The promise of IoT is to gather data and make it actionable through analytics, so that business and process decisions are made on the basis of that data. Because decisions rest on the data, it is critical to:
- Verify (authenticate) the device that you are communicating with
- Ensure the confidentiality and integrity of both the data coming from the device and the commands sent to the device
IoT devices communicate with each other via communication protocols. Traditional industrial protocols were not designed with security in mind and are quite vendor-centric.
OPC UA is a communication protocol with a service-oriented architecture; it is platform independent and can model complex data. The OPC UA standard was developed with security in mind: it allows the use of Public Key Infrastructure (PKI), certificates and cryptography to provide authentication, confidentiality and integrity.
Analysts forecast that OPC UA adoption will exceed 120 million installations by the end of 2017, and the members of the OPC Foundation (which develops the OPC UA standard) include Bosch AG, Cisco, Dell EMC, GE, Microsoft, Siemens AG and Splunk.
The majority of current OPC UA SDKs are built on open source software. However, there are sensitive use cases that demand more robust security services and, in some cases, FIPS compliance.
Project Notus uses RSA Crypto-J and SSL-J to provide FIPS 140-compliant security services for the leading OPC UA SDKs on the market. The project aims to demonstrate mutual authentication between communicating devices, confidentiality of communication through encryption, and integrity through signing.
The following diagram depicts a high-level view of Project Notus: