Abstract for those in a hurry…
Secure data exchange between the production and management levels is still something of a minefield, with many technical and security issues to negotiate. Middleware has established itself as a key component in integrating the OT and IT domains. The following post looks at secure cross-company communication through an OPC UA-based solution from Softing.
Establishing truly secure and reliable data exchange is an increasingly fraught topic for integrators of production and management systems. Network complexity grows as more and more OT and IT applications join the fray, and with it the data transfer volume and the effort needed for installation, setup and maintenance. Increasingly, parts of this infrastructure run on public cloud platforms, which must be shielded against external attack.
Faced with Industrie 4.0 and the Industrial IoT, businesses need ways to migrate their siloed applications to coherent, integrated solutions. Steps have therefore been taken to link enterprise resource planning (ERP) systems and manufacturing execution systems (MES) with existing production components. The OPC UA (Unified Architecture) standard has established itself as the enabling technology for seamless data transfer between these subsystems, allowing the production (operational technology, OT) and management (information technology, IT) domains to be tightly coupled. One of the more recent OPC UA extensions, OPC UA PubSub (Publish/Subscribe, Part 14 of the specification), builds on this by offering an elegant solution for interoperability between separate control systems.
Yet network complexity, and with it the volume of data, rises steeply with the number of OT and IT applications involved, and the effort for installation, configuration and maintenance rises with it. Further issues are the global distribution of production and cross-company networking, which open up potential weak points for data theft.
Industry bodies such as the Plattform Industrie 4.0 have been tackling this topic. The group's position paper "Secure cross-company communication with OPC UA" offers a number of solution strategies and highlights the advantages of an aggregating server. Softing Industrial addresses this strategy with its dataFEED Secure Integration Server middleware component. This provides an abstract interface between the OT and IT domains based on the OPC UA standard, which it uses for two purposes: interface abstraction and data aggregation.
Interface abstraction absorbs changes or extensions within one domain (OT or IT) so that no modifications are needed in the other. A new IT application can be integrated into the overall solution without changing the OPC UA interface at the OT end, and IT applications need not be adjusted to match changes on the production side, as long as the OPC UA interface implemented in the middleware is kept unmodified. IT applications and platforms can therefore be chosen to exploit the short innovation cycles in IT while reducing the integration effort, and changes within OT can be made without going back to the IT integration drawing board.
Data aggregation consolidates data from multiple sources on a single OPC UA server. Because IT applications only need to access this one server, the underlying communication infrastructure is simpler, and only this one endpoint has to be reachable from the IT side rather than every individual OT data source. Another key benefit is the time saved in configuration, since a separate configuration is no longer needed for each OPC UA data source and each OPC UA client.
All of the fundamental mechanisms a comprehensive security model needs for management, policies and monitoring are consolidated and centralized by dataFEED Secure Integration Server. To tighten security further, the solution also supports whitelists and blacklists (allow and deny lists) that control data access by source IP address, plus the detection of Denial of Service (DoS) attacks targeting OPC UA authentication. IP-based lists are a coarse control and complement, rather than replace, the certificate-based application authentication that OPC UA itself provides. Each application is granted its own access permissions, and filters can restrict those rights further. As a result, each OPC UA client application is bound to a single, exclusively approved address space and may only use the individual data items in that space through the services it has been granted. This applies to services such as reading, writing, browsing and subscribing.
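The following is an added example, written for this post and not code from Softing or from dataFEED Secure Integration Server. It models the behaviour the preceding paragraphs describe in a small Python policy engine: an aggregated address space built from two OT sources, one exclusively approved subspace per client, per-service permissions, IP allow and deny lists, and a sliding-window detector that blocks a source IP after repeated authentication failures. All node ids, client names, networks and thresholds are constructed for illustration; a real deployment would take them from the server's configuration.

```python
"""Toy access-policy model for an aggregating OPC UA gateway (constructed example)."""
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Deque, Dict, List, Optional, Set, Tuple


class Service(Enum):
    READ = "read"
    WRITE = "write"
    BROWSE = "browse"
    SUBSCRIBE = "subscribe"


# Constructed sample: two OT sources consolidated into one aggregated address space.
# Keys are the node ids IT clients see; values are (source server, source node id).
AGGREGATED_SPACE: Dict[str, Tuple[str, str]] = {
    "ns=2;s=Line1/Temperature": ("plc-line1", "ns=1;s=T1"),
    "ns=2;s=Line1/Setpoint": ("plc-line1", "ns=1;s=SP1"),
    "ns=2;s=Line2/Temperature": ("plc-line2", "ns=3;i=1001"),
}


@dataclass
class ClientPolicy:
    name: str
    allowed_nodes: Set[str]                  # the only address space this client may use
    allowed_services: Set[Service]
    ip_allow: List[ipaddress.IPv4Network] = field(default_factory=list)  # empty = any
    ip_deny: List[ipaddress.IPv4Network] = field(default_factory=list)


class AuthFloodDetector:
    """Flags a source IP once it exceeds `limit` failed authentications within `window` seconds."""

    def __init__(self, limit: int = 5, window: float = 60.0) -> None:
        self.limit, self.window = limit, window
        self._failures: Dict[str, Deque[float]] = {}

    def record_failure(self, ip: str, now: float) -> bool:
        q = self._failures.setdefault(ip, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop events outside the sliding window
            q.popleft()
        return len(q) > self.limit


class Gateway:
    def __init__(self, policies: List[ClientPolicy], detector: AuthFloodDetector) -> None:
        self.policies = {p.name: p for p in policies}
        self.detector = detector
        self.blocked: Set[str] = set()

    def on_auth_failure(self, ip: str, now: float) -> bool:
        """Returns True (and blocks the IP) when the failure rate looks like a DoS or guessing attack."""
        if self.detector.record_failure(ip, now):
            self.blocked.add(ip)
            return True
        return False

    @staticmethod
    def _ip_permitted(policy: ClientPolicy, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in policy.ip_deny):
            return False
        return not policy.ip_allow or any(addr in net for net in policy.ip_allow)

    def authorize(self, client: str, ip: str, service: Service,
                  node: str) -> Tuple[bool, str, Optional[Tuple[str, str]]]:
        """Decides one request. Returns (allowed, reason, source target or None)."""
        if ip in self.blocked:
            return False, "ip blocked after authentication flood", None
        policy = self.policies.get(client)
        if policy is None:
            return False, "unknown client", None
        if not self._ip_permitted(policy, ip):
            return False, "ip not permitted for this client", None
        # An unknown node and a node outside the client's subspace get the same answer,
        # so a client cannot enumerate the rest of the aggregated space via error codes.
        if node not in policy.allowed_nodes or node not in AGGREGATED_SPACE:
            return False, "node not in client's address space", None
        if service not in policy.allowed_services:
            return False, f"service {service.value} not granted", None
        return True, "ok", AGGREGATED_SPACE[node]


def build_demo_gateway() -> Gateway:
    """Constructed policies: an MES with write access to Line1 only, a read-only cloud dashboard."""
    mes = ClientPolicy(
        name="mes-app",
        allowed_nodes={"ns=2;s=Line1/Temperature", "ns=2;s=Line1/Setpoint"},
        allowed_services={Service.READ, Service.WRITE, Service.BROWSE, Service.SUBSCRIBE},
        ip_allow=[ipaddress.ip_network("10.1.0.0/16")],
    )
    dashboard = ClientPolicy(
        name="cloud-dashboard",
        allowed_nodes={"ns=2;s=Line1/Temperature", "ns=2;s=Line2/Temperature"},
        allowed_services={Service.READ, Service.SUBSCRIBE},   # read-only: no write, no browse
        ip_deny=[ipaddress.ip_network("192.168.0.0/16")],
    )
    return Gateway([mes, dashboard], AuthFloodDetector(limit=3, window=60.0))


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.authorize("mes-app", "10.1.5.20", Service.WRITE, "ns=2;s=Line1/Setpoint"))
    print(gw.authorize("cloud-dashboard", "203.0.113.7", Service.WRITE, "ns=2;s=Line1/Temperature"))
    for t in (0.0, 1.0, 2.0, 3.0):
        print("flood detected:", gw.on_auth_failure("198.51.100.5", t))
```

The order of the checks matters: the blocked-IP test runs before any policy lookup so a flooding source is rejected as cheaply as possible, and the address-space check returns the same reason for "no such node" and "not your node" so that error codes do not leak the layout of the aggregated space to a client that was only approved for part of it.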
The degree of data security provided by dataFEED Secure Integration Server corresponds to the security functions anchored in the OPC UA standard, with dataFEED SIS implementing Internet security standards across three separate layers:
dataFEED Secure Integration Server centralizes all connections at a single instance. Users can monitor all active security features in one place, which makes managing their Industrie 4.0 solution both simple and secure.
Do you have further questions on this topic? We are happy to help you. Please contact us!