OPC UA Role-based access control in industrial automation
Lusetti, Luukas (2025)
Master's Programme in Computing Sciences and Electrical Engineering
Faculty of Information Technology and Communication Sciences
Date of approval
2025-06-09
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:tuni-202506086930
Abstract
This thesis explores the implementation of Role-Based Access Control (RBAC) within Industrial Automation systems using the Open Platform Communications Unified Architecture (OPC UA). As industries progress into the Fourth Industrial Revolution, the integration of Operational Technology (OT) with Information Technology (IT) enhances operational efficiency but also introduces significant cybersecurity challenges. OPC UA, a prominent communication protocol in industrial environments, has recently incorporated RBAC to strengthen security measures.
The primary objective of this research is to analyse the OPC UA RBAC framework and demonstrate a centralized RBAC implementation in an industrial setting. The study begins by reviewing essential industrial network security concepts for safeguarding OT networks against cyber threats. A comprehensive examination of the OPC UA architecture is provided with focus on the RBAC definitions of the specification.
A centralized RBAC system is proposed, leveraging existing IT infrastructure like Lightweight Directory Access Protocol (LDAP) to manage user roles. This approach offers several benefits, including improved security posture and reduced management overhead. However, the implementation also faces challenges such as ensuring continuous operational availability during network disruptions, preventing role proliferation due to context-specific permissions, and bridging the gap between IT and OT teams.
To validate the proposed implementation, a case study is presented where a redundant LDAP controller is deployed within a DMZ. This setup ensures that access control remains robust even if the primary IT network experiences connectivity issues, thereby maintaining the integrity and availability of critical industrial operations.
Additionally, the thesis compares alternative implementation methods and considerations, including bearer token-based authorization, distributed on-device RBAC persistence, and orchestration-based RBAC management. Each method is evaluated for its scalability, resilience, and administrative complexity, providing a comparative analysis to guide optimal RBAC strategies in diverse industrial environments.
Integrating RBAC in OT environments has potential to enhance access control in industrial automation systems. However, successful deployment requires a balanced approach that incorporates both centralized and decentralized strategies, tailored to the specific operational needs and existing infrastructure of industrial settings. This research contributes insights into securing interconnected OT and IT systems, promoting safer and more efficient industrial operations.
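The centralized design summarised above (LDAP group membership mapped to OPC UA roles, with a redundant controller in the DMZ taking over when the primary IT directory is unreachable) can be sketched as follows. This is an added illustration, not code from the thesis; the LDAP servers are simulated in memory so it runs offline, and the group DNs and user DN are constructed sample values. The role names are the well-known roles defined in OPC UA Part 3.

```python
"""Centralised OPC UA role resolution from LDAP groups with DMZ failover.
Added example; the LDAP controllers are in-memory stand-ins (constructed)."""
from dataclasses import dataclass, field

# Mapping from (assumed) LDAP group DNs to OPC UA well-known roles (Part 3).
GROUP_TO_ROLE = {
    "cn=opcua-observers,ou=ot,dc=example,dc=com": "Observer",
    "cn=opcua-operators,ou=ot,dc=example,dc=com": "Operator",
    "cn=opcua-engineers,ou=ot,dc=example,dc=com": "Engineer",
    "cn=opcua-secadmins,ou=ot,dc=example,dc=com": "SecurityAdmin",
}

# Constructed sample directory content: user DN -> group DNs the user belongs to.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
SAMPLE_MEMBERS = {ALICE: ["cn=opcua-operators,ou=ot,dc=example,dc=com"]}


class DirectoryUnavailable(Exception):
    """Raised when an LDAP controller cannot be reached (simulated outage)."""


@dataclass
class FakeLdapServer:
    """Stand-in for one LDAP controller; `reachable` models a network cut."""
    name: str
    members: dict
    reachable: bool = True

    def member_of(self, user_dn: str) -> list:
        if not self.reachable:
            raise DirectoryUnavailable(self.name)
        return self.members.get(user_dn, [])


@dataclass
class RoleResolver:
    """Asks the primary IT directory first, then the DMZ replica.
    Assumes the OPC UA session has already authenticated the user."""
    primary: FakeLdapServer
    replica: FakeLdapServer
    log: list = field(default_factory=list)

    def resolve(self, user_dn: str):
        for server in (self.primary, self.replica):
            try:
                groups = server.member_of(user_dn)
            except DirectoryUnavailable as exc:
                self.log.append(f"{exc} unreachable, trying next controller")
                continue
            roles = {"AuthenticatedUser"}  # baseline for any logged-in user
            roles.update(GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE)
            return sorted(roles), server.name
        # Both controllers down: fail closed by granting only Anonymous.
        return ["Anonymous"], None
```

Because both controllers hold the same group data, the roles returned are identical whichever one answers; only the `log` shows that the DMZ replica served the request.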
