An OPC UA based approach for dynamic configuration of security credentials and integrating a vendor independent digital product memory
Result of the joint research project SecurePLUGandWORK, funded by the Federal Ministry of Education and Research (BMBF)
Marco Blume (1), Nils Koch (2), Jahanzaib Imtiaz (2), Dr. Holger Flatt (2), Prof. Dr. Jürgen Jasperneite (2), Dr.-Ing. Miriam Schleipen (3), Dr.-Ing. Olaf Sauer (3), and Steffen Dosch (4)
(1) WIBU-Systems AG, Rüppurrer Str. 52-54, 76137 Karlsruhe, Germany, marco.blume@wibu.com
(2) Fraunhofer IOSB-INA, Application Center Industrial Automation, Langenbruch 6, 32657 Lemgo, Germany, {nils.koch, jahanzaib.imtiaz, holger.flatt, juergen.jasperneite}@iosb-ina.fraunhofer.de
(3) Fraunhofer IOSB, Information Management and Production Control, Fraunhoferstr. 1, 76131 Karlsruhe, Germany, {miriam.schleipen, olaf.sauer}@iosb.fraunhofer.de
(4) wbk Institute of Production Science, Kaiserstr. 12, 76131 Karlsruhe, Germany, steffen.dosch@kit.edu
Outline
- Introduction & Motivation
- State of the art: OPC UA, Digital Product Memory
- Security aspects of Plug & Work Systems
- Proposal of a Communication Architecture for Secure Plug & Work Automation Systems
- A Prototype Secure Plug & Work I/O Field Device as a Case Study
- Conclusion
Introduction & Motivation
- High configuration effort of systems
- When integrating a component, the system needs to know its type and skills
- Solution: enable auto-configuration
- Challenge: integrate components coming from different vendors
- In a multi-vendor environment an open and standardized component integration is needed!
- Goal: create a vendor neutral architecture based on existing standards
OPC Unified Architecture
Digital Product Memory
- A digital product memory (DPM) stores relevant production data during the life cycle of a product
  - provides better diagnosis
  - enables an optimized, seamless production
- Realized by placing either an active electrical memory or a passive identifier on the product
- An active DPM can also enable intelligent product and device management
- An OPC UA based vendor neutral interface enables the data exchange of DPMs with intelligent environments
Security aspects of Plug & Work Systems
- Plug & Work systems require a new view on the security of the transported information
- The bidirectional communication flow opens up new cyber-physical attacks:
  - The user might manipulate logged data to claim warranty
  - A displeased employee might manipulate sensor values to disturb or sabotage the plant or production
  - A competitor might be interested in the parameters set in the component
- Data integrity and IP protection would therefore be a requirement for a vendor neutral communication interface
How to enable auto-configuration?
- The component knows its properties and skills and communicates them during startup
- Realization of a digital product memory (DPM): the component can be monitored during its life cycle
- Two separate communication channels:
  - Real-time channel for control (e.g. PROFINET)
  - Time-uncritical channel for configuration data and for recording operation data (OPC UA)
- Each component is equipped with an OPC UA server
- Use of security dongles for keys and certificates
Requirements for a component
- OPC UA server
- Digital product memory
- Network access
- Security (data must not be read or changed by third parties)
- Possibility to plug in a security dongle
- Processing of sensors and actuators
- Real-time communication to the PLC
Proposal of a Communication Architecture
- OPC UA-based architecture solution
- Dynamic configuration of security credentials
- Vendor neutral exchange of information from a digital product memory
- Keys are stored in a secure space
- Communication to a higher level authority
- AutomationML-based device model ported to the UA address space
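As an added example (not code from the SecurePLUGandWORK project), the following Python maps a constructed AutomationML (CAEX) device description onto OPC UA-style Object and Variable nodes, the way the architecture slide proposes porting the AutomationML device model into the UA address space; the CAEX fragment, the NodeIds in namespace index 2 and the browse names are assumptions made for this demo.

```python
# Added example (not the project's code): map a constructed AutomationML/CAEX device model
# onto OPC UA-style nodes as the slides propose; fragment, node ids (ns=2), names are constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional
CAEX = """<CAEXFile FileName="io_device.aml" SchemaVersion="2.15"><InstanceHierarchy Name="Plant">
  <InternalElement Name="IoDevice" ID="dev-1">
   <Attribute Name="OperatingHours" AttributeDataType="xs:int"><Value>1280</Value></Attribute>
   <InternalElement Name="DigitalInput1" ID="din-1">
    <Attribute Name="Inverted" AttributeDataType="xs:boolean"><Value>false</Value></Attribute>
   </InternalElement>
  </InternalElement>
</InstanceHierarchy></CAEXFile>"""
# CAEX AttributeDataType -> (OPC UA built-in type, converter for the text value)
UA_TYPES = {"xs:string": ("String", str), "xs:int": ("Int32", int),
            "xs:boolean": ("Boolean", lambda v: v.strip().lower() == "true")}
@dataclass
class UaNode:
    node_id: str                # e.g. "ns=2;i=3"
    browse_name: str
    node_class: str             # "Object" (InternalElement) or "Variable" (Attribute)
    parent: Optional[str]       # HasComponent for objects, HasProperty for variables
    data_type: Optional[str] = None
    value: object = None
def caex_to_ua(xml_text: str, ns_index: int = 2) -> Dict[str, UaNode]:
    """InternalElement -> Object node; each Attribute -> typed Variable node under it."""
    nodes: Dict[str, UaNode] = {}
    def visit(elem: ET.Element, parent_id: Optional[str]) -> None:
        obj_id = f"ns={ns_index};i={len(nodes) + 1}"   # sequential numeric NodeIds
        nodes[obj_id] = UaNode(obj_id, elem.get("Name"), "Object", parent_id)
        for attr in elem.findall("Attribute"):
            ua_type, conv = UA_TYPES.get(attr.get("AttributeDataType"), ("String", str))
            var_id = f"ns={ns_index};i={len(nodes) + 1}"
            nodes[var_id] = UaNode(var_id, attr.get("Name"), "Variable", obj_id,
                                   ua_type, conv(attr.findtext("Value", default="")))
        for child in elem.findall("InternalElement"):
            visit(child, obj_id)
    for ie in ET.fromstring(xml_text).findall("./InstanceHierarchy/InternalElement"):
        visit(ie, None)
    return nodes

def browse(nodes: Dict[str, UaNode], path: str) -> Optional[UaNode]:
    """Resolve a browse path such as 'IoDevice/DigitalInput1/Inverted' to its node."""
    parent_id = None
    for name in path.split("/"):
        node = next((n for n in nodes.values() if n.parent == parent_id and n.browse_name == name), None)
        if node is None:
            return None
        parent_id = node.node_id
    return node
```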
Case Study (Secure Plug & Work I/O Field Device)
- Intelligent I/O device to flexibly plug components into and out of a system
- BeagleBone Black as an evaluation platform
- TPS-1: PROFINET-based real-time communication
- Infrastructure services to orchestrate the dynamic configuration and seamless integration
[Block diagram of the device: CodeMeter dongle, BeagleBone Black (security / OPC UA, hosting the digital product memory and the OPC UA server) and TPS-1 (PROFINET integration, PROFINET/Ethernet over two RJ45 ports); interfaces labelled USB, SPI, GPIO and AIN; digital actuators, digital sensors and analog sensors attached]
Core Components (CodeMeter Dongle / Security)
- Two important factors which often make the use of encryption complicated:
  - The secure rollout and distribution of keys and certificates
  - The secure storage of keys and certificates
- Solution:
  - License Central (LC) and a central Certificate Authority (CA)
  - CodeMeter dongle with its integrated smart card chip
Core Components (BeagleBone as a development platform)
- BeagleBone Black is a small, flexible single-board computer running a 1 GHz ARM CPU and 512 MB of RAM
- Many digital I/Os
- Analog-to-digital converter
- Expandable using additional boards (so-called capes)
- Linux as the operating system; kernel patches available to enable real-time scheduling
- Sufficient resources to run the complete Standard OPC UA Server Profile
Core Components (Enhanced Custom Cape)
- Requirement: transform the GPIO voltage (3.3 V) to industrial-conform values
- Eight inputs (TTL, CMOS, LV logic, 24 V)
- Eight outputs (30 W)
- 4 analog inputs up to 10 V
- CAN interface
- SPI interface
- I²C interface
- PROFINET support (using the TPS-1 µ-board by OWITA)
[Oscilloscope trace: excite signal (TTL logic, 1.5 V per div), emitted signal (24 V logic, 12 V per div) and the signal of a neighboring channel (0.1 V per div); time base 10 ms]
Conclusion
- A hybrid approach using a real-time channel for the control loop and an OPC UA-based best-effort channel is possible:
  - Configures and exchanges security-related digital certificates
  - Provides a vendor neutral interface to a digital product memory
  - Enables auto-configuration by the use of a DPM
  - Supports a live view of the sensor data without interfering with the real-time part of the system
- One of the challenges of the Industry 4.0 IT architecture is the ability to adapt to changes
- An OPC UA-based architecture would be an enabler for a flexible, scalable, secure and standards-based integration of distributed automation system components.