OPC UA (IEC 62541 standard) is an industrial communication protocol that addresses the growing cybersecurity challenges associated with the deployment of Industry 4.0.


Industry 4.0: OPC UA and IIoT security

With the rise of Industry 4.0, industrial environments have undergone extensive digitalization. The boundaries between Information Technology (IT) and Operational Technology (OT) have gradually disappeared, leading to centralized control of industrial systems.

In this context, cyberattacks have become a major threat. Consequently, the industry has started replacing legacy systems with open, standardized communication protocols that meet modern cybersecurity requirements, as outlined, for instance, in the 2013 French Military Programming Law (LPM).

OPC UA (IEC 62541 standard) plays a central role in this transition. It is:

  • Recognized as the reference communication standard for Industry 4.0 and the Industrial Internet of Things (IIoT)
  • Open, standardized, and platform-independent
  • Maintained by the OPC Foundation

These characteristics make OPC UA especially suitable for addressing cybersecurity requirements in industrial environments. It is already deployed across key sectors such as automotive, rail, aerospace, and energy.

The OPC Foundation provides guidelines for implementing security when developing OPC UA-based applications.

Security is natively built into the OPC UA specification and is based on mechanisms that have been thoroughly analyzed by the German Federal Office for Information Security (BSI).

In France, the National Cybersecurity Agency (ANSSI) has supported the INGOPCS project, which aims to develop an open-source and certifiable implementation of OPC UA.

Deployment of OPC UA in industrial systems

OPC UA was initially adopted in SCADA systems using a client-server architecture. Today, it supports a wide range of use cases thanks to its flexible communication paradigms (Client/Server and PubSub) and support for multiple transport protocols such as TCP, UDP, MQTT, and HTTPS.

  • The Client/Server model enables point-to-point, connected communication, where the server exposes a data model and the client invokes services.
  • The PubSub model allows for connectionless, message-based communication, where Publishers send data to one or more Subscribers.

The PubSub model also allows OPC UA to be deployed at the field level, including controllers, sensors, and embedded systems, which require low-latency and optimized communication over deterministic local networks. It also facilitates direct integration with cloud infrastructures.

OPC UA security mechanisms

Client/Server communication security in OPC UA is based on the exchange of signed X.509 certificates. This provides integrity control, encryption, authentication, authorization, and auditing capabilities.

PubSub communication security relies on symmetric key encryption and message signing. Key management is handled by dedicated servers known as Security Key Services (SKS), which manage the distribution and lifecycle of cryptographic keys.
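The SKS model described above can be made concrete with a small simulation. The following Python is an added illustration written for this page; it is not S2OPC code and does not reproduce the OPC UA wire format. It models one security group: a toy Security Key Service issues and rotates symmetric keys identified by a token id, the publisher signs each message with the current key and tags it with that id, and the subscriber looks the key up by id and verifies the signature before accepting the payload. Real OPC UA PubSub also encrypts the payload (for example with AES-CTR in the PubSub-Aes256-CTR profile) and carries a nonce; only HMAC-SHA256 signing is shown, using the standard library. The class and function names (SecurityKeyService, publish, subscribe) and the header layout are assumptions of this example.

```python
"""
Simplified model of OPC UA PubSub message protection with an SKS.
Constructed example, not S2OPC or OPC Foundation code.
"""
import hashlib
import hmac
import os
import struct


class SecurityKeyService:
    """Toy SKS for one security group: issues keys and rotates them."""

    def __init__(self, key_bytes=32):
        self._keys = {}        # token_id -> symmetric key
        self._current = 0
        self._key_bytes = key_bytes
        self.rotate()

    def rotate(self):
        """Generate the next key. Older keys stay available for a while so
        messages in flight during rollover still verify."""
        self._current += 1
        self._keys[self._current] = os.urandom(self._key_bytes)
        return self._current

    def get_keys(self, max_past=1):
        """What a subscriber fetches from the SKS: the current token id and
        the keys for the current and recent tokens."""
        ids = [t for t in sorted(self._keys) if t >= self._current - max_past]
        return self._current, {t: self._keys[t] for t in ids}


# Assumed header layout: 4-byte token id, 4-byte payload length, then payload
# and a 32-byte HMAC-SHA256 over header + payload.
HEADER = struct.Struct("!II")
MAC_LEN = 32


def publish(keys, current_token, payload: bytes) -> bytes:
    """Sign a payload with the current key and tag it with the token id."""
    key = keys[current_token]
    header = HEADER.pack(current_token, len(payload))
    mac = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + mac


def subscribe(keys, message: bytes):
    """Return the payload if the signature verifies under a known key,
    otherwise None (unknown token id, truncated message or bad MAC)."""
    if len(message) < HEADER.size + MAC_LEN:
        return None
    token, length = HEADER.unpack_from(message)
    body_end = HEADER.size + length
    if body_end + MAC_LEN != len(message):
        return None
    key = keys.get(token)
    if key is None:
        return None  # SecurityTokenId not known: key expired or never fetched
    expected = hmac.new(key, message[:body_end], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message[body_end:]):
        return None
    return message[HEADER.size:body_end]


def demo():
    """Walk through accept, tamper, stale subscriber and refreshed subscriber."""
    sks = SecurityKeyService()
    cur, pub_keys = sks.get_keys()
    _, sub_keys = sks.get_keys()            # subscriber fetched keys once

    msg = publish(pub_keys, cur, b"temperature=21.5")
    accepted = subscribe(sub_keys, msg)     # valid signature

    tampered = bytearray(msg)
    tampered[HEADER.size] ^= 0x01           # flip one payload bit
    rejected = subscribe(sub_keys, bytes(tampered))

    new_cur = sks.rotate()                  # SKS rolls the key over
    _, pub_keys2 = sks.get_keys()           # publisher refreshes
    msg2 = publish(pub_keys2, new_cur, b"pressure=3.1")
    stale = subscribe(sub_keys, msg2)       # subscriber still holds old keys only

    _, sub_keys2 = sks.get_keys()           # subscriber refreshes from the SKS
    fresh = subscribe(sub_keys2, msg2)
    return accepted, rejected, stale, fresh


if __name__ == "__main__":
    print(demo())
```

The rollover step is the part worth studying: a subscriber that has not refreshed its keys from the SKS silently drops messages signed under the new token, which is why key lifetime and refresh timing are part of the SKS's responsibility and not just key distribution.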

Systerel: a key player in the OPC UA ecosystem

For over 15 years, our company has developed strong expertise in the OPC UA standard through multiple implementations of OPC UA technology in industrial contexts.

Systerel is:

  • A member of the OPC Foundation
  • A member of the OPC UA Hub France, hosted by GIMELEC
  • A member of GIMELEC’s Cyber OT Club
  • Active in several working groups focused on the development and adoption of OPC UA
  • Recognized by the OPC Foundation, which acknowledges several of our engineers as experts in data modeling, security, and deployment
  • The developer of the S2OPC library
  • A provider of training programs on OPC UA technology

S2OPC: a secure open-source implementation of OPC UA

Systerel has developed S2OPC, an open-source OPC UA stack.

  • It is compliant with version 1.04 of the standard, as validated by the OPC Foundation.
  • ANSSI awarded S2OPC the CSPN security certification, which BSZ in Germany also recognizes.

Designed for critical industrial environments such as energy, transportation, and defense, S2OPC combines a minimal memory footprint, real-time performance, and high scalability.
