IEC TR 62541-2:2020

OPC Unified Architecture - Part 2: Security Model

IEC TR 62541-2:2020

Name:IEC TR 62541-2:2020   Standard name:OPC Unified Architecture - Part 2: Security Model
Standard number:IEC TR 62541-2:2020   language:English language
Release Date:16-Nov-2020   technical committee:SC 65E - Devices and integration in enterprise systems
Drafting committee:WG 8 - TC 65/SC 65E/WG 8   ICS number:25.040.40 - Industrial process measurement and control

IEC TR 62541-2
Edition 3.0 2020-11
TECHNICAL
REPORT
colour
inside
OPC unified architecture –
Part 2: Security Model




your local IEC member National Committee for further information.

IEC Central Office Tel.: +41 22 919 02 11
3, rue de
CH-1211 Geneva 20
Switzerland
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigendum or an amendment might have been published.

IEC publications search - webstore.iec.ch/advsearchform Electropedia - www.electropedia.org
The advanced search enables to find IEC publications by a The world's leading online dictionary on electrotechnology,
variety of criteria (reference number, text, technical containing more than 22 000 terminological entries in English
committee,…). It also gives information on projects, replaced and French, with equivalent terms in 16 additional languages.
and withdrawn publications. Also known as the International Electrotechnical Vocabulary

(IEV) online.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published IEC Glossary - std.iec.ch/glossary
details all new publications released. Available online and 67 000 electrotechnical terminology entries in English and
once a month by email. French extracted from the Terms and Definitions clause of
IEC publications issued since 2002. Some entries have been
IEC Customer Service Centre - webstore.iec.ch/csc collected from earlier publications of IEC TC 37, 77, 86 and
If you wish to give us your feedback on this publication or CISPR.

need further assistance, please contact the Customer Service

.
IEC TR 62541-2
Edition 3.0 2020-11
TECHNICAL
REPORT
colour
inside
OPC unified architecture –
Part 2: Security Model
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 25.040.40; 35.100.01 ISBN 978-2-8322-9077-4

– 2 – IEC TR 62541-2:2020 © IEC 2020
CONTENTS
FOREWORD . 5
1 Scope . 7
2 Normative references . 7
3 Terms, definitions, and abbreviated terms . 8
3.1 Terms and definitions . 8
3.2 Abbreviated terms . 13
4 OPC UA security architecture . 13
4.1 OPC UA security environment . 13
4.2 Security objectives . 14
4.2.1 Overview . 14
4.2.2 Authentication. 15
4.2.3 Authorization . 15
4.2.4 Confidentiality . 15
4.2.5 Integrity . 15
4.2.6 Non-Repudiation . 15
4.2.7 Auditability . 15
4.2.8 Availability . 15
4.3 Security threats to OPC UA systems . 15
4.3.1 Overview . 15
4.3.2 Denial of Service . 16
4.3.3 Eavesdropping . 17
4.3.4 Message spoofing . 17
4.3.5 Message alteration . 17
4.3.6 Message replay . 17
4.3.7 Malformed Messages . 18
4.3.8 Server profiling . 18
4.3.9 Session hijacking . 18
4.3.10 Rogue Server . 18
4.3.11 Rogue Publisher . 18
4.3.12 Compromising user credentials . 19
4.3.13 Repudiation . 19
4.4 OPC UA relationship to site security . 19
4.5 OPC UA security architecture . 20
4.5.1 Overview . 20
4.5.2 Client / Server . 21
4.5.3 Publish-Subscribe . 22
4.6 SecurityPolicies . 23
4.7 Security Profiles . 24
4.8 Security Mode Settings . 24
4.9 User Authentication . 24
4.10 Application Authentication . 24
4.11 User Authorization . 25
4.12 Roles . 25
4.13 OPC UA security related Services . 25
4.14 Auditing . 26
4.14.1 General . 26

4.14.2 Single Client and Server . 27
4.14.3 Aggregating Server . 28
4.14.4 Aggregation through a non-auditing Server . 28
4.14.5 Aggregating Server with service distribution . 29
5 Security reconciliation . 30
5.1 Reconciliation of threats with OPC UA security mechanisms . 30
5.1.1 Overview . 30
5.1.2 Denial of Service . 31
5.1.3 Eavesdropping . 32
5.1.4 Message spoofing . 32
5.1.5 Message alteration . 33
5.1.6 Message replay . 33
5.1.7 Malformed Messages . 33
5.1.8 Server profiling . 33
5.1.9 Session hijacking . 33
5.1.10 Rogue Server or Publisher . 34
5.1.11 Compromising user credentials . 34
5.1.12 Repudiation . 34
5.2 Reconciliation of objectives with OPC UA security mechanisms . 34
5.2.1 Overview . 34
5.2.2 Application Authentication . 34
5.2.3 User Authentication . 35
5.2.4 Authorization . 35
5.2.5 Confidentiality . 35
5.2.6 Integrity . 35
5.2.7 Auditability . 35
5.2.8 Availability . 36
6 Implementation and deployment considerations . 36
6.1 Overview. 36
6.2 Appropriate timeouts . 36
6.3 Strict Message processing . 36
6.4 Random number generation . 37
6.5 Special and reserved packets . 37
6.6 Rate limiting and flow control . 37
6.7 Administrative access . 37
6.8 Cryptographic Keys . 38
6.9 Alarm related guidance . 38
6.10 Program access . 38
6.11 Audit event management . 39
6.12 OAuth2, JWT and User roles . 39
6.13 HTTPs, SSL/TLS & Websockets . 39
6.14 Reverse Connect . 39
7 Unsecured Services . 40
7.1 Overview. 40
7.2 Multicast Discovery . 40
7.3 Global Discovery Server Security . 40
7.3.1 Overview . 40
7.3.2 Rogue GDS . 40
7.3.3 Threats against a GDS . 41

– 4 – IEC TR 62541-2:2020 © IEC 2020
...

  • Relates Information
  • ISO 8130-9:1992

    ISO 8130-9:1992 - Coating powders
    09-28
  • EN 352-2:2020/FprA1

    EN 352-2:2021/oprA1:2023
    09-28
  • IEC TS 61158-4:1999

    IEC TS 61158-4:1999 - Digital data communications for measurement and control - Fieldbus for use in industrial control systems - Part 4: Data Link protocol specification Released:3/24/1999 Isbn:2831847656
    09-28
  • HD 566 S1:1990

    HD 566 S1:1998
    09-28
  • ISO 5131:1982/Amd 1:1992

    ISO 5131:1982/Amd 1:1992
    09-28
  • EN 60598-2-22:1990

    EN 60598-2-22:1996
    09-27
  • ISO 8504-2:1992

    ISO 8504-2:1992 - Preparation of steel substrates before application of paints and related products -- Surface preparation methods
    09-27
  • EN 12165:2024

    prEN 12165:2022
    09-27
  • IEC TS 61158-6:1999

    IEC TS 61158-6:1999 - Digital data communications for measurement and control - Fieldbus for use in industrial control systems - Part 6: Application Layer protocol specification Released:3/24/1999 Isbn:2831847613
    09-27
  • ISO 4252:1992

    ISO 4252:1992 - Agricultural tractors -- Operator's workplace, access and exit -- Dimensions
    09-27