Security at OPC UA; Security Settings - Siemens SIMATIC S7-1500 Function Manual

OPC UA communication

9.2 Security at OPC UA

9.2.1 Security settings

Addressing risks
OPC UA allows the exchange of data between different systems, both within the process
and production levels and to systems at the control and enterprise level.
This possibility also entails security risks. That is why OPC UA provides a range of security
mechanisms:
● Verification of the identity of OPC UA server and clients.
● Checking of the identity of the users.
● Signed/encrypted data exchange between OPC UA server and clients.
These security policies should only be bypassed in cases where it is absolutely necessary:
● During commissioning
● In stand-alone projects without external Ethernet connection
If you have selected the endpoint "None" for "UA Sample Client" of the OPC Foundation, for
example, the program issues a clear warning:
When STEP 7 compiles your project, it also checks whether you have considered the protection
settings and warns you of possible risks. These warnings also cover an OPC UA
security policy with the setting "no security", which corresponds to the endpoint "None".
Note
Disabling security policies you do not want
If you have enabled all security policies in the secure channel settings of the S7-1500 OPC
UA server, including the endpoint "None" (no security), unsecured data traffic (neither
signed nor encrypted) between the server and client is also possible. The OPC UA server of
the S7-1500 CPU sends its public certificate to the client even at "None" (no security), and
some clients check this certificate. However, the client is not forced to send a certificate to
the server, so the identity of the client may remain unknown. Any OPC UA client can
then connect to the server irrespective of any subsequent security settings.
When configuring the OPC UA server, make sure that only security policies that are
compatible with the security concept of your machine or plant are selected. All other security
policies should be disabled.
Recommendation: Use the setting "Basic256Sha256 - Sign and Encrypt", which means that
the server only accepts Sha256 certificates. The security policies "Basic128Rsa15" and
"Basic256" are deactivated by default and should not be used as an endpoint. Select
endpoints with a higher security policy.
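
The following Python check is an added example, not part of the Siemens manual: it audits the list of endpoints a server advertises against the guidance in the note above. The dictionary keys mirror the OPC UA EndpointDescription fields; the sample endpoint list, the address and the verdict labels are constructed for this example.

```python
"""Audit OPC UA endpoint descriptions against the manual's guidance (added example)."""
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
DISCOURAGED = {"Basic128Rsa15", "Basic256"}      # "should not be used as an endpoint"
RECOMMENDED = ("Basic256Sha256", "SignAndEncrypt")

# Constructed sample: what a server with several policies enabled might advertise.
URL = "opc.tcp://192.0.2.10:4840"  # documentation address, not a real CPU
SAMPLE_ENDPOINTS = [
    {"endpointUrl": URL, "securityPolicyUri": POLICY_PREFIX + "None", "securityMode": "None"},
    {"endpointUrl": URL, "securityPolicyUri": POLICY_PREFIX + "Basic256", "securityMode": "Sign"},
    {"endpointUrl": URL, "securityPolicyUri": POLICY_PREFIX + "Basic256Sha256", "securityMode": "Sign"},
    {"endpointUrl": URL, "securityPolicyUri": POLICY_PREFIX + "Basic256Sha256", "securityMode": "SignAndEncrypt"},
]


def classify(endpoint):
    """Return the verdict label (labels are this example's own) for one endpoint."""
    policy = endpoint["securityPolicyUri"].rsplit("#", 1)[-1]
    mode = endpoint["securityMode"]
    if policy == "None" or mode == "None":
        return "unsecured"            # neither signed nor encrypted
    if policy in DISCOURAGED:
        return "discouraged-policy"
    if (policy, mode) == RECOMMENDED:
        return "recommended"
    return "not-recommended"          # e.g. Basic256Sha256 with Sign only


def audit(endpoints):
    """Summarise which endpoints to review and whether unsecured access is possible."""
    verdicts = [(ep["securityPolicyUri"].rsplit("#", 1)[-1], ep["securityMode"], classify(ep))
                for ep in endpoints]
    return {
        "flagged": [(p, m, v) for p, m, v in verdicts if v != "recommended"],
        # A single "None" endpoint lets any client connect without a certificate,
        # regardless of what the other endpoints require.
        "unsecured_possible": any(v == "unsecured" for _, _, v in verdicts),
        "recommended_offered": any(v == "recommended" for _, _, v in verdicts),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ENDPOINTS)
    for policy, mode, verdict in report["flagged"]:
        print(f"flag {policy}/{mode}: {verdict}")
    print("unsecured access possible:", report["unsecured_possible"])
    print("recommended endpoint offered:", report["recommended_offered"])
```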
Function Manual, 11/2019, A5E03735815-AH
Communication