Certificates Pursuant To Itu X.509 - Siemens SIMATIC ET 200AL System Manual

OPC UA communication
9.2 Security at OPC UA
Additional security rules
● Only use the end point "None" in exceptional cases.
● Only use the "guest authentication" of the user in exceptional cases.
● Only allow access to PLC tags and DB components via OPC UA if it is genuinely
necessary.
● Use the list of trusted clients in the settings of the S7-1500 OPC UA client to allow access
to certain clients only.
9.2.2

Certificates pursuant to ITU X.509

Security mechanisms are integrated in several layers in OPC UA. Digital certificates have an
important role here. An OPC UA client can only establish a secure connection to an OPC UA
server when the server accepts the digital certificate of the client and classifies it as trusted.
See section "Configuring the OPC UA server of the S7-1500 CPU (Page 161)".
The client must also check and trust the certificate of the server. The server and client must
show their identities and prove that they are what they claim to be: They must prove their
identity. Mutual authentication of client and server, for example, prevents man-in-the-middle
attacks.
Man-in-the-middle attacks
A "man-in-the-middle" could have positioned itself between server and client. A man-in-the-
middle is a program that intercepts communication between server and client and claims to
be a client or server, and is thus able to obtain information about the S7 program or to set
values in the CPU and attack a machine or plant.
OPC UA uses digital certificates that meet standard X.509 of the International
Telecommunication Union (ITU).
This allows the identity of a program, a computer or an organization to be proven
(authenticated).
146
Function Manual, 12/2017, A5E03735815-AF
Communication