Mr. Tom Burke, Global Director of Industry Partnerships for ICONICS, explains OPC UA security and how it is built into the ICONICS architecture.

Video Transcript

[0:00] Oliver Gruner, Corporate Account Director, Mitsubishi Electric

So, at this point, I'd like to invite Tom Burke. Tom is going to talk a little bit more about OPC UA security standards like Sparkplug B and will give you a great journey through what's important in the industry today. Thank you, Tom.

[0:22] Tom Burke, Global Director of Industry Partnerships for ICONICS

Thank you, Oliver, it's really a pleasure to be here at the ICONICS event. I had been to many ICONICS events over the years, but this is the first time that I actually worked for ICONICS and Mitsubishi in my role. So, as most of you know, I was the founder of OPC. So, I guess I'm the grandfather of OPC. And I invented it a long time ago, along with OPC UA. So, I'd like to talk about some of the key security concepts that really make OPC UA what I call secure by design. Basically, the whole concept, and I'll talk about two different triads. I'll talk about what's known as trusted information, and also, I'll talk about access control. And these are integral parts of the OPC UA architecture when we talk about secure by design. ICONICS was one of the key contributors to this whole architecture of what we've done with OPC UA for so many years. So, when I talk about CIA, I'm talking about the confidentiality of the information. I'm talking about maintaining the integrity. And I'm talking about maintaining the availability of information. And then we'll talk about the access control: who's allowed to access the information; how do I do the authentication; how do I do the logging and the accounting that are all part of that. So, this is when we'll talk about, like what Jim Desrosiers talked about earlier, this whole concept of information and securing information. It's very important that we can secure this information in a streamlined fashion and give the end users really what they want. And I'm proud to say ICONICS, with all the products we have, we've really designed the security, and specifically OPC UA, into the architecture.

[2:05]

So, the overall use of OPC UA security really enhances the whole overall system security. And it's not the whole story, but it's the integral part of the infrastructure that's so important to make this happen. So, if you take a look at how GENESIS64 works, and how it communicates with all the different connectivity options that we're talking about, the Mitsubishi devices here, we have the OPC UA server inside of the Mitsubishi device. GENESIS64 is the OPC UA client. And what I just talked about, those two pyramids, those two triangles: the application layer is at this one level that basically essentially eights, and it communicates all the authentication between the users and the applications back and forth. So, you've got control; there's no longer this ability to have an application connect up to something that you really shouldn't be allowed to connect to. And this is the whole basis of security; this is how you avoid a lot of those things. And on the communication layer, this is where you handle all the things related to the signing of messages and encryption and this whole authentication process. So, there are a lot of different transport layers that are underneath. And basically, OPC UA in combination with ICONICS, we build on top of all those transports to really take advantage of this and really make the whole infrastructure at both the application layer and the communication layer totally secure. A lot of the different things that happen that I was familiar with, and I remember when one of my colleagues came from the Department of Homeland Security, and she painted doom and gloom about security and scared the daylights out of me, and sent the wrong message in some ways, but then the whole message was, "Take care of this; make sure that you're secure in your infrastructure to begin with".

[4:00]

So, some of the types of attacks that we address basically with OPC UA, and now that's built into the ICONICS architecture, are things like message flooding. You want to minimize processing of packets before they are authenticated. You want to prevent eavesdropping, and you do that by basically encryption. And you're doing that where you're recording and capturing all the messages that are being exchanged between the client and the server. There have been lots of things where people have seen breaches of security that basically have been what are typically considered message spoofing, and essentially, the attacker forges a message, makes it look like it's somebody real. And next thing I've got my client sending something that really wasn't the right one, and they're changing the setpoint. And they're closing a valve when they shouldn't close the valve, and next thing you've got a catastrophic error. So, this is all the types of things that are addressed in the architecture. And the same thing as we can basically support the reliability through this whole thing called message alteration and replay. So, I capture the messages, I modify them, and I can resend them. And it's all built into the secure architecture of OPC UA that we talked about, making sure that we deal with malformed messages. So that you can discard messages that really aren't the right things accordingly.

