, the security of endpoints is just as important.

Endpoints are where operating systems, libraries, drivers, and applications are exposed to attack. The consequences of a compromised endpoint can be disastrous: cryptographic keys can be stolen, the device's identity spoofed, configuration data such as trust lists and certificates tampered with, applications manipulated, and invaluable know-how lost.

This calls for extensive protection. Many devices using OPC UA are still not protected well enough: private keys and trust lists are stored in the regular file system, and applications are left unguarded against tampering. A successful attack on a single endpoint can then compromise an entire infrastructure, putting functionality, reliability, and know-how at risk.
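The weakness just described is easy to confirm on a device: the application's private key sits as a plain PEM file in the SDK's PKI store, often world-readable, and the trust list next to it is writable by any local user. The following audit is an added example, not code from the article, from CodeMeter/CmEmbedded, or from any OPC UA SDK. It assumes the PKI store layout many SDKs use (the application's own key under own/private, the trust list under trusted/certs); the store it scans is constructed in a temporary directory with placeholder PEM bodies, not real keys from a device.

```python
"""Find OPC UA key material left unprotected on a device's file system.

Added example; not code from the article, from CodeMeter/CmEmbedded, or from
any OPC UA SDK. Assumes the own/private and trusted/certs layout; the store
scanned by run_demo() is constructed with placeholder PEM bodies.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

POSIX = os.name == "posix"  # group/other permission bits are only meaningful here

PEM_KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
)
PEM_ENCRYPTED_MARKERS = (
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8 with password protection
    b"Proc-Type: 4,ENCRYPTED",                  # legacy OpenSSL PEM encryption header
)

Finding = Tuple[str, str, str]  # (path relative to the store, severity, message)


def classify_key_file(path: Path) -> Optional[str]:
    """Return 'plaintext' or 'encrypted' for a PEM private key, None for anything else."""
    data = path.read_bytes()
    if any(m in data for m in PEM_ENCRYPTED_MARKERS):
        return "encrypted"
    if any(m in data for m in PEM_KEY_MARKERS):
        return "plaintext"
    return None


def others_can(path: Path, bits: int) -> bool:
    """True if group or other users hold any of the given permission bits."""
    return bool(path.stat().st_mode & bits)


def audit_pki_store(root) -> List[Finding]:
    root = Path(root)
    findings: List[Finding] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        kind = classify_key_file(path)
        if kind == "plaintext":
            findings.append((rel, "high", "unencrypted private key on the file system"))
        if kind is not None and others_can(path, stat.S_IRWXG | stat.S_IRWXO):
            findings.append((rel, "high", "private key accessible to other users"))
        if kind is None and rel.startswith("trusted/") and others_can(path, stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "medium", "trust list entry writable by other users"))
    return findings


def build_sample_store(base) -> None:
    """Constructed sample store: one plaintext key, one encrypted key, one trusted cert."""
    own = Path(base, "own", "private")
    trusted = Path(base, "trusted", "certs")
    own.mkdir(parents=True)
    trusted.mkdir(parents=True)

    plain = own / "server_key.pem"   # how a default SDK build typically leaves it
    plain.write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(plain, 0o644)

    enc = own / "backup_key.pem"     # password-protected and owner-only: no finding expected
    enc.write_bytes(b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n")
    os.chmod(enc, 0o600)

    cert = trusted / "client.der"    # a trust-list entry any local user could replace
    cert.write_bytes(b"\x30\x82\x01\x00PLACEHOLDER-DER")
    os.chmod(cert, 0o666)


def run_demo() -> List[Finding]:
    """Build the constructed store in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp)
        return audit_pki_store(tmp)


if __name__ == "__main__":
    for rel, severity, message in run_demo():
        print(f"{severity:<6} {rel}: {message}")
```

Run against a real device, point audit_pki_store at the SDK's PKI directory. Every "unencrypted private key" finding is a key that can be copied off the device by anyone who reaches the file system, which is exactly the exposure that moving the key into a CmDongle removes.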

OPC UA SDK, CmEmbedded, and CmDongles - A match made in heaven

CmEmbedded is a small-footprint modular runtime used to access the CodeMeter license container and the secure CmDongles. It supports many common operating systems out-of-the-box and can be extensively customized, as it is delivered as ANSI C source code.

The CmDongle hardware uses smart card chips made by Infineon that are Common Criteria (CC) EAL5+ certified, including the cryptographic libraries. All keys are securely stored and all cryptographic operations happen on this hardware.

The integration of CmEmbedded into the OPC UA SDKs offers additional security without additional effort and adds new licensing capabilities on top.

Making OPC UA more secure in the field

Private keys are stored securely in the CmDongle hardware, using RSA keys of up to 2048 bits and ECC keys of 224 bits; 2048-bit RSA covers the minimum key length that the current Basic256Sha256 security policy requires. Encrypting the OPC UA application software on the device protects it against tampering and reverse engineering and makes sure that critical processes run only on fully protected hardware.

Advantages of license management with OPC UA

More and more OPC UA devices depend on software to realize their capabilities, be they PLCs, intelligent sensors, RFID readers, or motors and actuators. With CodeMeter, individual functions can be licensed and novel pay-per-use or subscription business models introduced to develop new after-sales business. No physical changes to the device are needed to set up the licenses; license updates are transferred via the OPC UA protocol itself.

Available today 

CodeMeter's solutions, with CmEmbedded and CmASICs with USB/SPI communication, CmSticks for USB, or CmCards, are available as a module for the Unified Automation ANSI C OPC UA SDK and for the High Performance OPC UA SDK.

They have been tested and proven their worth in many projects, such as SmartFactoryKL, secure plug&work with the Fraunhofer Institute IOSB, OpSIT in the healthcare sector, and IUNO, the national reference project for IT security in Industrie 4.0 introduced by the German Ministry for Education and Research.

Summary

The IoT, IIoT, and Industrie 4.0 depend on fully interoperable and secure endpoint communication and semantics. OPC UA is supported by many organizations and players in the industry and can deliver what is required.

With its security and licensing capabilities, CodeMeter is a powerful enabler for new projects. Invaluable know-how is invested into flexible production processes, software, or technical and production data. Protecting these assets against theft and manipulation and seizing the opportunities of the digital age in new business models is CodeMeter’s mission.


KEYnote 33 – Edition Spring 2017
