IEC_TR_62541-2-2010.pdf

IEC/TR 62541-2Edition 1.0 2010-02TECHNICAL REPORT OPC Unified Architecture Part 2:Security Model IEC/TR 62541-2:2010(E)LICENSED TO MECON LIMITED-RANCHI/BANGALORE,FOR INTERNAL USE AT THIS LOCATION ONLY,SUPPLIED BY BOOK SUPPLY BUREAU.THIS PUBLICATION IS COPYRIGHT PROTECTED Copyright 2010 IEC,Geneva,Switzerland All rights reserved.Unless otherwise specified,no part of this publication may be reproduced or utilized in any form or by any means,electronic or mechanical,including photocopying and microfilm,without permission in writing from either IEC or IECs member National Committee in the country of the requester.If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,please contact the address below or your local IEC member National Committee for further information.Droits de reproduction rservs.Sauf indication contraire,aucune partie de cette publication ne peut tre reproduite ni utilise sous quelque forme que ce soit et par aucun procd,lectronique ou mcanique,y compris la photocopie et les microfilms,sans laccord crit de la CEI ou du Comit national de la CEI du pays du demandeur.Si vous avez des questions sur le copyright de la CEI ou si vous dsirez obtenir des droits supplmentaires sur cette publication,utilisez les coordonnes ci-aprs ou contactez le Comit national de la CEI de votre pays de rsidence.IEC Central Office 3,rue de Varemb CH-1211 Geneva 20 Switzerland Email:inmailiec.ch Web:www.iec.ch About IEC publications The technical content of IEC publications is kept under constant review by the IEC.Please make sure that you have the latest edition,a corrigenda or an amendment might have been published.?Catalogue of IEC publications:www.iec.ch/searchpub The IEC on-line Catalogue enables you to search by a variety of criteria(reference number,text,technical committee,).It also gives information on projects,withdrawn and replaced publications.?IEC Just Published:www.iec.ch/online_news/justpub Stay up to date on all new IEC publications.Just Published details twice a month all new publications released.Available on-line and also by email.?Electropedia:www.electropedia.org The worlds leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions in English and French,with equivalent terms in additional languages.Also known as the International Electrotechnical Vocabulary online.?Customer Service Centre:www.iec.ch/webstore/custserv If you wish to give us your feedback on this publication or need further assistance,please visit the Customer Service Centre FAQ or contact us:Email:csciec.ch Tel.:+41 22 919 02 11 Fax:+41 22 919 03 00 LICENSED TO MECON LIMITED-RANCHI/BANGALORE,FOR INTERNAL USE AT THIS LOCATION ONLY,SUPPLIED BY BOOK SUPPLY BUREAU.IEC/TR 62541-2Edition 1.0 2010-02TECHNICAL REPORT OPC Unified Architecture Part 2:Security Model INTERNATIONAL ELECTROTECHNICAL COMMISSION VICS 25.040.40;35.100.01 PRICE CODEISBN 2-8318-1080-3 Registered trademark of the International Electrotechnical Commission LICENSED TO MECON LIMITED-RANCHI/BANGALORE,FOR INTERNAL USE AT THIS LOCATION ONLY,SUPPLIED BY BOOK SUPPLY BUREAU.2 TR 62541-2 IEC:2010(E)CONTENTS FOREWORD.4 INTRODUCTION.6 1 Scope.7 2 Normative references.7 3 Terms,definitions,abbreviations and conventions.7 3.1 Terms and definitions.7 3.2 Abbreviations and symbols.11 3.3 Conventions concerning security model figures.11 4 OPC UA Security architecture.11 4.1 OPC UA security environment.11 4.2 Security objectives.12 4.2.1 General.12 4.2.2 Authentication.13 4.2.3 Authorization.13 4.2.4 Confidentiality.13 4.2.5 Integrity.13 4.2.6 Auditability.13 4.2.7 Availability.13 4.3 Security threats to OPC UA systems.13 4.3.1 General.13 4.3.2 Message flooding.13 4.3.3 Eavesdropping.14 4.3.4 Message spoofing.14 4.3.5 Message alteration.14 4.3.6 Message replay.14 4.3.7 Malformed messages.15 4.3.8 Server profiling.15 4.3.9 Session hijacking.15 4.3.10 Rogue server.15 4.3.11 Compromising user credentials.15 4.4 OPC UA relationship to site security.16 4.5 OPC UA security architecture.16 4.6 Security policies.18 4.7 Security profiles.18 4.8 User authorization.19 4.9 User authentication.19 4.10 Application authentication.19 4.11 OPC UA security related services.19 4.12 Auditing.20 4.12.1 General.20 4.12.2 Single client and server.21 4.12.3 Aggregating server.21 4.12.4 Aggregation through a non-auditing server.22 4.12.5 Aggregating server with service distribution.23 5 Security reconciliation.24 5.1 Reconciliation of threats with OPC UA security mechanisms.24 LICENSED TO MECON LIMITED-RANCHI/BANGALORE,FOR INTERNAL USE AT THIS LOCATION ONLY,SUPPLIED BY BOOK SUPPLY BUREAU.TR 62541-2 IEC:2010(E)3 5.1.1 General.24 5.1.2 Message flooding.24 5.1.3 Eavesdropping.25 5.1.4 Message spoofing.25 5.1.5 Message alteration.25 5.1.6 Message replay.25 5.1.7 Malformed messages.26 5.1.8 Server profiling.26 5.1.9 Session hijacking.26 5.1.10 Rogue server.26 5.1.11 Compromising user credentials.26 5.2