[5:25]

So, these are the big things that are all part of OPC UA secure by design that ICONICS has built into the architecture. The next thing is, I'm pleased to talk about what I call the Device Explorer, which is our OPC UA server and all the feature functionality that it has, so this is integrated now. And it's licensed with GENESIS64. And it's got connectivity to so many different devices and networks out there that basically anything that's out there in the industry, we've got the right connectivity to. So, this is really the answer; what it solves is the problem of "I want to communicate to this device or I want to communicate to that device." And basically, you can buy this Takebishi Server, and it's purchased and licensed directly through ICONICS, and you activate the license through the ICONICS license utility as well. So, if you think about what GENESIS64 does, we need connectivity; we need the data. So, our connectivity solution really is the Takebishi architecture, specifically with Device Explorer. And again, it answers the question and allows us to get our foot in the door. So not only are we great with Mitsubishi, but we can also talk to Rockwell; we can talk to Siemens. We've got the ability to have connectivity to anything. And those are really the core things.

[6:48]

A lot of people are familiar with the whole Kepware architecture and KEPServer. I don't want to go into too much detail on this other than we've got the ability, if you're using Kepware now, to basically import all the things from Kepware directly into Takebishi. So, this basically eliminates a lot of roadblocks out there. "Well, we've been using Kepware forever, Tom, but now you want me to switch to Takebishi." We can make it easy for you. So that's all built into the thing. And our targets basically are to support everybody. And we want to basically migrate over any opportunity that we can that's using Kepware into Takebishi. There are a lot of good reasons behind that.

[7:30]

The other thing is I'm always asked to talk about this. "Well, you did OPC UA, Tom, but how does it work with MQTT? And how does it work with Sparkplug B?" And I want to talk a little bit about that. So, if you take a look at this whole thing that we talked about, IT/OT convergence, and what we're doing there, the importance is there are a lot of other architectures for communicating and pushing data between the IT and OT. And this whole concept of MQTT and what it does. Basically, it's a broker architecture. It allows devices underneath to actually push data to a broker or to a cloud. And then clients on the other side can actually basically subscribe to that to get data. So, it's just a little different than the typical OPC UA. OPC UA also builds on top of MQTT and Sparkplug B. So, there are a lot of different ways that you can make this thing work. But the big advantage of MQTT and Sparkplug B is basically it's a lightweight protocol. And it allows a lot of applications, basically in a lot of industries, specifically in oil and gas and water treatment, to really get a much more effective communication mechanism. So OPC UA is an open specification. Sparkplug B is an open specification. It was developed by a good friend of mine, Arlen Nipper, and I've had the opportunity to work with him for a long period of time. And again, we've now built this into the ICONICS architecture. So, we have OPC UA, we have MQTT, we have Sparkplug B. And we've got all these vehicles in that allow us to support both what's known as a client-server model, but also publish-subscribe. So basically, it's a secure, lightweight protocol that we're using. And that's the big thing. So, from a vendor interoperability standpoint, Sparkplug B is getting a lot of endorsement by a lot of different sensor guys, IO guys, because they're able to put this technology into the lower-level devices.
And when they do that, that gives you the capability of grabbing data from a lot of this IO or sensors basically, and really having pure MQTT interoperability. So that's the exciting thing about that. So, the sensors basically are secure. It's built into them with Sparkplug B; they can basically publish data to the broker and MQTT, and then the ICONICS suite is able to subscribe to that directly.

[10:01]

So, the interesting thing is somebody asked, "But MQTT?" MQTT is strictly a transport; Sparkplug B basically enhances that, and basically defines what's known as the payload, or the structure of the messages. So essentially, you can push structured data now from a lower-level sensor directly into the broker and then have ICONICS be able to access it. So, it's a pretty exciting thing that's happened with the architecture. And again, our goal, specifically, is to make sure that we're leveraging all the technical innovations that are out there. And the only thing we know for sure is, today is one thing; tomorrow is going to be different. So, we have to adapt. We have to look at the right technical innovation. There are a lot of other things that are going on in the world right now. We're talking about TSN. We're talking about 5G from a connectivity standpoint, and all those things basically between OPC UA and MQTT. And the importance of what we're doing with ICONICS, we will leverage all these innovations to basically give you connectivity. And guess what we're doing. We're going to bridge the gap and basically have the OT-to-IT convergence and get information up to and back and forth.