SLOVENIAN STANDARD
01-December-2021
Supersedes:
SIST-TP CLC/TR 62541-2:2010
Poenotena arhitektura OPC - 2. del: Zaščitni model (IEC/TR 62541-2:2020)
OPC unified architecture - Part 2: Security Model (IEC/TR 62541-2:2020)
OPC Unified Architecture - Teil 2: Modell für die IT-Sicherheit (IEC/TR 62541-2:2020)
Architecture unifiée OPC - Partie 2: Modèle de sécurité (IEC/TR 62541-2:2020)
This Slovenian standard is identical to: CLC IEC/TR 62541-2:2021
ICS:
25.040.40 Industrial process measurement and control
35.100.01 Open systems interconnection in general
2003-01. Slovenian Institute for Standardization. Reproduction of all or part of this standard is not permitted.
TECHNICAL REPORT CLC IEC/TR 62541-2
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
July 2021
ICS 25.040.40; 35.100.01
Supersedes CLC/TR 62541-2:2010
English Version
OPC unified architecture - Part 2: Security Model
(IEC/TR 62541-2:2020)
Architecture unifiée OPC - Partie 2: Modèle de sécurité (IEC/TR 62541-2:2020)
OPC Unified Architecture - Teil 2: Modell für die IT-Sicherheit (IEC/TR 62541-2:2020)
This Technical Report was approved by CENELEC on 2021-07-05.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2021 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. CLC IEC/TR 62541-2:2021 E
European foreword
This document (CLC IEC/TR 62541-2:2021) consists of the text of IEC/TR 62541-2:2020, prepared by
SC 65E "Devices and integration in enterprise systems" of IEC/TC 65 "Industrial-process
measurement, control and automation".
This document supersedes CLC/TR 62541-2:2010.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Technical Report IEC/TR 62541-2:2020 was approved by CENELEC as a
European Technical Report without any modification.
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod),
the relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cenelec.eu.
Publication | Year | Title | EN/HD | Year
--- | --- | --- | --- | ---
IEC/TR 62541-1 | - | OPC Unified Architecture - Part 1: Overview and Concepts | CLC IEC/TR 62541-1 | -
IEC 62541-4 | - | OPC Unified Architecture - Part 4: Services | EN IEC 62541-4 | -
IEC 62541-5 | - | OPC Unified Architecture - Part 5: Information Model | EN IEC 62541-5 | -
IEC 62541-6 | - | OPC Unified Architecture - Part 6: Mappings | EN IEC 62541-6 | -
IEC 62541-7 | - | OPC unified architecture - Part 7: Profiles | EN IEC 62541-7 | -
IEC 62541-12 | - | OPC unified architecture - Part 12: Discovery and global services | EN IEC 62541-12 | -
IEC 62541-14 | - | OPC unified architecture - Part 14: PubSub | EN IEC 62541-14 | -
IEC 62351 | series | Power systems management and associated information exchange - Data and communications security | EN IEC 62351 | series
IEC TR 62541-2
Edition 3.0 2020-11
TECHNICAL REPORT
OPC unified architecture – Part 2: Security Model
INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 25.040.40; 35.100.01
ISBN 978-2-8322-9077-4
– 2 – IEC TR 62541-2:2020 © IEC 2020
CONTENTS
FOREWORD
1 Scope
2 Normative references
3 Terms, definitions, and abbreviated terms
3.1 Terms and definitions
3.2 Abbreviated terms
4 OPC UA security architecture
4.1 OPC UA security environment
4.2 Security objectives
4.2.1 Overview
4.2.2 Authentication
4.2.3 Authorization
4.2.4 Confidentiality
4.2.5 Integrity
4.2.6 Non-Repudiation
4.2.7 Auditability
4.2.8 Availability
4.3 Security threats to OPC UA systems
4.3.1 Overview
4.3.2 Denial of Service
4.3.3 Eavesdropping
4.3.4 Message spoofing
4.3.5 Message alteration
4.3.6 Message replay
4.3.7 Malformed Messages
4.3.8 Server profiling
4.3.9 Session hijacking
4.3.10 Rogue Server
4.3.11 Rogue Publisher
4.3.12 Compromising user credentials
4.3.13 Repudiation
4.4 OPC UA relationship to site security
4.5 OPC UA security architecture
4.5.1 Overview
4.5.2 Client / Server
4.5.3 Publish-Subscribe
4.6 SecurityPolicies
4.7 Security Profiles
4.8 Security Mode Settings
4.9 User Authentication
4.10 Application Authentication
4.11 User Authorization
4.12 Roles
4.13 OPC UA security related Services
4.14 Auditing
4.14.1 General
4.14.2 Single Client and Server
4.14.3 Aggregating Server
4.14.4 Aggregation through a non-auditing Server
4.14.5 Aggregating Server with service distribution
5 Security reconciliation
5.1 Reconciliation of threats with OPC UA security mechanisms
5.1.1 Overview
5.1.2 Denial of Service
5.1.3 Eavesdropping
5.1.4 Message spoofing
5.1.5 Message alteration
5.1.6 Message replay
5.1.7 Malformed Messages
5.1.8 Server profiling
5.1.9 Session hijacking
5.1.10 Rogue Server or Publisher
5.1.11 Compromising user credentials
5.1.12 Repudiation
5.2 Reconciliation of objectives with OPC UA security mechanisms
5.2.1 Overview
5.2.2 Application Authentication
5.2.3 User Authentication
5.2.4 Authorization
5.2.5 Confidentiality
5.2.6 Integrity
5.2.7 Auditability
5.2.8 Availability
6 Implementation and deployment considerations
6.1 Overview
6.2 Appropriate timeouts
...