OPC Technical Advisory Council Blog
OPC UA Security Successes

As many readers might be aware, the team at Digital Bond has conducted a security assessment on the OPC UA protocol, SDK and source code. They have recently posted some of the positive findings that will be part of their final report. The full details can be found here. I’ve included some of the more noteworthy remarks and recapped the major findings:

Noteworthy quotes:

 “…there are numerous examples of positive findings and text in the report. In fact, there is no comparison between the security in OPC UA and the security of any other control system protocol, with the possible exception of Secure DNP3 and its IEC equivalent. The OPC Foundation should be commended for their security efforts and pressure should be applied to other protocols to step up.”

“the current profiles have leveraged existing, vetted crypto primitives and algorithms rather than try to tackle the difficult process of developing a new security algorithm”

“[the OPC UA SDK code]  is among the cleanest code Digital Bond has seen in the control system space. The code is well written, easy to follow and contains good use of comments.”

“The security event logging required by the specification will be a fantastic help to attack detection and after incident analysis. It is the best the Digital Bond team has seen in this space by far.”

The major positive security findings include:

  • Options for the use of encryption for confidentiality and signatures for source authentication and integrity, which means the protocol has ‘built-in’ security
  • OPC UA uses a profile approach for specifying functionality including the crypto algorithms and key lengths. This provides flexibility and extensibility. Additionally, the current profiles have leveraged existing, vetted crypto primitives and algorithms.
  • The OPC UA SDK code base is surprisingly clean of vulnerabilities for a code base of its size. Many common coding errors were not found and there are a number of well-written OPC wrappers of common C functionality. Comments in the code remind developers to use safe functions.
  • Excellent security event logging requirements by the specification.

Of course the whole point of security assessments is to highlight findings that could lead to vulnerabilities, and we know that the Digital Bond team has found some. The reason the OPC Foundation so strongly supports this initiative is to find and correct these issues before they make their way into live systems. Many of the findings have already been or are in the process of being addressed. A lot of folks have put a lot of effort into ensuring the OPC UA specification stands up to its promise of being secure. Those efforts are clearly paying off in the form of a solid specification.

Simple Facts on OPC UA

Some interesting things have been happening with OPC UA over the last few weeks while I was vacationing. One of them is the whitepaper/OPC UA book excerpt, which gives some background on the perceived complexity of OPC UA. Is OPC UA complicated? The answer to that seems to differ from person to person based on their point of view. The whitepaper talks in more detail about what is involved with OPC UA and why some people consider it complicated. Here’s my take on the whole thing:

Is OPC UA complicated to use? No. OPC UA has all the familiar concepts from classic OPC: Client/Server architecture, browsable address space, data subscriptions, read/write operations. For the most part, end users will not see a difference, except that OPC UA now offers additional standardized functionality like security, redundancy, richer browsing and data organization, and access to more server information and diagnostics. Users of the classic OPC interfaces did not need to know the full details of COM/DCOM or the functionality of the proxy components. Similarly, with OPC UA, users will not need to understand the details of security certificate handling, wire transport encoding or bulk interface transactions.

Is OPC UA more complicated than OPC DA? In a word, yes. OPC UA stands for Unified Architecture, which means it covers all aspects of classic OPC, including real-time, history, alarms, batch, security, commands and OPC XML. It is supposed to be more encompassing than simply an OPC DA replacement. There are multiple reasons we’ve created a new architecture:

  • Microsoft has deemphasized COM in favor of cross-platform capable Web Services and SOA (Service Oriented Architecture)
  • OPC Vendors want a single set of services to expose the OPC data models (DA, A&E, HDA ...)
  • OPC Vendors want to implement OPC on non-Microsoft systems, including embedded devices
  • Other collaborating organizations need a reliable, efficient way to move higher level structured data

In addition to these goals, the standards must also be industrially reliable and performant, meet security requirements of today’s systems AND provide a manageable migration path for the countless thousands of classic OPC installations.  I fully understand why someone comparing the OPC UA to the OPC DA 2.05 documentation would say OPC UA is complicated.

Is OPC UA complicated to implement? No. The caveat to that is: when using the OPC Foundation supplied SDK or other toolkits. Anyone trying to develop a fully featured OPC UA server from ground zero would consider it complicated. Another caveat would be that the more Profiles an application supports, the more complicated the server development becomes. An OPC UA server that meets the profile for serving real-time data from an embedded device would be undeniably less complex than an OPC UA server that meets the profiles for real-time, historical and events as well as multiple security options and full query support for an enterprise-wide address space. However, these two OPC UA applications will still interoperate in a standard way. That means they both rely on a standardized architecture and a core set of services. The whitepaper/book excerpt touches on some of these, such as secure connections and publish mechanisms. The reason the OPC Foundation provides the SDK, wrappers, sample code, etc. is to ensure these common framework components are implemented properly.

