OPC UA Security: Native and Add-on Solutions


Upload: team-wibu

Post on 15-Apr-2017


Page 1: OPC UA Security: Native and Add-on Solutions

© WIBU-SYSTEMS AG 2016 - OPC UA Security: Native and Add-on Solutions for the Rise of Smart Factories 1

The Rise of Smart Factories:

Use Cases – Essentials – Security Tools

Oliver Winzenried, CEO WIBU-SYSTEMS AG

[email protected]

OPC UA Security: Native and Add-on Solutions


December 13, 2016

Page 2: OPC UA Security: Native and Add-on Solutions

Smart Factory Projects featuring Wibu-Systems

OpSIT: Smart Items Technologies in Healthcare
SesaOPC: SmartFactoryKL
Secure Plug & Work: Fraunhofer IOSB
IUNO: German reference project for Cyber Security in Industrie 4.0
• Large consortium: 14 companies and 7 research institutes
• Four large Use Cases (Testbeds)

Page 3: OPC UA Security: Native and Add-on Solutions

OpSIT: Smart Items Technologies in Healthcare

Page 4: OPC UA Security: Native and Add-on Solutions

OpSIT: Smart Items Technologies in Healthcare

OpSIT: Optimal use of smart items technologies in healthcare
Using an Intel Edison SBC as a gateway for wireless low-power sensors
Wireless sensor data is sampled from the Edison
Unprotected data is sampled and processed locally
Sampled data is provided via OPC UA in the hospital network
Secure access to sensitive data
Whole system (application & cryptographic material) stored on a CodeMeter microSD card

Page 5: OPC UA Security: Native and Add-on Solutions

Technology Initiative SmartFactoryKL

[Timeline figure, 2002–2015: Smart Home, Internet of Things, Cyber Physical Systems, 10-year anniversary, launching the configuration of the vision Industrie 4.0; more than 10 years; www.SmartFactory.de]

Page 6: OPC UA Security: Native and Add-on Solutions

Technology Initiative SmartFactoryKL

Page 7: OPC UA Security: Native and Add-on Solutions

Technology Initiative SmartFactoryKL

Topics and content:
• Cyber-Physical Systems
• Vertical integration via OPC-UA
• Decentralised process control via RFID
• Semantical product and object memory model
• Resource protection through context-enabled M2M communication
• Augmented-Reality based human-machine interaction

Wibu-Systems contribution:
• Secure signed data in RFID
• Secure key storage and certificates for OPC-UA
• Security components from sensor to cloud

Page 8: OPC UA Security: Native and Add-on Solutions

Project Secure Plug & Work

Plug & Work of production components using open standards
Secure authentication and configuration of production components and trusted communication
Wibu-Systems contribution: CodeMeter Protection, Licensing, Security, OPC UA integration

Page 9: OPC UA Security: Native and Add-on Solutions

Secure Plug and Work: Secure networking in Industry 4.0

[Network diagram labels: Firewall; PC / higher-level IT; Ethernet; Control Room; MAG Specht Milling Cutter; Schunk Powerball]

Page 10: OPC UA Security: Native and Add-on Solutions

Component Overview

[Diagram labels: Firewall; Component n; Tool Magazine; Spindle; IPC (PLC) Machine Control; PC/MES IT; CAN; Ethernet; Schunk PLC; ProfiNet]

Page 11: OPC UA Security: Native and Add-on Solutions

OPC UA Communication Added

[Diagram: the component overview with OPC-UA-Servers added; labels: Firewall; Component n; Tool Magazine; Spindle; IPC (PLC) Machine Control; OPC-UA-Server (×3); PC/MES IT; UA Server; CAN; Ethernet; Schunk PLC; ProfiNet]

Page 12: OPC UA Security: Native and Add-on Solutions

Security in “Secure Plug & Work”

Gateway (switch for secure connection, gateway for unsecured connection, aggregating UA-Server)

[Diagram: the OPC UA communication overview with security added at the OPC-UA-Servers; labels: Firewall; Component n; Tool Magazine; Spindle; IPC (PLC) Machine Control; OPC-UA-Server Security (×3); OPC-UA-Server; PC/MES IT; UA Server; CAN; Ethernet; Schunk PLC; ProfiNet]

Page 13: OPC UA Security: Native and Add-on Solutions

IUNO: Reference Project Security in Industrie 4.0

Four large Use Cases (Testbeds)
Collect all requirements and solutions in a tool box
Implementation
Transfer to Industry!

Secure Connectivity: Visual security control room for a production scenario
Secure Processes: Customer individual production
Secure Services: Remote access / trusted partners
Secure Data: Technology market place for process data

Page 14: OPC UA Security: Native and Add-on Solutions

IUNO: Reference Project for Cyber Security in Industrie 4.0

Page 15: OPC UA Security: Native and Add-on Solutions

IUNO WP 1 – Customized Production (HOMAG)

Page 16: OPC UA Security: Native and Add-on Solutions

IUNO WP 1 – Customized Production

Goal: Definite and secure identification throughout the production process
Identification is complicated by processing, the production environment (e.g., dust, humidity, …), and multi-domains
Examples: Painting or cutting of components
Challenges:
• Secure application of identification material to components
• Prevention of product piracy (counterfeits)
• Establishing cross-domain trust in the identification process

Page 17: OPC UA Security: Native and Add-on Solutions

IUNO WP 2 – Marketplace for technology data (TRUMPF)

Page 18: OPC UA Security: Native and Add-on Solutions

IUNO WP 2 – Marketplace for technology data (TRUMPF)

Goal: Easy and secure tradeable technology data (machine configurations)
Status Quo:
• Basic technology data is included in the machine
• Advanced technology data is bought on a one-time basis
• Technology data is not protected against theft at all
Challenges:
• Machines are not a single, easily controllable entity
• Technology data need to be flexible
• Industrial requirements for availability and reliability

Page 19: OPC UA Security: Native and Add-on Solutions

IUNO WP 3 – Remote maintenance (Bosch)

Page 20: OPC UA Security: Native and Add-on Solutions

IUNO WP 3 – Remote maintenance (Bosch)

Goal: Unified platform for remote maintenance of machines
Status Quo: Diverse landscape of remote maintenance solutions
Challenges:
• Secure and unified identification of all participating parties (platform, machines, maintainers, service providers, contracting bodies, …)
• Secure routing of connections: one configuration for network equipment suffices for all machines on the shop floor

Page 21: OPC UA Security: Native and Add-on Solutions

How to Implement Security in Connected Products

Working principles of CodeMeter
OPC UA typical architectures
CodeMeter integration in OPC UA

Page 22: OPC UA Security: Native and Add-on Solutions

Wibu-Systems Technologies and Solutions

CodeMeter®:
• Secure Key Storage (Hardware / Software)
• De-/Encryption (AES, ECC, RSA)
• Flexible License Models

Software Integration (Protection Suite: Ax/Ex/Ix-Protector):
• Automatic Code Protection / API
• Secure Boot / OPC UA

Back Office Integration (CodeMeter License Central):
• Key and Certificate Deployment
• License Deployment
• License Administration

Page 23: OPC UA Security: Native and Add-on Solutions

OPC UA offers excellent security at protocol level

Secure Channel Authentication:
• X.509 certificates
• RSA public/private keys
• Trust management via Public Key Infrastructure

Secure Channel Encryption:
• Symmetric encryption using the Advanced Encryption Standard (AES) with 128/256 bit keys

Using OPC UA provides high security in transit

Picture: OPC Foundation
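The protocol-level guarantees above only hold if a client actually insists on them when it picks one of a server's advertised endpoints. The following added Python example (not from the slides and not from any OPC UA SDK) ranks the security policies and message security modes, and refuses None, the deprecated SHA-1 based policies, modes that do not both sign and encrypt, and short RSA keys; the endpoint list and the rsa_key_bits field are constructed stand-ins for a real GetEndpoints response and for certificate parsing.

```python
"""Rank OPC UA endpoints by secure-channel strength and reject weak ones.
Added example; SAMPLE is a constructed GetEndpoints result and rsa_key_bits a constructed field."""
from dataclasses import dataclass

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
# Security policy URIs from OPC UA Part 7, ranked by strength. Basic128Rsa15
# and Basic256 sign with SHA-1 and are deprecated; None protects nothing.
POLICY_RANK = {
    POLICY_BASE + "None": 0,
    POLICY_BASE + "Basic128Rsa15": 1,
    POLICY_BASE + "Basic256": 1,
    POLICY_BASE + "Basic256Sha256": 2,
    POLICY_BASE + "Aes128_Sha256_RsaOaep": 3,
    POLICY_BASE + "Aes256_Sha256_RsaPss": 4,
}
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3  # MessageSecurityMode enum

@dataclass(frozen=True)
class Endpoint:
    policy_uri: str
    mode: int
    rsa_key_bits: int  # constructed stand-in for the server certificate's key size

def assess(ep, min_rsa_bits=2048):
    """Return the reasons an endpoint is unacceptable; an empty list means it passes."""
    reasons = []
    rank = POLICY_RANK.get(ep.policy_uri)
    if rank is None:
        reasons.append("unknown security policy")
    elif rank == 0:
        reasons.append("SecurityPolicy#None offers no authentication or encryption")
    elif rank == 1:
        reasons.append("deprecated SHA-1 based policy")
    if ep.mode != MODE_SIGN_AND_ENCRYPT:
        reasons.append("messages are not both signed and encrypted")
    if ep.rsa_key_bits < min_rsa_bits:
        reasons.append(f"RSA key shorter than {min_rsa_bits} bit")
    return reasons

def pick_endpoint(endpoints):
    """Choose the strongest acceptable endpoint, or None if every one fails."""
    ok = [ep for ep in endpoints if not assess(ep)]
    return max(ok, key=lambda e: (POLICY_RANK[e.policy_uri], e.rsa_key_bits)) if ok else None

# Constructed GetEndpoints result: one server advertising five endpoints.
SAMPLE = [
    Endpoint(POLICY_BASE + "None", MODE_NONE, 2048),
    Endpoint(POLICY_BASE + "Basic128Rsa15", MODE_SIGN_AND_ENCRYPT, 2048),
    Endpoint(POLICY_BASE + "Basic256Sha256", MODE_SIGN, 2048),
    Endpoint(POLICY_BASE + "Basic256Sha256", MODE_SIGN_AND_ENCRYPT, 2048),
    Endpoint(POLICY_BASE + "Aes256_Sha256_RsaPss", MODE_SIGN_AND_ENCRYPT, 1024),
]

if __name__ == "__main__":
    print("chosen:", pick_endpoint(SAMPLE), [assess(ep) for ep in SAMPLE])
```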

Page 24: OPC UA Security: Native and Add-on Solutions

OPC UA offers excellent security

Widely supported:
• Plattform Industrie 4.0 in Germany
• BSI Study on the OPC UA standard: https://opcfoundation.org/security/
• IIC support
• Chinese Alliance Industrial Internet

Page 25: OPC UA Security: Native and Add-on Solutions

OPC UA offers endpoint security

The IIoT Landscape: Where are Endpoints?

[Figure: endpoints (EP) at the edge around a “Computational Network” (Core, Fog)]

Page 26: OPC UA Security: Native and Add-on Solutions

OPC UA offers endpoint security

• Access Control
• Monitoring & Analysis
• Secure Configuration & Management
• Integrity Protection
• Identity
• Root of Trust
• Physical Security (with CM)
• Data Protection
• Security Model and Policy

Page 27: OPC UA Security: Native and Add-on Solutions

Pervasive security extends beyond the protocol layer

Security of endpoints is equally important:
• Vulnerabilities in operating systems
• Vulnerabilities in software libraries
• Vulnerabilities in applications

Consequences of a compromised endpoint can be severe:
• Theft of cryptographic material (authentication)
• Manipulation of configuration data (trust lists, certificate revocation lists)
• Manipulation of applications (producing incorrect information)

Page 28: OPC UA Security: Native and Add-on Solutions

Pervasive security needs additional effort

General setup for OPC UA servers and clients:
• Private keys are stored on the hard disk
• Trust lists and certificate revocation lists are stored on the hard disk
• Applications are not protected against tampering

A successful attack on endpoints leads to:
• Further penetration of the infrastructure
• Loss of functionality or reliability
• Loss of intellectual property

Page 29: OPC UA Security: Native and Add-on Solutions

OPC UA SDK, CmEmbedded and CmDongle – a perfect match

CmEmbedded:
• Small, modular runtime for embedded systems
• Portable to a variety of operating systems
• Provides a subset of the CodeMeter API

CmDongle:
• Smart card chips from Infineon Technologies (EAL 5+)
• Secure storage of cryptographic material
• Secure execution of crypto primitives (encryption/signature)
• Variety of form factors

Page 30: OPC UA Security: Native and Add-on Solutions

OPC UA SDK, CmEmbedded and CmDongle – a perfect match

Integration of CodeMeter Embedded in the OPC UA SDK:
• Storage and processing of all security-sensitive information in the smart card chip
• Effortless development of applications with hardware security
• Seamless migration between conventional software security and hardware security
• Access to protection, licensing, and security features of CodeMeter

[Diagram: Development – OPC-UA Application – CodeMeter Embedded]

Page 31: OPC UA Security: Native and Add-on Solutions

Enhancing security in OPC UA

Protection of private keys in CmDongle:
• Implementation of asymmetric encryption and signature algorithms according to the OPC UA security profiles
• Currently RSA keys up to 2048 bit (ECC 224 bit)
• All processing done in CmDongle
• Extraction of private keys practically impossible

Protection of security-sensitive information (e.g. trust lists):
• Encryption of the OPC UA application prevents tampering and reverse engineering
• Signatures for protected information verified in CmDongle
• Verified, tamperproof trust lists, certificate revocation lists, passwords, …
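The general setup on the earlier slide leaves trust lists and CRLs on the hard disk where anyone with file access can edit them; the bullets above counter that by verifying signatures over protected information inside the CmDongle. The following added Python example (not from the slides and not CodeMeter's own API) shows the shape of such a check: the trust-list files are bound to a signed manifest, and the application refuses to load them if any file was modified, added or removed. HMAC-SHA256 with a constructed key stands in for the token-held RSA signature, and an in-memory dict stands in for the on-disk directory; both are assumptions marked in the code.

```python
"""Verify a signed trust-list manifest before the OPC UA stack loads it.
Added example; HMAC-SHA256 with a constructed key stands in for the token."""
import hashlib
import hmac
import json

# Constructed stand-in for a signing key that would never leave the CmDongle.
_TOKEN_KEY = b"constructed-demo-key-do-not-use"

def sign_manifest(manifest_bytes):
    """Stand-in for signing inside the token (assumption: HMAC instead of RSA)."""
    return hmac.new(_TOKEN_KEY, manifest_bytes, hashlib.sha256).hexdigest()

def verify_signature(manifest_bytes, signature):
    """Stand-in for the token's signature check; constant-time comparison."""
    return hmac.compare_digest(sign_manifest(manifest_bytes), signature)

def build_manifest(files):
    """Bind every trust-list / CRL file to its SHA-256 digest; this is what gets signed."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    return json.dumps(digests, sort_keys=True).encode()

def load_trust_list(files, manifest_bytes, signature):
    """Return the files only if the signed manifest still matches them; raises
    ValueError on a bad signature or on a file modified, added or removed."""
    if not verify_signature(manifest_bytes, signature):
        raise ValueError("manifest signature invalid")
    expected = json.loads(manifest_bytes)
    if set(expected) != set(files):
        raise ValueError("trust list files added or removed")
    for name, data in files.items():
        if hashlib.sha256(data).hexdigest() != expected[name]:
            raise ValueError(f"{name} modified")
    return files

# Constructed on-disk contents; real deployments hold DER certificates and CRLs here.
TRUSTED = {
    "trusted/certs/mes-client.der": b"constructed certificate bytes",
    "trusted/crl/factory-ca.crl": b"constructed crl bytes",
}
MANIFEST = build_manifest(TRUSTED)
SIGNATURE = sign_manifest(MANIFEST)  # produced once, at provisioning time

def tamper_check(files):
    """Return the rejection reason for a directory state, or None if it loads cleanly."""
    try:
        load_trust_list(files, MANIFEST, SIGNATURE)
    except ValueError as err:
        return str(err)
    return None

if __name__ == "__main__":
    print("intact:", tamper_check(TRUSTED))
    print("extra cert:", tamper_check({**TRUSTED, "trusted/certs/unlisted.der": b"x"}))
    print("edited crl:", tamper_check({**TRUSTED, "trusted/crl/factory-ca.crl": b"empty"}))
```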

Page 32: OPC UA Security: Native and Add-on Solutions

Benefits of License Management in OPC UA

[Diagram: OPC-UA Application with CodeMeter Embedded and Feature #1, #2, #3]

Flexible licensing of functionality:
• License access to features of the OPC UA application
• Full access to the extensive list of CodeMeter license models (e.g. pay-per-use, rental, …)

Page 33: OPC UA Security: Native and Add-on Solutions

Unified access

Update CmDongle contents via OPC UA:
• No physical access necessary
• No extra network protocols or open ports necessary

Secure distribution through CodeMeter functions:
• Secure, even without OPC UA Security (Security Profile: None)

[Diagram: OPC-UA Application with CodeMeter Embedded and Feature #1, #2, #3, reached over the OPC UA Secure Channel]

Page 34: OPC UA Security: Native and Add-on Solutions

Availability

Unified Automation SDKs:
• ANSI C based OPC UA SDK
• High Performance OPC UA SDK

Successful evaluation phase in several research projects and demonstrators

Page 35: OPC UA Security: Native and Add-on Solutions

Your major takeaways

Thomas J. Burke: IIoT, IoT, Industrie 4.0 requirements for real interoperability require security and information integration. OPC UA provides secure reliable interoperability and information integration seamlessly. The OPC Foundation collaborates with 30+ standard organizations providing the infrastructure for these standards organizations to have plug-and-play interoperability and information integration.

Page 36: OPC UA Security: Native and Add-on Solutions

Your major takeaways

Oliver Winzenried:
• Security is the enabler for IoT and Industrial Internet projects
• Each device needs a tamperproof identity
• Know-how is in flexible production processes, software, technology data, and production data – all needs to be protected against counterfeiting and tampering
• OPC UA is more than secure communication and an open standard

Page 37: OPC UA Security: Native and Add-on Solutions


Questions? Contact us!

Germany: +49-721-931720
USA: +1-425-7756900
China: +86-21-55661790, 10-82961560
http://www.wibu.com
[email protected]