Abstract

Cybersecurity is becoming ever more important as industry transforms towards an Industrial Internet of Things (IIoT). Essential parts of the overall security concept are securing the communication between clients and servers on different business layers, such as the plant floor network and the enterprise network, separating the information model from the authorization model, and keeping the management of security policies as easy as possible. A widely used service-oriented architecture for the IIoT is Open Platform Communications Unified Architecture (OPC UA), which supports confidentiality, integrity, application authentication, user authentication and user authorization. We present a novel security-model-based authorization concept for OPC UA in which a Privilege Management Infrastructure (PMI) is used to grant user authorizations. Furthermore, drawbacks of OPC UA revision 1.04 are pointed out, and security models are introduced which extract the security dependencies from the information model to improve maintainability, usability and transparency. Security models are implemented within OPC UA, so no additional technologies are needed and the OPC UA specification remains backward compatible.
