Digital Transformation Viewpoints

Larry O'Brien Talks OPC Cybersecurity with Randy Armstrong of the OPC Foundation

January 18, 2022 ARC Advisory Group Season 4 Episode 11
Show Notes

Welcome back to another cybersecurity-focused episode of the ARC Digital Transformation Podcast. In this episode, we speak to Randy Armstrong, director of IT operations at the OPC Foundation. OPC has a very solid cybersecurity foundation and Randy has been at the center of this for some time, giving us an excellent summary of the many different layers of cybersecurity within OPC UA.

Security isn't something that was bolted on to OPC. From the beginning, security has been a primary concern. According to Randy,

"We wanted to have a standard that incorporated security as a first-class concept. From the beginning, every aspect of the specification is analyzed in terms of its impact on security, and has to be able to follow the conventions and the requirements that we've laid out for the overall framework. So by doing this, we've developed a standard that has a very cohesive, holistic view of security that shows up at different levels in the implementations."

Many of the concepts behind what's known today as "zero trust" already exist in OPC, such as advanced authentication schemes, including the use of PKI, application authentication, and more. According to Randy,

"What we built into the OPC UA infrastructure is this concept of application authentication. So every application that's installed on a particular node has a unique identifier and has a certificate assigned to it. And it will be configured to only allow communication with a finite number of other applications. And it's up to the administrators to decide who's allowed to trust who, and you have very fine-grained control. So you can have a cell on a factory floor with 10 machines, and those 10 machines would all be configured to talk to each other but nobody else. And this is going to be independent of the user credentials, which may determine what access somebody has when they're accessing the machine. So it's really two layers of authentication."
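To make the "two layers" concrete, here is a small Python model of what Randy describes. It is an added illustration written for these notes, not code from the episode, the OPC Foundation, or any OPC UA stack. Certificates are stand-in byte strings rather than real X.509, the cell of three machines, the application URIs, the user names and the `observer`/`operator` role map are all constructed, and the only piece taken from OPC UA itself is the convention of identifying a certificate in a trust list by the SHA-1 thumbprint of its DER encoding.

```python
"""Two layers of OPC UA-style authentication, as an added illustration.

Layer 1: application authentication - a peer's application instance
certificate must be in the local trust list, in both directions.
Layer 2: user authentication - only after layer 1 succeeds does the
user's credential decide what the session may do.

Everything here is constructed for the example: no real X.509, no real stack.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AppCertificate:
    """Application instance certificate (stand-in: URI plus constructed DER bytes)."""
    application_uri: str
    der: bytes

    @property
    def thumbprint(self) -> str:
        # OPC UA trust lists identify certificates by the SHA-1 thumbprint of the DER bytes.
        return hashlib.sha1(self.der).hexdigest()


@dataclass
class Application:
    """One OPC UA application on a node: its own certificate, trust list and user store."""
    cert: AppCertificate
    trusted_thumbprints: Set[str] = field(default_factory=set)
    # Assumption: a plain username -> role dict stands in for the server's user store.
    users: Dict[str, str] = field(default_factory=dict)

    def trust(self, other: "Application") -> None:
        """Administrator decision: allow this application to talk to `other`."""
        self.trusted_thumbprints.add(other.cert.thumbprint)

    def trusts(self, cert: AppCertificate) -> bool:
        return cert.thumbprint in self.trusted_thumbprints


# Constructed role map for layer 2; real deployments define their own roles.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "observer": {"read"},
    "operator": {"read", "write"},
}


def open_secure_channel(client: Application, server: Application) -> Tuple[bool, str]:
    """Layer 1: both sides must find the peer certificate in their own trust list."""
    if not server.trusts(client.cert):
        return False, f"server rejects {client.cert.application_uri}: not in trust list"
    if not client.trusts(server.cert):
        return False, f"client rejects {server.cert.application_uri}: not in trust list"
    return True, "secure channel established"


def create_session(client: Application, server: Application, username: str) -> Tuple[bool, Set[str]]:
    """Layer 2: user credentials are only consulted once the application layer passed."""
    channel_ok, _ = open_secure_channel(client, server)
    if not channel_ok:
        return False, set()
    role = server.users.get(username)
    if role is None:
        return False, set()
    return True, set(ROLE_PERMISSIONS[role])


def make_app(uri: str) -> Application:
    # Constructed stand-in for DER certificate bytes; unique per application.
    return Application(cert=AppCertificate(uri, f"CONSTRUCTED-DER:{uri}".encode()))


def build_cell(size: int = 3) -> List[Application]:
    """A cell of machines, each configured to trust every other member and nobody else."""
    machines = [make_app(f"urn:cell1:machine{i}") for i in range(1, size + 1)]
    for app in machines:
        for peer in machines:
            if app is not peer:
                app.trust(peer)
        app.users = {"alice": "operator", "bob": "observer"}
    return machines


def demo() -> Dict[str, object]:
    """Run the scenarios from the quote: cell members, an outside application, two users."""
    m1, m2, _ = build_cell(3)
    outsider = make_app("urn:site:unplanned-client")
    outsider.trust(m1)  # one-sided trust is not enough: m1 never trusted the outsider
    return {
        "member_channel": open_secure_channel(m1, m2)[0],
        "outsider_channel": open_secure_channel(outsider, m1)[0],
        "alice_permissions": create_session(m2, m1, "alice")[1],
        "bob_permissions": create_session(m2, m1, "bob")[1],
        "unknown_user": create_session(m2, m1, "mallory")[0],
        # valid user credentials do not help an application that failed layer 1
        "outsider_with_valid_user": create_session(outsider, m1, "alice")[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes is the one in the quote: the trust list decides which applications may talk at all, and a valid username on a rejected application changes nothing, because the user layer is never reached.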