Boiled down, OPC UA can be considered a standardized set of web services designed to meet the needs of industrial automation. Web services should not be confused with Web applications in that they involve application-to-application communication, and are not intended to be accessed via a Web browser. Web delivery of process and business data enhances collaboration between work groups and multi-location plants across the enterprise. OPC UA can be considered the industrial automation equivalent of web services used in Supply Chain Management, Customer Relationship Management, Enterprise Application Integration and a plethora of other software services designed to facilitate optimal decision-making at all levels. Every vendor, customer, application writer and developer in the SOA space will tell you they have a simpler answer to web service integration of the enterprise. 10 years ago there were those who said Windows, DCOM and client/server architecture was too complicated, yet OPC has far and away proven itself to be the solution to control application integration.

 

The simple fact is OPC UA is the right answer to the industrial automation integration needs of today and tomorrow. The many OPC Foundation members who are developing and releasing products and actively supporting the OPC UA initiatives know this and are making it happen.

More OPC UA Events in Deutschland and Elsewhere

The OPC UA opportunities for facilitating OPC UA adoption continue, this time in Europe, Germany to be precise.

Looking to start developing OPC UA products? Then the European session of the highly popular OPC UA Developers Conference and Workshop, slated for October 27-31 in Munich, Germany is the place to be. The week-long event really has two separate focuses. The first two days are the Developer Conference, which is more of a higher level overview of what OPC UA is and its current state. Limit 95 participants. The following three-day Developer Workshop is really a training event targeted specifically for product developers. The first day covers the details of OPC UA and the next two full days cover specific instructions using either C++ / ANSI C or .NET programming. This course is hands-on development on building OPC UA servers and clients. The workshop is limited to 25 participants per track (50 total) and attendance will be on a first-come, first-served basis. With OPC UA in high gear and the next round of Released specifications and updated codebase due in mid-August, the rush will be on. Don’t delay and get registered now. The deadline is Oct 10th, but I suspect it will fill long before then. For full details on pricing, hotels, etc. go here.

For those on this side of the pond looking to find out what OPC is all about, the fall sessions of the OPC Foundation Roadshows are starting up soon. The next session is in Milwaukee, WI on September 4th. Details and registration here. I’ve said it before, and I’ll say it again: these events are a great opportunity to learn about OPC, how to use the technology and best practices for implementing, as well as a chance to talk with industry experts from the numerous vendor sponsors.

Lots of things are happening on the OPC UA front. There are more updates to the OPC UA SDK, sample code and other redistributables. You can find the latest downloads here.

OPC UA Parts 1 - 8 Available for Final Review
The latest Release Candidate versions for Parts 1 - 8 of the OPC Unified Architecture Specification have recently been posted and are available for download and review by all OPC Foundation members. The Technical Advisory Council has also been asked to make a final review and approve their release by August 16, 2008. Reviewers may submit written comments (or commented versions of the docs) by sending them to UAcommentsATopcfoundation.org (replace the AT with @ to make the real address).
 
Come for the Beer, Stay for the OPC Interoperability Testing

It’s getting near Oktoberfest time again. This year’s keg tapping festivities run from September 20th - October 5th. Since you are already in Germany (and most likely in a very good mood), it’s just a short trip to Nuremberg to keep the fun going with the OPC Foundation’s European Interoperability Workshop 2008. This workshop is in Nürnberg, Germany and runs from 1:00 PM on Monday, October 6th through Noon on Friday, October 10th.

Of course, since OPC Interoperability Sessions are such an event in their own right, I’m sure many will choose to skip the crowded beer gardens in order to be bright-eyed and bushy-tailed for the OPC connectivity testing.

As always, OPC Foundation members are encouraged to use this opportunity to validate their products and correct any interoperability problems. This year's session will allow up to a maximum of 40 vendors to validate Data Access (V1, V2 and V3) interoperability, XML-DA, Alarms and Events and Historical Data Access. In order for a DA Client to qualify to use the new 'Self-Tested' logo, the product must be tested at an Interoperability Workshop with other DA Servers and it must pass a supervised test with the OPC Analyzer. The interoperability workshops will be the only venue where clients are tested with the Analyzer, so this is your chance to qualify for the new logo. In order to greatly improve your chances of passing, DA client vendors should download the OPC Analyzer and test their clients themselves beforehand.

All the details on registration, location, hotel information and agenda can be found here.  Note that attendees are encouraged to make reservations by September 08, 2008 after which the hotel will release the rooms for sale to the general public.

Whether or not your travel plans include foamy mugs and friendly fräuleins, make sure they do include OPC Interoperability testing.

OPC UA Vendor Survey

A while back the OPC Foundation conducted a survey of OPC vendors on their knowledge and plans for OPC UA, and those of their customers.  The results are out, so here are some comments on them…

 

The first question dealt with what sort of issues most customers are facing with classic OPC; DCOM, security, cross-platform, lack of integration, etc.   I’ve always said that the OPC UA adopters seem to fall into three basic categories:  Those who… 1)  want to get rid of DCOM  2)  want to be on Non-Windows platforms  and 3) want an integrated, enterprise connectivity solution.  Usually in that order.   The questionnaire results back that thinking, with the most popular reasons being DCOM, Reliability and Windows Security related problems.  The next major grouping related to non-Windows and Embedded OS support.   Enterprise integration and richer information models rounded out the feature set customers are looking for.

