IEC TR 62541-2:2010 pdf download – OPC Unified Architecture – Part 2: Security Model
4.2.2 Authentication Entities such as clients, servers, and users should prove their identities. Authentication can be based on something the entity is, has, or knows.
4.2.3 Authorization The access to read, write, or execute resources should be authorized for only those entities that have a need for that access within the requirements of the system. Authorization can be as coarse-grained as allowing or disallowing a client to call a server or it could be much finer grained, such as allowing specific actions on specific information items by specific users.
4.2.4 Confidentiality Data shall be protected from passive attacks, such as eavesdropping, whether the data is being transmitted, in memory, or being stored. To provide Confidentiality data encryption algorithms using special secrets for securing data are used together with authentication and authorization mechanisms for accessing that secret.
4.2.5 Integrity Receivers shall receive the same information that the sender sent, without the data being changed during transmission.
4.2.6 Auditability Actions taken by a system have to be recorded in order to provide evidence to stakeholders that this system works as intended and to identify the initiator of certain actions.
4.2.7 Availability Availability is impaired when the execution of software that needs to run is turned off or when software or the communication system is overwhelmed processing input. Impaired Availability in OPC UA can appear as slowing down of subscription performance or inability to add sessions for example.
4.3 Security threats to OPC UA systems
4.3.1 General OPC UA provides countermeasures to resist the threats to the security of the information that is communicated. The following subclauses list the currently known threats to environments in which OPC UA will be deployed. Following the subclauses that describe the OPC UA security architecture and functions, subclause 5.1 reconciles these threats against the OPC UA functions.
4.3.2 Message flooding An attacker can send a large volume of messages, or a single message that contains a large number of requests, with the goal of overwhelming the OPC UA server or components on which the OPC UA server may depend for reliable operation such as CPU, TCP/IP stack, Operating System, or the File System. Flooding attacks can be conducted at multiple layers including OPC UA, SOAP, [HTTP] or TCP. Message flooding attacks can use both well-formed and malformed messages. In the first scenario the attacker could be a malicious person using a legitimate client to flood the server with requests. Two cases exist, one in which the client does not have a session with the server and one in which it does. Message flooding may impair the ability to establish OPC UA sessions, or terminate an existing session. In the second scenario an attacker could use a malicious client that floods an OPC UA server with malformed messages in order to exhaust the server’s resources. More generally message flooding may impair the ability to communicate with an OPC UA entity and result in denial of service.
Message flooding impacts Availability.
See 5.1 .2 for the reconciliation of this threat.
4.3.3 Eavesdropping
Eavesdropping is the unauthorized disclosure of sensitive information that might result directly in a critical security breach or be used in follow-on attacks. If an attacker has compromised the underlying operating system or the network infrastructure, the attacker might record and capture messages. It may be beyond the capability of a client or server to recover from a compromise of the operating system. Eavesdropping impacts Confidentiality directly and threatens all of the other security objectives indirectly.
See 5.1 .3 for the reconciliation of this threat.
4.3.4 Message spoofing An attacker may forge messages from a client or a server. Spoofing may occur at multiple layers in the in the protocol stack. By spoofing messages from a client or a server, attackers may perform unauthorized operations and avoid detection of their activities. Message spoofing impacts Integrity and Authorization. See 5.1 .4 for the reconciliation of this threat.
4.3.5 Message alteration Network traffic and application layer messages may be captured, modified, and the modified message sent forward to OPC UA clients and servers. Message alteration may allow illegitimate access to a system. Message alteration impacts Integrity and Authorization. See 5.1 .5 for the reconciliation of this threat.
4.3.6 Message replay Network traffic and valid application layer messages may be captured and resent to OPC UA clients and servers at a later stage without modification. An attacker could misinform the user or send in an improper command such as a command to open a valve but at an improper time.IEC TR 62541-2 pdf download.