OPC UA Security – Protecting the Integrity of Information

In recent blogs, we’ve been discussing aspects of OPC UA (Unified Architecture) technology in PLC/PAC control. OPC UA is a secure, platform-independent, scalable, and object-oriented architecture for representing and communicating information. Security is an integral part of OPC UA technology. An OPC UA server provides a set of services dedicated to creating a secure connection. Once that connection is created, the server applies the security protocol to messages exchanged between the client and server to ensure their integrity and confidentiality. The following overview of how a secure connection is established between an OPC UA server and client gives insight into the workings of OPC UA security.

  1. Find Available Endpoints to Establish a Secure Channel
    1. If an OPC UA client does not have pre-configured information on how to connect to a server, it can send an unsecured request to the discovery endpoint of the server to get descriptions of the server’s available endpoints. The discovery endpoint of a server is either well-known or obtained from a Global Discovery Server. The returned endpoint descriptions contain all the information the client needs to establish a Secure Channel with an endpoint, including the server’s Application Instance Certificate and the Security Mode that endpoint supports.
    2. The client selects an available endpoint that it can handle from a security perspective and validates the server’s Application Instance Certificate for the endpoint to ensure that it is trustworthy.

  2. Open Secure Channel to Selected Endpoint
    1. The client then makes a request to open a Secure Channel to the selected endpoint of the server in accordance with the Security Mode. If the Security Mode is None, the request message is unsecured. If the Security Mode is either Sign or SignAndEncrypt, the request message is secured using Public Key Cryptography (PKC). In the request message, the client sends its Application Instance Certificate and a secret.
    2. Once the open Secure Channel request message is received by the server, it validates the Application Instance Certificate of the client to ensure that it is trustworthy. The client’s Application Instance Certificate is provided in the unencrypted part of the request message. If the client is trustworthy, then the server uses PKC to decrypt and verify the signature of the request message. The server then sends a response message, which includes a secret, to the client, secured in a similar fashion to the request.
    3. The client receives the secured response from the server and can, therefore, decrypt and verify the signature of the server using PKC. The use of PKC during the open Secure Channel request-response message exchange is necessary so that: (1) the client can authenticate the server; (2) the server can authenticate the client; and (3) secrets can be exchanged between the client and server so that Symmetric Keys can be derived.
    4. Once Symmetric Keys have been derived on both the client and the server, the Secure Channel is established. The Symmetric Keys are used for signing and encrypting all subsequent messages on the Secure Channel.

  3. Create Session
    1. The client makes a request to the server to create a session on top of the Secure Channel.
    2. In response to this request, the server returns a session identifier and authentication token. The session identifier is used to identify the session in audit logs and in the server’s AddressSpace. The authentication token is used to associate an incoming request with a session.

  4. Activate Session
    1. The client makes a request to the server to activate the session. The purpose of this request is to associate a user identity with a session. Therefore, the request includes the user’s credentials along with proof that the request is coming from the same client that created the session.
    2. Once the server receives the request, it validates the user credentials and confirms that the client is the same one that created the session. If both validations succeed, the session is activated and a connection between the client and server is established.
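The secret exchange in step 2 ends with both sides deriving the same Symmetric Keys from the two exchanged secrets (nonces). The following is an added example, not code from the original post or from Emerson, showing that derivation for the Basic256Sha256 policy as defined in OPC UA Part 6 (P_SHA256 pseudo-random function, directional key sets) and the symmetric signature a server then checks on incoming client messages. The nonce values are constructed for illustration; the function and constant names are this example's own.

```python
# Added example: OPC UA Part 6 symmetric key derivation after OpenSecureChannel
# (policy Basic256Sha256). Standard library only.
import hmac
import hashlib

# Basic256Sha256 key sizes in bytes: signing key, encrypting key, AES block/IV.
SIGNING_KEY_LEN = 32
ENCRYPTING_KEY_LEN = 32
BLOCK_SIZE = 16


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """OPC UA P_SHA256 PRF: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_keys(secret: bytes, seed: bytes) -> dict:
    """Split PRF output into signing key, encrypting key and IV, in that order."""
    material = p_sha256(secret, seed, SIGNING_KEY_LEN + ENCRYPTING_KEY_LEN + BLOCK_SIZE)
    enc_end = SIGNING_KEY_LEN + ENCRYPTING_KEY_LEN
    return {"signing_key": material[:SIGNING_KEY_LEN],
            "encrypting_key": material[SIGNING_KEY_LEN:enc_end],
            "iv": material[enc_end:]}


def channel_keys(client_nonce: bytes, server_nonce: bytes) -> tuple:
    """Keys for client->server traffic use ServerNonce as secret and ClientNonce
    as seed; server->client keys use the reverse. Each side computes both sets."""
    return derive_keys(server_nonce, client_nonce), derive_keys(client_nonce, server_nonce)


def sign_message(signing_key: bytes, message: bytes) -> bytes:
    """Symmetric signature (HMAC-SHA256) appended to a Secure Channel message."""
    return hmac.new(signing_key, message, hashlib.sha256).digest()


# Constructed 32-byte nonces standing in for the secrets carried under PKC.
CLIENT_NONCE = bytes(range(32))
SERVER_NONCE = bytes(range(32, 64))

if __name__ == "__main__":
    to_server, to_client = channel_keys(CLIENT_NONCE, SERVER_NONCE)
    body = b"constructed ReadRequest body"
    tag = sign_message(to_server["signing_key"], body)      # computed by client
    # Server derived the same client->server key, so it can verify the tag.
    assert hmac.compare_digest(tag, sign_message(to_server["signing_key"], body))
    # A message signed with the server->client key would be rejected here.
    assert not hmac.compare_digest(tag, sign_message(to_client["signing_key"], body))
    print("symmetric keys derived and client signature verified")
```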

Emerson PLC/PAC control systems consist of applications distributed across different hardware platforms and unified by a common information backbone – the OPC UA framework. OPC UA provides a mechanism to protect the confidentiality and integrity of information and to determine whether applications are trustworthy – a fundamental need of the industrial internet.