Secure Granular Interoperability with OPC UA

Venesa Watson, J. Sassmannshausen, K. Waedt
Published in: GI-Jahrestagung
DOI: 10.18420/inf2019_ws34 (https://doi.org/10.18420/inf2019_ws34)
Citation count: 4

Abstract

Open Platform Communications Unified Architecture (OPC UA) is the communication standard earmarked for future industrial automation, particularly for the Industry 4.0 (I4.0) infrastructure, where it provides the key services for interoperability and built-in communication security. OPC UA defines several models for these services and has already been deployed by industrial partners in their efforts to achieve I4.0 market readiness and to provide more robust systems. Of particular interest are the security services offered by OPC UA, as they are expected to strengthen the security posture of industrial automation systems, which have so far suffered a number of sophisticated cyber-attacks. In general, the severity of a cyber-attack depends on the level of access acquired by the attacker; for example, an attacker with unrestricted administrative-level access can issue more powerful commands. It is safe to say, then, that a more stringent access control security concept can offer systems greater protection from unauthorized access. Several access control models exist, which are categorized under two headings: discretionary (data owners/users set the access control rules) and non-discretionary (security administrators control the access granted to users). Here, a non-discretionary access control model, namely the attribute-based access control (ABAC) model, is compared to the role-based access control (also non-discretionary) typically assumed with OPC UA, to ascertain how a more granular security structure with ABAC could provide additional security advantages for industry.