IEC TR 62541-2:2010 – OPC Unified Architecture - Part 2: Security Model.
4.2.2 Authentication
Entities such as clients, servers, and users should prove their identities. Authentication can be based on something the entity is, has, or knows.
4.2.3 Authorization
The access to read, write, or execute resources should be authorized only for those entities that have a need for that access within the requirements of the system. Authorization can be as coarse-grained as allowing or disallowing a client to call a server, or it can be much finer-grained, such as allowing specific actions on specific information items by specific users.
4.2.4 Confidentiality
Data shall be protected from passive attacks, such as eavesdropping, whether the data is being transmitted, held in memory, or stored. To provide confidentiality, data encryption algorithms using secret keys are used, together with authentication and authorization mechanisms that control access to those keys.
4.2.5 Integrity
Receivers shall receive the same information that the sender sent, without the data being changed during transmission.
4.2.6 Auditability
Actions taken by a system have to be recorded in order to provide evidence to stakeholders that this system works as intended and to identify the initiator of certain actions.
4.2.7 Availability
Availability is impaired when software that needs to run is turned off, or when the software or the communication system is overwhelmed by the input it has to process. In OPC UA, impaired availability can appear, for example, as slowed subscription performance or an inability to add sessions.
4.3 Security threats to OPC UA systems
4.3.1 General
OPC UA provides countermeasures to resist the threats to the security of the information that is communicated. The following subclauses list the currently known threats to environments in which OPC UA will be deployed. Following the subclauses that describe the OPC UA security architecture and functions, subclause 5.1 reconciles these threats against the OPC UA functions.
4.3.2 Message flooding
An attacker can send a large volume of messages, or a single message that contains a large number of requests, with the goal of overwhelming the OPC UA server or the components on which the OPC UA server depends for reliable operation, such as the CPU, the TCP/IP stack, the operating system, or the file system. Flooding attacks can be conducted at multiple layers, including OPC UA, SOAP, HTTP, or TCP.
Message flooding attacks can use both well-formed and malformed messages. In the first scenario the attacker could be a malicious person using a legitimate client to flood the server with requests. Two cases exist: one in which the client does not have a session with the server and one in which it does. Message flooding may impair the ability to establish OPC UA sessions, or it may terminate an existing session. In the second scenario an attacker could use a malicious client that floods an OPC UA server with malformed messages in order to exhaust the server's resources.
More generally, message flooding may impair the ability to communicate with an OPC UA entity and result in denial of service.
Message flooding impacts Availability.
See 5.1.2 for the reconciliation of this threat.
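The following is an added example, not text or code from IEC TR 62541-2, showing how a server can budget the three flooding cases described in 4.3.2: connection attempts from sources that have no session yet, requests from an established session, and a single message carrying a large number of operations. The class and parameter names, the limits, and the scenario are this example's own assumptions, not values defined by the OPC UA specifications.

```python
"""Request budgeting against message flooding (added example, not OPC UA code).

Models the cases in 4.3.2: connection floods from sources that have no session
yet, request floods from an established session, and a single message that
carries a large number of operations. All limits below are assumptions chosen
for illustration, not values from the OPC UA specifications.
"""
from collections import defaultdict


class TokenBucket:
    """Refills `rate` tokens per second up to `burst`; a request spends `cost`."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.capacity = burst
        self.tokens = float(burst)
        self.last = None  # timestamp of the previous call

    def allow(self, now, cost=1):
        if self.last is None:
            self.last = now
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class FloodGuard:
    def __init__(self, max_sessions=10, max_message_size=65536, max_ops_per_message=1000):
        self.max_sessions = max_sessions
        self.max_message_size = max_message_size
        self.max_ops_per_message = max_ops_per_message
        # Case 1 (no session yet): budget per source address, so one flooder
        # cannot burn the handshake CPU or fill the session table alone.
        self.connect_buckets = defaultdict(lambda: TokenBucket(rate=1.0, burst=3))
        # Case 2 (session exists): budget per session, charged per operation.
        self.session_buckets = {}
        self._next_session = 0

    def admit_connect(self, src_addr, now):
        """Return a new session id, or a 'reject:...' verdict."""
        if len(self.session_buckets) >= self.max_sessions:
            return "reject:session_table_full"
        if not self.connect_buckets[src_addr].allow(now):
            return "reject:connect_rate"
        self._next_session += 1
        session_id = f"{src_addr}#{self._next_session}"
        self.session_buckets[session_id] = TokenBucket(rate=20.0, burst=50)
        return session_id

    def admit_request(self, session_id, raw_len, op_count, now):
        """Return 'ok' or a 'reject:...' verdict for one service request.

        Checks run cheapest first: the size check and the session lookup need
        no parsing, so an oversized or malformed flood is dropped before the
        server spends decoding effort on it.
        """
        if raw_len > self.max_message_size:
            return "reject:oversized"
        bucket = self.session_buckets.get(session_id)
        if bucket is None:
            return "reject:no_session"
        if op_count > self.max_ops_per_message:
            return "reject:too_many_ops"
        # Charge per operation, so one message with many requests pays the
        # same as many messages with one request each.
        if not bucket.allow(now, cost=op_count):
            return "reject:request_rate"
        return "ok"
```

The order of checks matters as much as the limits: anything that can be decided from the raw length or a table lookup is decided before the message is decoded, and the per-session budget is charged per operation rather than per message, which is what closes the "one message, many requests" case.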
4.3.3 Eavesdropping
Eavesdropping is the unauthorized disclosure of sensitive information that might result directly in a critical security breach or be used in follow-on attacks.
If an attacker has compromised the underlying operating system or the network infrastructure, the attacker might record and capture messages. It may be beyond the capability of a client or server to recover from a compromise of the operating system.
Eavesdropping impacts Confidentiality directly and threatens all of the other security objectives indirectly.
See 5.1.3 for the reconciliation of this threat.
4.3.4 Message spoofing
An attacker may forge messages from a client or a server. Spoofing may occur at multiple layers in the protocol stack.
By spoofing messages from a client or a server, attackers may perform unauthorized operations and avoid detection of their activities.
Message spoofing impacts Integrity and Authorization.
See 5.1.4 for the reconciliation of this threat.
4.3.5 Message alteration
Network traffic and application layer messages may be captured, modified, and the modified message sent forward to OPC UA clients and servers. Message alteration may allow illegitimate access to a system.
Message alteration impacts Integrity and Authorization.
See 5.1.5 for the reconciliation of this threat.
4.3.6 Message replay
Network traffic and valid application layer messages may be captured and resent to OPC UA clients and servers at a later stage without modification. An attacker could misinform the user or send an improper command, such as a command to open a valve at an improper time.
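The following is an added example, not code from IEC TR 62541-2 or from any OPC UA implementation, showing the receiver-side checks that address the three message threats in 4.3.4, 4.3.5 and 4.3.6 together: a keyed MAC over header and body rejects altered messages and messages forged by a party that does not hold the channel key, and a per-channel sequence number with a sliding window rejects replayed messages while tolerating modest reordering. The message layout, the class names and the HMAC-SHA256 construction are this example's own simplifications; the actual OPC UA secure channel (IEC 62541-6) defines its own headers, sequence numbers and signing.

```python
"""Authenticated, replay-protected channel messages (added example, not OPC UA code).

Each message carries a channel id, a per-channel sequence number, the body and
a keyed MAC over header and body. The receiver rejects messages whose MAC does
not verify (alteration, or spoofing without the channel key) and messages whose
sequence number was already accepted (replay), while tolerating reordering
inside a sliding window. The format is this example's own simplification.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">IQ")  # channel id (uint32), sequence number (uint64)
TAG_LEN = 32                   # HMAC-SHA256 output length


class SecureChannelSender:
    def __init__(self, channel_id, key):
        self.channel_id = channel_id
        self.key = key
        self.seq = 0

    def send(self, body):
        """Frame `body` as header + body + tag with the next sequence number."""
        self.seq += 1
        header = HEADER.pack(self.channel_id, self.seq)
        tag = hmac.new(self.key, header + body, hashlib.sha256).digest()
        return header + body + tag


class SecureChannelReceiver:
    def __init__(self, channel_id, key, window=64):
        self.channel_id = channel_id
        self.key = key
        self.window_size = window
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bit i set => sequence `highest - i` already accepted

    def receive(self, msg):
        """Return ("accept", body) or ("reject", reason)."""
        if len(msg) < HEADER.size + TAG_LEN:
            return ("reject", "truncated")
        header = msg[:HEADER.size]
        body = msg[HEADER.size:-TAG_LEN]
        tag = msg[-TAG_LEN:]
        # Verify the MAC before trusting anything in the header, so a forged
        # sequence number cannot move the replay window.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return ("reject", "bad_mac")
        channel_id, seq = HEADER.unpack(header)
        if channel_id != self.channel_id:
            return ("reject", "wrong_channel")
        if seq == 0:
            return ("reject", "bad_sequence")
        mask = (1 << self.window_size) - 1
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & mask
            self.highest = seq
            return ("accept", body)
        offset = self.highest - seq
        if offset >= self.window_size:
            # Older than the window: a late message and a replay look the same,
            # so it is rejected rather than risk accepting a replayed command.
            return ("reject", "too_old")
        if (self.seen >> offset) & 1:
            return ("reject", "replay")
        self.seen |= 1 << offset
        return ("accept", body)
```

The window state must live as long as the key does: if a receiver restarted with `highest` reset to zero but kept the same key, every captured message would become replayable again. Giving each new channel fresh keys, as OPC UA does when a secure channel is opened or renewed, is what makes the sequence check sufficient.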