1. What are the basic security implementation guidelines provided by OPC Foundation?
The standards recommend using FIPS 140-2 compliant algorithms, but they do not prescribe how to implement them. The OPC Foundation has also released a document, “Practical Security Recommendations for building OPC UA Applications”, which you can refer to for guidance.
2. How is security incorporated in the OPC DA (OPC Classic)?
OPC Classic has limitations and dependencies, particularly around DCOM and COM configuration. OPC UA was built, and continues to be improved, with security in mind; that is not the case with OPC Classic.
3. Will communication between the client and the server be established if they are configured with OPC DA and OPC UA respectively?
If the client is OPC Classic, it can only connect to an OPC Classic DA server. However, if you have an OPC UA server, you can convert its data to OPC DA and then connect to it with the OPC Classic client.
4. Is there a particular certificate format, and is it always generated by the client?
Certificates are created by both the server and the client, and they follow the X.509 certificate format.
5. How are the security certificates managed? Is there any tool available in the market for users to select?
There are no separate tools available in the market to manage the security certificates. It is up to the OPC Pub/Sub development vendor to provide the tool required to generate the certificate keys. Users can select whichever tool works best for them, provided it is compliant with the OPC specifications.
6. How do I implement an OPC UA client and server on Windows? What is the minimum scan time and what are the tag limitations? What are the technical prerequisites and what is the associated cost?
“Thank you for your interest in approaching Utthunga for implementing an OPC UA solution for your Windows application. The simplest approach is to have a COTS solution that allows you to customize your OPC UA application based on your business requirements and needs. In case you need assistance in the stack selection and implementation of different OPC UA applications, we can help you, as our Industrial Connectivity solutions leverage the domain and technical expertise of our competent team of developers. We’ll also help you determine the scan times and tag limitations based on the target machine’s hardware and software configurations. We are a vendor-neutral supplier of certified OPC UA and OPC based data interoperability products for control automation, to ensure secure, authenticated, and encrypted communications across various network topologies.”
7. Is device security different from OPC UA security? Does one need to purchase a separate stack or service for both?
Yes. Device security and OPC UA security (or any protocol/application level security) are two totally different features.
Device security includes communication security along with data security, identifying vulnerabilities in order to set up protection mechanisms, monitoring, notification and configurability. The scope of OPC UA security covers only communication security.
For OPC UA security, OPC UA stacks usually depend on other security libraries such as OpenSSL and mbedTLS.
Due to its inherent nature, device security cannot be delivered as a stack; it is provided as a service instead. This is because the security aspects of every device vary from device to device based on hardware, form factor, firmware design, how the device is going to be used by the end customer, and so on.
To answer your question of whether to purchase a separate stack or opt for a service: we can collaborate on a suitable engagement model that involves a security consultant, developer and tester working alongside your product development team throughout the product development lifecycle, including maintenance (to keep the product up to date from a security standpoint as new types of security threats are discovered).
8. How can all the data from several OPC servers running on several independent networks be collected at a central location?
Thank you for reaching out for our help with your OPC related issue. To collect all the OPC data in one server at a central location, please follow the steps below.
- Install the server-side component in each of the 7 independent DCS networks; each installation exposes its data over OPC UA.
- In the firewall settings, open the port used by the OPC UA server in the server-side component.
- At the central location, install the client-side component and configure it to connect to all the OPC UA servers (server-side components) running in the 7 independent DCS networks.
- The client-side component will now act as a central server, collecting all the OPC data from the different locations in a secure manner.
You can reach out directly to our OPC experts for a more detailed understanding of our OPC capabilities and services that meet your specific requirements.
9. How and where are the security certificates generated in an OPC UA network? What is the process of certificate exchange between the OPC UA client and server?
Usually the certificates are generated in their trusted path. However, whenever an application tries to connect, the peer's certificate is placed in the rejected folder path, and the end user needs to manually copy that certificate to the trusted location. This procedure applies at both the client end and the server end.
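As an added example (not code from Utthunga or from any OPC UA stack), the following Python models the trusted/rejected folder procedure described above as a directory-based trust store: an unknown peer certificate is staged in the rejected folder, and only an operator's explicit move to the trusted folder makes it acceptable. The directory layout, the thumbprint-named files and the certificate bytes are assumptions or constructed placeholders.

```python
import hashlib
import os
import shutil
import tempfile

def thumbprint(cert_der: bytes) -> str:
    # OPC UA identifies a certificate by the SHA-1 hash of its DER encoding.
    return hashlib.sha1(cert_der).hexdigest().upper()

class TrustStore:
    """Directory-based store with trusted/certs and rejected/certs (layout assumed)."""
    def __init__(self, root):
        self.trusted = os.path.join(root, "trusted", "certs")
        self.rejected = os.path.join(root, "rejected", "certs")
        for folder in (self.trusted, self.rejected):
            os.makedirs(folder, exist_ok=True)

    def validate_peer(self, cert_der):
        """Accept only a byte-identical copy held in trusted/; otherwise stage in rejected/."""
        tp = thumbprint(cert_der)
        trusted_path = os.path.join(self.trusted, tp + ".der")  # file named by thumbprint (assumed)
        if os.path.isfile(trusted_path):
            with open(trusted_path, "rb") as f:
                if f.read() == cert_der:  # a renamed or tampered file does not count
                    return True
        with open(os.path.join(self.rejected, tp + ".der"), "wb") as f:
            f.write(cert_der)  # left for an operator to review
        return False

    def trust(self, tp):
        """Operator step from the text: move a reviewed certificate to the trusted folder."""
        src = os.path.join(self.rejected, tp + ".der")
        if not os.path.isfile(src):
            raise FileNotFoundError(f"no rejected certificate with thumbprint {tp}")
        shutil.move(src, os.path.join(self.trusted, tp + ".der"))

    def list_rejected(self):
        return sorted(n[:-4] for n in os.listdir(self.rejected) if n.endswith(".der"))

def demo():
    # Constructed placeholder bytes; a real store holds DER-encoded X.509 certificates.
    peer_cert = b"\x30\x82\x01\x00CONSTRUCTED-PEER-CERT"
    store = TrustStore(tempfile.mkdtemp())
    first = store.validate_peer(peer_cert)   # unknown peer: lands in rejected/
    pending = store.list_rejected()
    store.trust(pending[0])                  # operator moves it to trusted/
    second = store.validate_peer(peer_cert)  # now accepted
    return {"first": first, "second": second, "pending": pending,
            "after": store.list_rejected(), "thumbprint": thumbprint(peer_cert)}
```

The same store logic runs on both ends, since the text notes the procedure applies to the client and the server alike.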
10. Which ports are used for scanning the network machines on the server and client sides?
To answer your question:
- On the server side, it uses port 636.
- On the client side, it depends on the OPC UA server port configuration. However, for machine discovery it uses port 4840.