
Forums it-sa Expo, Knowledge Forum D

Attention critis(ch)! Secure IT/OT convergence with OPC UA

Anyone who networks sensitive systems via OPC UA should not only rely on the security stack, but take additional measures.

Date: Wed, 13.10.2021, 13:45 - 14:00

Format: On site

Location: Hall 7, Booth 7-609

Topics: Industry 4.0 / IoT / Edge Computing; Network Security / Patch Management



This action is part of the event Forums it-sa Expo


Action description



Standardised and secure communication from the machine or field device to the enterprise server or into the cloud is no longer a vision: OPC UA makes it possible. The Open Platform Communications Unified Architecture (OPC UA for short) is considered the class leader among communication standards for Industry 4.0, at least in the German and European market. Instead of converting proprietary, manufacturer-specific protocols across network boundaries and having to deal with how data is exchanged at the network or application layer, automation and plant operators can use one uniform protocol from the sensor to the cloud with OPC UA. However, networking devices, machines and plants always involves security risks. So how should OPC UA be evaluated from the perspective of IT security?
Basically, IT security was considered as part of the OPC UA standard and a security layer was specified. In total, OPC UA takes seven security objectives into account: confidentiality, integrity, authentication at application level and at user level, authorisation, auditing and availability. For client-server communication, the OPC UA security architecture is based on sessions between a client application and a server application over an encrypted, secure channel. The standard defines several security mechanisms: transport security at the transmission layer, user and application authentication, role-based user authorisation, and auditing to ensure the traceability of user and application actions and data consistency. The security profiles of the standard describe the capabilities of clients and servers, i.e. which security functions are supported. The security policies define which of the supported security mechanisms a server allows.
The OPC UA specification thus offers exemplary security features. The problem: in practice, the user depends on the quality of the implementation by the respective stack manufacturer. For example, a machine's stack, or the OPC UA security layer on that stack, can be compromised because the software implementation contains vulnerabilities. Such security risks are difficult to assess. In view of the constantly growing threat of cyber attacks, supplementary security concepts should be considered for sensitive systems and network segments in the sense of defence in depth, concepts that rule out the compromise of systems from the outset. The question is how domain and segment transitions can be secured effectively while the opportunities of Industry 4.0 are still exploited, such as flexible production and the intelligent control, monitoring and optimisation of all processes in terms of quality, energy efficiency, material consumption and costs.
Two complementary approaches in particular offer an answer. One is Zero Trust, meaning that user authorisations and the status of the client system are checked in the application. The other is network segmentation and separation through stateful firewalls (transport layer), application-level firewalls, application gateways and data diodes, which serve as an essential line of defence. The decision on which security solutions to use in a specific case depends on the security objectives, the security level and the use case.
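The abstract points out that the security policies a server allows decide which of the specified mechanisms are actually in effect. As an added example (not code from the talk, the it-sa page or the OPC Foundation), the following audit flags endpoint descriptions whose security policy, message security mode or user token policy undermines the secure channel and user-level authentication described above. It assumes endpoints are plain Python dicts mirroring the fields of an OPC UA GetEndpoints response, with constructed sample data.

```python
# Added example: audit OPC UA endpoint descriptions for weak security settings.
# Endpoints are plain dicts with fields named after EndpointDescription /
# UserTokenPolicy (endpointUrl, securityPolicyUri, securityMode, userIdentityTokens);
# tokenType is represented by its name. The sample endpoints at the bottom are constructed.
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}   # SHA-1 / RSA PKCS#1 v1.5 based
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3  # MessageSecurityMode enum values


def audit_endpoint(ep):
    """Return a list of (severity, reason) findings for one endpoint description."""
    findings = []
    policy = ep["securityPolicyUri"].removeprefix(POLICY_PREFIX)
    mode = ep["securityMode"]
    if policy == "None" or mode == MODE_NONE:
        findings.append(("high", "secure channel disabled: traffic unsigned and unencrypted"))
    elif mode == MODE_SIGN:
        findings.append(("medium", f"sign-only mode with {policy}: payload readable on the wire"))
    if policy in DEPRECATED_POLICIES:
        findings.append(("medium", f"deprecated security policy {policy}"))
    for tok in ep.get("userIdentityTokens", []):
        # A token policy without its own securityPolicyUri inherits the endpoint's policy.
        tok_policy = tok.get("securityPolicyUri", ep["securityPolicyUri"]).removeprefix(POLICY_PREFIX)
        if tok["tokenType"] == "Anonymous":
            findings.append(("high", "anonymous user identity token accepted"))
        elif tok["tokenType"] == "UserName" and tok_policy == "None" and mode != MODE_SIGN_AND_ENCRYPT:
            findings.append(("high", "password token would be sent in clear"))
    return findings


def audit_server(endpoints):
    """Map endpoint URL -> findings, keeping only endpoints with at least one finding."""
    return {ep["endpointUrl"]: f for ep in endpoints if (f := audit_endpoint(ep))}


# Constructed sample: three endpoints on hypothetical PLCs, from weakest to strongest.
SAMPLE_ENDPOINTS = [
    {"endpointUrl": "opc.tcp://plc-01:4840", "securityPolicyUri": POLICY_PREFIX + "None",
     "securityMode": MODE_NONE,
     "userIdentityTokens": [{"policyId": "anon", "tokenType": "Anonymous"}]},
    {"endpointUrl": "opc.tcp://plc-02:4840", "securityPolicyUri": POLICY_PREFIX + "Basic256",
     "securityMode": MODE_SIGN,
     "userIdentityTokens": [{"policyId": "user", "tokenType": "UserName",
                             "securityPolicyUri": POLICY_PREFIX + "None"}]},
    {"endpointUrl": "opc.tcp://plc-03:4840", "securityPolicyUri": POLICY_PREFIX + "Basic256Sha256",
     "securityMode": MODE_SIGN_AND_ENCRYPT,
     "userIdentityTokens": [{"policyId": "user", "tokenType": "UserName"}]},
]

if __name__ == "__main__":
    for url, findings in audit_server(SAMPLE_ENDPOINTS).items():
        for severity, reason in findings:
            print(f"{severity:6} {url}: {reason}")
```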


Language: German

Questions and Answers: No