 

Not surprisingly, the results on vendor awareness of the OPC UA specifications, existing OPC UA products and available training courses and webinars were all overwhelmingly positive.  Seems the OPC UA message is getting out loud and clear.

 

The remaining questions focused on the development platforms and transport options vendors are looking to support. The numbers planning on using C#/.NET versus C/C++ or Java reflected similar numbers to the earlier question on issues. Most vendors will continue to target Microsoft platforms, with strong support showing for cross-platform languages. In terms of transport options, it’s not surprising that most vendors plan to support both the high-performance binary methods, as well as the more flexible XML/HTTP type implementations.

 

The survey results not only show the OPC UA deliverables are in synch with vendor expectations, they are also backed up by solid actions. The recent OPC UA Developers Workshop and Plug-fest were both maxed out on seating capacity. The Workshop was so popular that another one, to be held in Europe shortly, is already being planned. If you missed out on the first one, your next chance is coming soon.

 

Of course the biggest indication of OPC UA support is the products that have been or are soon to be released. Off the top of my head I know of OPC UA products from ABB, ICONICS, Kepware, Matrikon and Softing. There are others as well (if I missed your company, drop me a comment and I’ll stick you on the list :) ).

 

The point is OPC UA technology is here and being adopted.  Where is your company on the adoption curve?

OPC UA SDK Latest Release Now Available

The latest version of the OPC UA SDK (Software Development Kit) version 1.00.215.2 Beta is now available for download.  The OPC UA SDK is a set of interfaces, libraries and executables that allow developers to quickly create UA applications with the .NET programming environment, including:

  • Implementations of the XML Web Services and UA Native Binary stack profiles
  • Server and Client development toolkits
  • Sample Applications
  • A wrapper for COM-DA Servers (DA 2.05a and DA3.00)
  • A Diagnostics Client Application
  • Local Discovery Server
  • An Application Configuration Tool

The sample applications are available with source code, and the stack and development toolkits are available as binaries. This release includes bug fixes, updated installers and redistributable binaries as well as the examples on how to create a custom NodeManager.

 

A lot of OPC Foundation members are actively developing products on the OPC UA SDK and other deliverables.  In addition to gaining valuable OPC UA knowledge, troubleshooting and improving the OPC UA framework, these companies are ahead of the curve on OPC UA product development.  If you haven’t yet, take the opportunity to review the SDK and other deliverables and see the great things OPC UA has to offer.

OPC in the News

OPC UA is starting a buzz in the news these days.  Recent OPC UA announcements are getting noticed by industrial automation blogs, and more articles are hitting news sources.  Besides OPC blogs, another great source of information on what’s happening with OPC is the OPC Portal at Automation.com.  It’s got feature OPC articles, product releases, application stories, training opportunities and much more.

You can also subscribe to the OPC newsletter.  Here’s a sample of some of the OPC articles in this month’s offering:

There’s always something of note happening with OPC, and 2008 is definitely shaping up to be the Year of OPC UA.  Just think of what next year will bring.

Have Your Say on Safety and Security by June 23rd

In order to continually improve and ensure the OPC Foundation is providing you with the sort of information you require, we are seeking some of your thoughts on security and safety.

Please take 5 minutes to fill out this simple survey that covers: your views on automation security (cyber and otherwise) and safety, where you hear about the latest security and safety news, and the impact of Automation Security and Safety in your company. Results of the survey will be published back to the respondents, and published on the OPC Foundation website within two weeks.

Of course a survey wouldn’t be complete without the chance to win some great gifts!  Fill out the survey, enter your e-mail and be registered to win prizes from the OPC Foundation. 

The survey may be found here:  Automation Security and Safety Survey

Deadline for filling out the survey is Monday June 23, 2008.

Follow-up to IndConn

Based on the feedback I’ve heard, the IndConn sessions held at last month’s ConnectivityWeek were a success.  A lot of good presentations and discussions, as well as great opportunities for networking across multiple industries.  I guess that’s not hard to do when you have major players from the power generation, distribution, regulators, standards groups, end users and industrial automation experts all at the same event.

One theme that kept coming to the top was more collaboration. Large-scale impacts on energy consumption at times of high demand can’t happen until even the most ingenious proprietary technology offers a standardized, collaborative pathway by which the utilities and the consuming systems can interact. It’s not hard to understand why OPC was such a big part of this event. Collaboration and connectivity to energy systems/building automation sources + connectivity to IT + access to higher level applications = energy savings and optimization.

Several OPC Foundation members were present, including Tom Burke. Tom had this to say: “One of the key things here is evolution versus revolution…the technology is changing so fast…in order to be successful not only do we have to bridge the gap back to the existing systems”. Tom expands on that topic and more in conversation with MatrikonOPC’s Sean Leonard in an interview with Ken Sinclair of AutomatedBuildings.com. You can read the whole OPC and Building Automation interview here. The site also has recaps of the panel sessions, including the Smart Energy Panel that Jim Luth sat on and the Connectivity Mega Panel that Tom Burke attended. Open, interoperable and available standards like OPC UA are key to making better connected systems.

 

Did you attend the OPC sponsored IndConn?  Did you find it a worthwhile and informative opportunity?  Let’s hear from you.
