OPC UA IEC 62443 Compliance Mapping: Enhancing the Security of Industrial Networks (26-page slide deck)
OPC Day International

Paul Hunkar
Director of Compliance & Certification
Editor, OPC UA Part 2: Security

Secure by Design
Many products from many vendors.
Many aspects: Client/Server communication, Pub/Sub communication, Information models.
[Figure: network diagram spanning the Enterprise network, Plant Floor Network and Operation Network, with OPC Clients, OPC Servers, OPC Publishers/Subscribers, a CA, SKS, GDS and the Internet]

OPC UA Server products
PC, Laptop, Rack server, Embedded controller.
[Figure: Server / Server]

OPC UA Server products
PC, Laptop, Rack server, Embedded controller; Application(s).
OPC UA Client: securely obtain data; include the user's identity/authorization.
Global Services (GDS): Certificate, Authentication, Authorization.

Confidentiality
Protecting privacy of message contents.
[Figure: "Changed Value: Variable Y Value 0" exposed from OPC UA Information and Functionality; prevented by confidentiality controls]

Integrity
Not manipulating the content of a message.
[Figure: "Write: Variable X Value 1" altered to "Changed Value: Variable Y Value 0" (Value 0 / Value 1); prevented by integrity controls]

Availability
Resilient to DoS threats, maximizing availability.
Protected by design for availability.
[Figure: UA Server / UA Client]

Application: Authentication and Authorization
Application Instance Certificates.
OPC UA Information and Functionality (e.g. read, write).

User: Authentication and Authorization
OPC UA Information and Functionality (e.g. read, write).
1. Authenticate User (e.g. username and password, Certificates, OAuth 2.0, others).
2. Authorize for specific operations and information (e.g. writing a specific value).

Auditability
Tracking important interactions.
[Figure: UA Traffic "Write Variable change from 1 to 2 by Karl" is recorded in the AuditLog]
Tracks all important updates, including who did it.
OPC UA defines audit parameters to be included in audit records.

[Figure: Device; Other Applications; Certificate Storage; Not Secured Communication; Not Authenticated Users]

The ISA99 committee, Industrial Automation and Control Systems Security, and IEC Technical Committee 65 Working Group 10 (TC 65 WG 10) have cooperated in the development of the ISA/IEC 62443 series of standards and technical reports that define the requirements for cybersecurity robustness and resilience at each stage of the IACS lifecycle. The ISA editions appear as "ISA-62443-x-y," while the IEC editions appear as "IEC 62443-x-y."

ISA-62443
[Figure: the ISA-62443 standard series, http://en.wikipedia.org/wiki/File:ISA-62443_Standard_Series_2012.png]

What is the SL (Security Assurance Level)?
SL-T, where T defines the target security level.
SL-C, where C defines the capability achieved.

SL 1: Identify and authenticate all users (humans, software processes and devices) by mechanisms which protect against casual or coincidental access by unauthenticated entities.
SL 2: Identify and authenticate all users (humans, software processes and devices) by mechanisms which protect against intentional unauthenticated access by entities using simple means with low resources, generic skills and low motivation.
SL 3: Identify and authenticate all users (humans, software processes and devices) by mechanisms which protect against intentional unauthenticated access by entities using sophisticated means with moderate resources, IACS specific skills and moderate motivation.
SL 4: Identify and authenticate all users (humans, software processes and devices) by mechanisms which protect against intentional unauthenticated access by entities using sophisticated means with extended resources, IACS specific skills and high motivation.
Source: http://isa99.isa.org/Documents/Drafts/ISA-62443-3-3-WD.pdf

OPC UA specification parts
1) Concepts
2) Security Model
3) Address Space Model
4) Services
5) Information Model
6) Mappings
7) Profiles
8) Data Access
9) Alarms and Conditions
10) Programs
11) Historical Access
12) Discovery
13) Aggregates
14) PubSub
15) Safety
16) State Machines
17) Alias Names
18) Role-Based Security
19) Dictionary Reference
20) File Transfer
21) Device Provisioning
Red (in the slide): directly relevant for IT security.

ISA-62443-4-2 SL2 CRs and REs | Applies to OPC UA | OPC UA Part # | OPC UA Profile/Facet/Conformance Unit (CU)
CR 1.1: Human user identification and authentication | Y | Part 4 | IssuedIdentityToken
 | | Part 6 | JSON Web Token (JWT), JWT UserTokenPolicy
 | | Part 7 | Security User JWT IssuedToken, Security User JWT TokenPolicy, OPC UA Authority Profile
RE(1): Unique identification and authentication | Y | Part 4 | IssuedIdentityToken
 | | Part 6 | JSON Web Token (JWT), JWT UserTokenPolicy
 | | Part 7 | Security User JWT IssuedToken, Security User JWT TokenPolicy, OPC UA Authority Profile, User Token JWT Server Facet, User Token JWT Client Facet

Part 7 Profile Tool
[Figure: screenshot of the Part 7 Profile Tool]
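For the CR 1.1 / RE(1) rows above (human user identification and authentication through an IssuedIdentityToken carrying a JWT), here is an added example, not from the slides or the OPC Foundation, of the server-side check a JWT user token has to pass before a session is activated and the user is bound to a unique identity. It assumes a constructed UserTokenPolicy, an HS256 token whose secret is shared between issuer and server, and hypothetical helper names (make_jwt, verify_jwt, activate_session); real deployments generally verify tokens issued by an authorization service with that service's public key.

```python
import base64, hashlib, hmac, json

# Constructed server-side UserTokenPolicy: accept an IssuedToken of type JWT (illustrative shape).
POLICY = {"PolicyId": "jwt_user", "TokenType": "IssuedToken", "IssuedTokenType": "JWT"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims, secret, alg="HS256"):
    """Test helper (constructed): builds a compact JWT signed with HS256; 'alg' only goes into the header."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token, secret, now):
    """Returns (claims, None) or (None, reason). No claim is trusted before the signature checks out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:                      # bad base64, bad JSON or wrong number of parts
        return None, "malformed token"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unsupported alg"      # rejects 'none' and any algorithm the policy does not expect
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None, "expired or no exp"
    return claims, None

def activate_session(issued_token, policy, secret, now):
    """Constructed model of the server's decision for an ActivateSession carrying an IssuedIdentityToken."""
    if policy["TokenType"] != "IssuedToken" or policy["IssuedTokenType"] != "JWT":
        return {"authenticated": False, "user_id": None, "reason": "policy mismatch"}
    claims, reason = verify_jwt(issued_token, secret, now)
    if claims is None:
        return {"authenticated": False, "user_id": None, "reason": reason}
    user_id = claims.get("sub")             # RE(1): every human user must carry a unique identifier
    if not isinstance(user_id, str) or not user_id.strip():
        return {"authenticated": False, "user_id": None, "reason": "no unique subject"}
    return {"authenticated": True, "user_id": user_id, "reason": "ok"}
```

The audit record on the earlier slide ("... by Karl") can only name the user because this step binds the session to the verified `sub` claim.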
ISA-62443-4-2 SL2 CRs and REs | Applies to OPC UA | OPC UA Part # | OPC UA Profile/Facet/Conformance Unit (CU)
CR 1.2: Software process and device identification and authentication | Y | Part 2 | Application Authentication, X.509 v3 Security Certificates
 | | Part 4 | Application Instance Security Certificate, EndpointDescription, EndpointUrl, Hostname (Device)
 | | Part 7 | Security Default Application Instance Security Certificate, Global Security Certificate Management Server Facet
CR 1.3: Account management | N | |

Part 2 describes the mapping for all sections of ISA-62443-4-2. This includes all CRs and REs. The mapping was provided by The Open Group from the O-PAS Standard, Version 2.1. The mapping includes references to standards that were not yet published when 1.05.01 was published. In a future release of Part 2 we will enhance the mapping to include other items that map from OPC specifications to the IEC 62443 specification.

Certification

The ISA Security Compliance Institute (ISCI), a wholly-owned ISA certification consortium, offers three schemes for off-the-shelf industrial automation and control technology, including the Component Security Assurance (CSA) Certification, IoT Component Security Assurance (ICSA), and System Security Assurance (SSA) Certification. ISCI also offers the Security Development Lifecycle Assurance (SDLA) Certification program, which applies to development processes used by suppliers of control system products. These certifications assure conformance to the ISA/IEC 62443 family of cybersecurity standards. Based on security requirements published in the ISA/IEC 62443 series of standards, the certification schemes demonstrate suppliers' commitment to protecting products and systems from a variety of cybersecurity threats.

Paul Hunkar
Paul.Hunkar@OPCFoundation.org
Questions: enter them in; we will answer them after all sessions. We will also respond to the questions in writing.