OPC UA Security: Native and Add-on Solutions
TRANSCRIPT
© WIBU-SYSTEMS AG 2016 - OPC UA Security: Native and Add-on Solutions for the Rise of Smart Factories 1
The Rise of Smart Factories:
Use Cases – Essentials – Security Tools
Oliver Winzenried, CEO WIBU-SYSTEMS AG
OPC UA Security: Native and Add-on Solutions
December 13, 2016
Smart Factory Projects featuring Wibu-Systems
OpSIT: Smart Items Technologies in Healthcare
SesaOPC: SmartFactoryKL
Secure Plug & Work: Fraunhofer IOSB
IUNO: German reference project for Cyber Security in Industrie 4.0
Large consortium: 14 companies and 7 research institutes
Four large Use Cases (Testbeds)
OpSIT: Smart Items Technologies in Healthcare
OpSIT: Optimal use of smart items technologies in healthcare
Using an Intel Edison SBC as a gateway for wireless low-power sensors
Wireless sensor data is sampled from the Edison
Unprotected data is sampled and processed locally
Sampled data is provided via OPC UA in the hospital network
Secure access to sensitive data
Whole system (application & cryptographic material) stored on a CodeMeter microSD card
Technology Initiative SmartFactoryKL
[Timeline figure: Smart Home, Internet of Things (www), Cyber-Physical Systems; years shown: 2002, 2005, 2011, 2015; launching the configuration of the vision Industrie 4.0; 10-year anniversary; more than 10 years; www.SmartFactory.de]
Technology Initiative SmartFactoryKL
Topics and content:
• Cyber-Physical Systems
• Vertical integration via OPC-UA
• Decentralised process control via RFID
• Semantic product and object memory model
• Resource protection through context-enabled M2M communication
• Augmented-reality-based human-machine interaction
Wibu-Systems contribution:
• Secure signed data in RFID
• Secure key storage and certificates for OPC-UA
• Security components from sensor to cloud
Project Secure Plug & Work
Plug & Work of production components using open standards
Secure authentication and configuration of production components and trusted communication
Wibu-Systems contribution: CodeMeter Protection, Licensing, Security, OPC UA integration
Secure Plug and Work: Secure networking in Industry 4.0
[Diagram: Control Room and PC/higher-level IT behind a firewall, connected over Ethernet to the MAG Specht milling cutter and the Schunk Powerball]
Component Overview
[Diagram of components: firewall, PC/MES IT, Ethernet, IPC (PLC) machine control, CAN, component n / tool magazine / spindle, Schunk PLC, ProfiNet]
OPC UA Communication Added
[Diagram: the component overview with OPC-UA-Server instances added alongside the IPC (PLC) machine control, the Schunk PLC and the components, and a UA Server at the PC/MES IT]
Security in “Secure Plug & Work”
Gateway (switch for secure connections, gateway for unsecured connections, aggregating UA server)
[Diagram: the OPC UA setup above, now with Security added to each OPC-UA-Server and with the gateway]
IUNO: Reference Project Security in Industrie 4.0
Four large Use Cases (Testbeds)
Collect all requirements and solutions in a tool box
Implementation
Transfer to Industry!
Secure Connectivity: Visual security control room for a production scenario
Secure Processes: Customer-individual production
Secure Services: Remote access / trusted partners
Secure Data: Technology marketplace for process data
IUNO WP 1 – Customized Production (HOMAG)
Goal: Definite and secure identification throughout the production process
Identification is complicated by processing, the production environment (e.g., dust, humidity, …) and multiple domains
Examples: Painting or cutting of components
Challenges:
Secure application of identification material to components
Prevention of product piracy (counterfeits)
Establishing cross-domain trust in the identification process
IUNO WP 2 – Marketplace for technology data (TRUMPF)
Goal: Easy and secure trading of technology data (machine configurations)
Status quo:
Basic technology data is included in the machine
Advanced technology data is bought on a one-time basis
Technology data is not protected against theft at all
Challenges:
Machines are not a single, easily controllable entity
Technology data needs to be flexible
Industrial requirements for availability and reliability
IUNO WP 3 – Remote maintenance (Bosch)
Goal: Unified platform for remote maintenance of machines
Status quo: Diverse landscape of remote maintenance solutions
Challenges:
Secure and unified identification of all participating parties: platform, machines, maintainers, service providers, contracting bodies, …
Secure routing of connections: one configuration for network equipment suffices for all machines on the shop floor
How to Implement Security in Connected Products
Working principles of CodeMeter
OPC UA typical architectures
CodeMeter integration in OPC UA
Wibu-Systems Technologies and Solutions
CodeMeter®: secure key storage (hardware / software); de-/encryption (AES, ECC, RSA); flexible license models
Software Integration (Protection Suite: Ax/Ex/Ix-Protector): automatic code protection / API; Secure Boot / OPC UA
Back Office Integration (CodeMeter License Central): key and certificate deployment; license deployment; license administration
OPC UA offers excellent security at protocol level
Secure Channel authentication: X.509 certificates, RSA public/private keys, trust management via a Public Key Infrastructure
Secure Channel encryption: symmetric encryption using the Advanced Encryption Standard (AES) with 128/256-bit keys
Using OPC UA provides high security in transit
Picture: OPC Foundation
OPC UA offers excellent security
Widely supported: Plattform Industrie 4.0 in Germany
BSI study on the OPC UA standard: https://opcfoundation.org/security/
IIC support
Chinese Alliance Industrial Internet
OPC UA offers endpoint security
The IIoT Landscape: Where are Endpoints?
[Figure: endpoints (EP) around the edge of the “Computational Network” (Core, Fog)]
OPC UA offers endpoint security
Access Control; Monitoring & Analysis; Secure Configuration & Management; Integrity Protection; Identity; Root of Trust; Physical Security (with CM); Data Protection; Security Model and Policy
Pervasive security extends beyond the protocol layer
Security of endpoints is equally important:
Vulnerabilities in operating systems
Vulnerabilities in software libraries
Vulnerabilities in applications
Consequences of a compromised endpoint can be severe:
Theft of cryptographic material (authentication)
Manipulation of configuration data (trust lists, certificate revocation lists)
Manipulation of applications (producing incorrect information)
Pervasive security needs additional effort
General setup for OPC UA servers and clients:
Private keys are stored on the hard disk
Trust lists and certificate revocation lists are stored on the hard disk
Applications are not protected against tampering
A successful attack on an endpoint leads to:
Further penetration of the infrastructure
Loss of functionality or reliability
Loss of intellectual property
OPC UA SDK, CmEmbedded and CmDongle – a perfect match
CmEmbedded: small, modular runtime for embedded systems
Portable to a variety of operating systems
Provides a subset of the CodeMeter API
CmDongle: smart card chips from Infineon Technologies (EAL 5+)
Secure storage of cryptographic material
Secure execution of crypto primitives (encryption/signature)
Variety of form factors
Integration of CodeMeter Embedded in the OPC UA SDK:
Storage and processing of all security-sensitive information in the smart card chip
Effortless development of applications with hardware security
Seamless migration between conventional software security and hardware security
Access to protection, licensing, and security features of CodeMeter
[Diagram: CodeMeter Embedded used in development and inside the OPC-UA application]
Enhancing security in OPC UA
Protection of private keys in the CmDongle:
Implementation of the asymmetric encryption and signature algorithms according to the OPC UA security profiles
Currently RSA keys up to 2048 bit (ECC 224 bit)
All processing done in the CmDongle; extraction of private keys is practically impossible
Protection of security-sensitive information (e.g. trust lists):
Encryption of the OPC UA application prevents tampering and reverse engineering
Signatures for protected information are verified in the CmDongle
Verified, tamperproof trust lists, certificate revocation lists, passwords, …
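The two points made in the slides above, a trust list that sits unprotected on the hard disk in the general setup, and a signed trust list that is verified before use in the enhanced setup, can be illustrated with an added Go example that is not part of this presentation or of the CodeMeter SDK. The list carries a detached RSA-2048 / SHA-256 PKCS#1 v1.5 signature (the signing scheme of the Basic256Sha256 profile), and the loader refuses any list whose signature does not verify. The signing key is generated in software only for the demonstration (in the setup described it would stay in the CmDongle); the one-identifier-per-line list format and all names are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// SignedTrustList is the trust list as read from disk plus a detached RSA signature over it.
type SignedTrustList struct {
	Payload   []byte // one trusted certificate identifier per line (constructed format)
	Signature []byte // RSA PKCS#1 v1.5 / SHA-256 signature over Payload
}

// NewSigningKey makes the 2048-bit RSA signing key (software-only here; in the slides' setup it would stay in the CmDongle).
func NewSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignTrustList signs the list contents at deployment time.
func SignTrustList(priv *rsa.PrivateKey, payload []byte) (SignedTrustList, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedTrustList{}, err
	}
	return SignedTrustList{Payload: payload, Signature: sig}, nil
}

// LoadTrustList verifies the signature first; a list that does not verify is never parsed.
func LoadTrustList(pub *rsa.PublicKey, stl SignedTrustList) ([]string, error) {
	digest := sha256.Sum256(stl.Payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], stl.Signature); err != nil {
		return nil, fmt.Errorf("trust list rejected: %w", err)
	}
	return strings.Fields(string(stl.Payload)), nil // entries are whitespace-separated
}

func main() {
	priv, _ := NewSigningKey()
	stl, _ := SignTrustList(priv, []byte("server-a.example\nserver-b.example\n"))
	entries, err := LoadTrustList(&priv.PublicKey, stl)
	fmt.Println(entries, err) // [server-a.example server-b.example] <nil>
	stl.Payload = append(stl.Payload, "rogue.example\n"...) // the on-disk manipulation the slides warn about
	_, err = LoadTrustList(&priv.PublicKey, stl)
	fmt.Println(err) // trust list rejected: crypto/rsa: verification error
}
```

A certificate revocation list or a stored password file can be protected the same way; what the CmDongle adds over this software version is that the verifying operation and the key never leave the smart card chip.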
Benefits of License Management in OPC UA
[Diagram: OPC-UA Application on CodeMeter Embedded with licensed Feature #1, Feature #2 and Feature #3]
Flexible licensing of functionality: license access to features of the OPC UA application
Full access to the extensive list of CodeMeter license models (e.g. pay-per-use, rental, …)
Unified access
Update CmDongle contents via OPC UA: no physical access necessary
No extra network protocols or open ports necessary
Secure distribution through CodeMeter functions: secure even without OPC UA Security (Security Profile: None)
[Diagram: OPC-UA Application on CodeMeter Embedded with Feature #1, #2 and #3, reached over the OPC UA Secure Channel]
Availability
Unified Automation SDKs: ANSI C based OPC UA SDK, High Performance OPC UA SDK
Successful evaluation phase in several research projects and demonstrators
Your major takeaways
Thomas J. Burke: IIoT, IoT, Industrie 4.0 requirements for real interoperability require security and
information integration. OPC UA provides secure reliable interoperability and information integration
seamlessly. The OPC Foundation collaborates with 30+ standard organizations providing the
infrastructure for these standards organizations to have plug-and-play interoperability and information integration.
Your major takeaways
Oliver Winzenried: Security is the enabler for IoT and Industrial Internet projects
Each device needs a tamperproof identity
Know-how is in flexible production processes, software, technology data, and production data – all needs to be protected against counterfeiting and tampering
OPC UA is more than secure communication and an open standard
Questions? Contact us!
Germany: +49-721-931720
USA: +1-425-7756900
China: +86-21-55661790, 10-82961560
http://www.wibu.com
[email protected]