OPC UA Security
OPC UA specifications provide the following security modes:
- None: Messages are neither signed nor encrypted. The fastest option, but unsecured; not recommended in production.
- Signed: Messages are digitally signed. The signature guarantees that a message cannot be modified (tampered with) by an attacker in transit: the client receives messages exactly as the server sent them, and vice versa. However, an attacker who intercepts the traffic can still read the message contents.
- Signed and Encrypted: Messages are digitally signed and then encrypted. This is the most CPU-demanding but also the safest option. Encryption makes the message unintelligible to anyone other than the client and server, so even if an attacker captures a message, they cannot read its contents.
In conjunction with the security modes, there are the following authentication mechanisms:
- User name and password: the usual user name and password authentication.
- X.509 certificates: X.509 is the standard that defines the format of public key certificates. These certificates support a number of public key algorithms, such as RSA, DSA, ECDSA and Ed25519, and are widely used across the internet.
- Kerberos: currently deprecated; provides an authentication mechanism based on mutual authentication with symmetric keys.
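The security modes and user authentication options above are what a client sees in a server's endpoint list, and a client should refuse endpoints that do not meet its policy. The following added example (written for this page, not code from the OPC UA specification or any OPC UA stack) audits a constructed endpoint list and picks the strongest endpoint that uses Signed and Encrypted mode, a non-deprecated security policy, and no anonymous login. The numeric values mirror the OPC UA MessageSecurityMode and UserTokenType enumerations; the policy URIs and the deprecation of the SHA-1-based Basic128Rsa15 and Basic256 policies follow the OPC UA specification; the endpoint URLs and the ranking order are constructed assumptions.

```python
from dataclasses import dataclass, field

# Values of the OPC UA MessageSecurityMode and UserTokenType enumerations.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE, TOKEN_ISSUED = 0, 1, 2, 3

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
# SHA-1-based policies deprecated by the OPC Foundation; treated as unacceptable.
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}
# Assumed preference order among current policies (higher is preferred).
POLICY_RANK = {"Aes256_Sha256_RsaPss": 3, "Aes128_Sha256_RsaOaep": 2, "Basic256Sha256": 1}


@dataclass
class Endpoint:
    url: str
    security_mode: int
    security_policy_uri: str
    user_token_types: list = field(default_factory=list)


def policy_name(uri):
    """Strip the URI prefix, e.g. '...#Basic256Sha256' -> 'Basic256Sha256'."""
    return uri.rsplit("#", 1)[-1]


def audit_endpoint(ep):
    """Return the policy violations of one endpoint; an empty list means it passes."""
    findings = []
    policy = policy_name(ep.security_policy_uri)
    if ep.security_mode != MODE_SIGN_AND_ENCRYPT:
        findings.append("mode is not SignAndEncrypt")
    if policy == "None" or policy in DEPRECATED_POLICIES:
        findings.append(f"security policy {policy} is deprecated or absent")
    if TOKEN_ANONYMOUS in ep.user_token_types:
        findings.append("anonymous user token accepted")
    return findings


def choose_endpoint(endpoints):
    """Pick the strongest endpoint that passes the audit, or None if none does."""
    acceptable = [ep for ep in endpoints if not audit_endpoint(ep)]
    if not acceptable:
        return None
    return max(acceptable, key=lambda ep: POLICY_RANK.get(policy_name(ep.security_policy_uri), 0))


# Constructed sample of what a GetEndpoints response from one server might list.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://plc.example:4840", MODE_NONE, POLICY_PREFIX + "None", [TOKEN_ANONYMOUS, TOKEN_USERNAME]),
    Endpoint("opc.tcp://plc.example:4840", MODE_SIGN, POLICY_PREFIX + "Basic256Sha256", [TOKEN_USERNAME]),
    Endpoint("opc.tcp://plc.example:4840", MODE_SIGN_AND_ENCRYPT, POLICY_PREFIX + "Basic256", [TOKEN_USERNAME]),
    Endpoint("opc.tcp://plc.example:4840", MODE_SIGN_AND_ENCRYPT, POLICY_PREFIX + "Basic256Sha256", [TOKEN_USERNAME, TOKEN_CERTIFICATE]),
    Endpoint("opc.tcp://plc.example:4840", MODE_SIGN_AND_ENCRYPT, POLICY_PREFIX + "Aes256_Sha256_RsaPss", [TOKEN_CERTIFICATE]),
]
```

The same audit can be run against a server's own configuration to spot a None endpoint or an anonymous token policy left enabled in production.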
OPC UA is firewall-friendly while addressing security concerns by providing a suite of controls:
- Transport: Numerous protocols are defined, offering options such as the ultra-fast OPC UA binary transport or the more universally compatible JSON over WebSockets.
- Session Encryption: Messages are transmitted securely at various encryption levels.
- Message Signing: The message signature allows the recipient to verify the origin and integrity of the received message.
- Sequenced Packets: Exposure to message replay attacks is eliminated with sequencing.
- Authentication: Each OPC UA client and server is identified through X.509 certificates, providing control over which applications and systems are permitted to connect.
- User Control: Applications can require users to authenticate with login credentials, a certificate, or a web token, and can further restrict and enhance their capabilities with access rights and address-space “views”.
- Auditing: Activities by a user and/or the system are logged, providing an access audit trail.