Security At Opc Ua; Security Settings - Siemens SIMATIC ET 200AL System Manual


OPC UA communication

9.2 Security at OPC UA

9.2.1 Security settings

Addressing risks
OPC UA allows the exchange of data between different systems, both within the process and
production levels and to systems at the control and enterprise level.
This possibility also entails security risks. That is why OPC UA provides a range of security
mechanisms:
• Verification of the identity of OPC UA server and clients.
• Checking of the identity of the users.
• Signed/encrypted data exchange between OPC UA server and clients.
These security policies should only be bypassed in cases where it is absolutely necessary:
• During commissioning
• In stand-alone projects without external Ethernet connection
If you have selected the endpoint "None" for "UA Sample Client" of the OPC Foundation, for
example, the program issues a clear warning.
When STEP 7 compiles your project, it also checks whether you have considered the
protection settings and warns you of possible risks. This includes an OPC UA
security policy with the setting "No security", which corresponds to the endpoint "None".
Note
Disabling security policies you do not want
If you have enabled all security policies in the secure channel settings of the S7-1500 OPC UA
server, including the endpoint "None" (no security), unsecured data traffic (neither signed
nor encrypted) between the server and client is also possible. The OPC UA server of the
S7-1500 CPU also sends its public certificate to the client at "None" (no security), and some
clients check this certificate. However, the client is not forced to send a certificate to the
server, so the identity of the client may remain unknown. Any OPC UA client can then
connect to the server irrespective of any subsequent security settings.
When configuring the OPC UA server, make sure that only security policies that are
compatible with the security concept of your machine or plant are selected. All other security
policies should be disabled.
Recommendation: Use the setting "Basic256Sha256 - Sign and Encrypt", which means that
the server only accepts Sha256 certificates. The security policies "Basic128Rsa15" and
"Basic256" are deactivated by default and should not be used as an endpoint. Select
endpoints with a higher security policy.
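
The check below is an added example, not part of the Siemens manual or of STEP 7: it applies the note's guidance to a list of endpoint descriptions such as an OPC UA client obtains from a server. The dictionary field names, the severity labels and the sample endpoints (documentation address 192.0.2.10) are assumptions constructed for illustration.

```python
# Added example: audit OPC UA endpoints against the guidance in the note above.
# Policies the manual says should not be used as an endpoint.
DISCOURAGED = {"Basic128Rsa15", "Basic256"}
# The manual's recommended setting: "Basic256Sha256 - Sign and Encrypt".
RECOMMENDED = ("Basic256Sha256", "SignAndEncrypt")
SEVERITY_ORDER = {"high": 0, "medium": 1, "review": 2}

def audit_endpoint(ep):
    """Return (severity, reason) for one endpoint description (hypothetical dict layout)."""
    # Security policy URIs end in '#<PolicyName>'.
    policy = ep["security_policy_uri"].rsplit("#", 1)[-1]
    mode = ep["security_mode"]
    if policy == "None" or mode == "None":
        return ("high", "no security: traffic is neither signed nor encrypted, "
                        "and the client is not forced to send a certificate")
    if policy in DISCOURAGED:
        return ("high", policy + " should not be used as an endpoint")
    if (policy, mode) == RECOMMENDED:
        return ("ok", "matches the recommended setting")
    if mode == "Sign":
        return ("medium", policy + " is signed but not encrypted")
    return ("review", policy + "/" + mode + " is not covered by this check")

def audit_server(endpoints):
    """Return findings for all endpoints that differ from the recommendation."""
    findings = []
    for ep in endpoints:
        severity, reason = audit_endpoint(ep)
        if severity != "ok":
            findings.append((severity, ep["url"], reason))
    # Most severe first; equal severities keep their input order.
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])

BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
URL = "opc.tcp://192.0.2.10:4840"  # constructed sample address
# Constructed sample: a server with every security policy enabled.
SAMPLE_ENDPOINTS = [
    {"url": URL, "security_policy_uri": BASE + "None", "security_mode": "None"},
    {"url": URL, "security_policy_uri": BASE + "Basic256Sha256", "security_mode": "Sign"},
    {"url": URL, "security_policy_uri": BASE + "Basic256Sha256",
     "security_mode": "SignAndEncrypt"},
    {"url": URL, "security_policy_uri": BASE + "Basic256",
     "security_mode": "SignAndEncrypt"},
]

if __name__ == "__main__":
    for severity, url, reason in audit_server(SAMPLE_ENDPOINTS):
        print(severity.upper(), url, reason)
```

An empty result from `audit_server` means every listed endpoint uses the recommended setting.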
Function Manual, 05/2021, A5E03735815-AJ
Communication
