1、 IEC TR 62541-2 Edition 2.0 2016-10 TECHNICA L R EPOR T OPC unified architecture Part 2:Security Model IEC T R 62541-2:2016-10(en)c olourinsideInternational Electrotechnical Commission THIS PUBLICATION IS COPYRIGHT PROTECTED Copyright 2016 IEC,Geneva,Switzerland All r ights r eserved.Unless otherwis
2、e specif ied,no par t of this publication may be reproduced or utilized in any f orm or by any means,electr onic or mechanical,including photocopying and microfilm,without permission in writing f rom either IEC or IECs member National Committee in the country of the requester.If you have any questio
3、ns about IEC copyright or have an enquiry about obtaining additional rights to this publication,please contact the address below or your local IEC member National Committee f or fur ther information.IEC Central Office Tel.:+41 22 919 02 11 3,r ue de Varemb Fax:+41 22 919 03 00 CH-1211 Geneva 20 info
4、iec.ch Switzer land www.iec.ch About the IEC The Inter national Electrotechnical Commission(IEC)is the leading global organization that prepares and publishes International Standar ds f or all electr ical,electronic and related technologies.About IEC publications The technical content of IEC publica
5、tions is kept under constant review by the IEC.Please make sur e that you have the latest edition,a corrigenda or an amendment might have been published.IEC Catalogue-webstore.iec.ch/cat alogue The stand-alone application for consulting the entir e bibliographical information on IEC International St
6、andards,Technical Specifications,Technical Reports and other documents.A vailable for PC,Mac OS,A ndroid Tablets and iPad.IEC publicat ions search-www.iec.ch/searchpub The advanced search enables to find IEC publications by a variety of criteria(reference number,text,technical committee,).It also gi
7、ves information on projects,replaced and withdraw n publications.IEC Just Published-webstore.iec.ch/just published Stay up to date on all new IEC publications.Just Published details all new publications released.A vailable online and also once a month by email.Electropedia-www.electropedia.org The w
8、orlds leading online dictionar y of electronic and electrical terms containing 20 000 terms and definitions in English and French,with equivalent terms in 15 additional languages.A lso known as the International Electrotechnical Vocabular y (IEV)online.IEC Glossar y -st d.iec.ch/glossary 65 000 elec
9、trotechnical terminology entries in English and French ex tracted from the Ter ms and Definitions clause of IEC publications issued since 2002.Some entries have been collected from earlier publications of IEC TC 37,77,86 and CISPR.IEC Cust omer Service Centre-webst ore.iec.ch/csc If you wish to give
10、 us y our feedback on this publication or need fur ther assistance,please contact the Customer Service Centre:csciec.ch.International Electrotechnical Commission IEC TR 62541-2 Edition 2.0 2016-10 TECHNICA L R EPOR T OPC unified architecture Part 2:Security Model INTER NA TIONAL ELECTROTECHNICAL COM
11、MISSION ICS 25.040.40;35.100.01 ISBN 978-2-8322-3641-3 Registered t rademark of t he Int ernational Electrot echnical Commission W arning!Make sure that you obtained this publication from an authorized distributor.c olourinsideInternational Electrotechnical Commission 2 IEC TR 62541-2:2016 IEC 2016
12、CONTENTS FOREWORD.4 1 Scope.6 2 Normative ref erences.6 3 Terms,def initions and abbreviations.8 3.1 Terms and def initions.8 3.2 Abbreviations.12 3.3 Conventions f or security model f igures.12 4 OPC UA security architecture.12 4.1 OPC UA security environment.12 4.2 Security objectives.13 4.2.1 Ove
13、rview.13 4.2.2 Authentication.13 4.2.3 Authorization.13 4.2.4 Conf identiality.14 4.2.5 Integrity.14 4.2.6 Auditability.14 4.2.7 Availability.14 4.3 Security threats to OPC UA systems.14 4.3.1 Overview.14 4.3.2 Message f looding.14 4.3.3 Eavesdropping.15 4.3.4 Message spoof ing.15 4.3.5 Message alte
14、ration.15 4.3.6 Message replay.15 4.3.7 Malf ormed Messages.15 4.3.8 Server prof iling.16 4.3.9 Session hijacking.16 4.3.10 Rogue Server.16 4.3.11 Compromising user credentials.16 4.4 OPC UA relationship to site security.17 4.5 OPC UA security architecture.17 4.6 SecurityPolicies.19 4.7 Security Pro
15、f iles.20 4.8 User Authorization.20 4.9 User Authentication.20 4.10 Application Authentication.20 4.11 OPC UA security related Services.21 4.12 Auditing.21 4.12.1 General.21 4.12.2 Single Client and Server.22 4.12.3 Aggregating Server.23 4.12.4 Aggregation through a non-auditing Server.23 4.12.5 Agg
16、regating Server with service distribution.24 5 Security reconciliation.25 5.1 Reconciliation of threats with OPC UA security mechanisms.25 5.1.1 Overview.25 International Electrotechnical Commission IEC TR 62541-2:2016 IEC 2016 3 5.1.2 Message f looding.25 5.1.3 Eavesdropping.26 5.1.4 Message spoof ing.26 5.1.5 Message alteration.26 5.1.6 Message replay.26 5.1.7 Malf ormed Messages.27 5.1.8 Server prof iling.27 5.1.9 Session hijacking.27 5.1.10 Rogue Server.27 5.1.11 Compromising user credential