Germany
06/05-06/2024

OPC Foundation Security Summit 2024

Location:
Webinar / International

Welcome to the “OPC Day 2023 – International” – for the fourth time as a digital event.

The OPC Foundation will host the digital event from June 19-23, 2023 with 3 hours per day.
Each session will be held twice in different time zones to serve Americas, Europe and Asia.

Registration

EUROPE / ASIA

Please use this registration for the daily Europe / Asia slot
08:00 am – 11:00 am CEST

AMERICA / EUROPE

Please use this registration for the daily Americas / Europe slot
09:00 am – 12:00 pm PDT | 6:00 pm – 9:00 pm CEST

Security Summit 2024 registration

Security Summit 2024 brochure

Agenda

Day 1 (June 05)

Greetings from the Host

Dr. Holger Kenn,
Microsoft

Welcome & Introduction to OPC UA: Keynote The Industrial Interoperability Standard

OPC UA is the IEC 62541 standard for semantic interoperability and the secure exchange of information, scalable from the sensor through all levels up to IT/cloud solutions such as Data Spaces, Digital Twins and the Metaverse.

This presentation will give you an overview introduction:

  1. OPC Foundation: the non-profit organization with more than 980 international members
  2. OPC UA technology: the rich modeling language with various transport options (such as TCP, UDP and MQTT, but also field-level transfer and a REST interface) and integrated security-by-design.
  3. Companion Specifications: more than 151 area-specific semantic information models for factory, process, energy and other industries
  4. Acceptance in the industry
  5. Offerings such as: Certification, Open Source, Academic Program

Stefan Hoppe,
President and Executive Director OPC Foundation

OPC UA Security Architecture

The OPC Unified Architecture includes security as one of its core features. This presentation provides an overview of the OPC UA security architecture, the scalable features available for OPC UA applications, and the centralized security management options defined by OPC UA.

Matthias Damm,
Unified Automation

The CRA is coming – the CE Mark is extended to include security

With the Cyber Resilience Act (CRA), security becomes a prerequisite for market access in addition to safety. This brings new obligations for manufacturers, not only for the conformity assessment before a product is placed on the market but also for the whole lifetime of the product. What does that imply? A short overview of the motivation for the new law and the essential changes for manufacturers and consumers.

Anna Schwendicke,
BSI

A component manufacturer’s considerations regarding security

Based on experience, good practice and considering the requirements of the European Union’s Cyber Resilience Act, this presentation describes the perspective of a resourceful component manufacturer who cares about system integrators. The perspective focuses on the economy and efficiency of applied cyber security in technology and processes. It includes not only the components, but also the systems built with them and the applicability during operation.

With a pinch of humor, positive and negative examples of technical and formal applications of cyber security are presented. The description of alternatives raises the question of how we want to “live” the cyber security required by regulations and standards in the automation sector. The lecture puts forward the thesis that we still have room to design the solution.

Torsten Förder,
Beckhoff Automation GmbH

Vulnerability Management – CVE

Vulnerability Management is one of the main pillars of the CRA. Based on the information in the SBOM of each product, the CRA expects companies to use this information to provide CVEs for the individual components and for the resulting product. This session describes the exact requirements placed on digital products and how they can be addressed in general.

Jens Cordt,
BSI

Machinery manufacturers commitment to the CRA

The CRA was developed on the initiative of the VDMA, among others. It will have a significant impact on the quality of digital products, including software and hardware. The presentation outlines the resulting opportunities and risks for mechanical engineering in Germany.

Alexey Markert,
VDMA

Security, a foundation for the Digital Factory

Navigating new automation initiatives to move into the digital factory in an interoperable way is challenging. Cybersecurity is one important building block to succeed with the digital transformation within the OT domain. An energy company's journey into secure, interoperable digital twins will be presented.

  • Digital Factory, interoperability and standards
  • Cybersecurity, IEC 62443, Zones & Conduits

Trond Kvamme,
Equinor

Jan Munkejord,
Equinor

OPC UA Cloud Solutions & Security

Cloud technology comes with its own set of security features and this talk will highlight how these security features can be combined with existing OPC UA security features, including Public Key Infrastructure (PKI).

Erich Barnstedt,
Chief Architect Standards, Consortia & Industrial IoT, Azure Edge + Platform

DAY 2 (June 06)

Welcome Day 2

Keynote

Benjamin Bögel,
Head of Sector for Product Security and Certification Policy at the European Commission

Operational Technology (OT) Threats and the Need for Cybersecurity Collaboration

This presentation explores threats to Operational Technology (OT) systems. It emphasizes the consequences of a breach, using real-world examples to stress the need for robust cybersecurity. The multifaceted threats require comprehensive defense strategies, and the talk advocates collaboration to counter cyber threats and create resilient OT environments. Emphasizing the consequences raises awareness and empowers decision-makers to implement measures for a secure technological future. Collaboration between government agencies, the private sector and international entities is deemed crucial for fortifying defenses and responding effectively to emerging threats.

Special Agent Gabrielle Ma,
FBI

For effective Vulnerability Management – SBOM in the CRA

In the US, Executive Order 14028 requires vendors of software for the US government to list all components they used in creating their software in a software bill of materials (SBOM). This is intended to increase transparency and security by providing clear information on the components and dependencies of software applications. With the CRA, the legal obligation to maintain an SBOM comes to the EU too, and not just for software but for all products with digital elements. What does the CRA demand, why, and for what?

Anna Schwendicke,
BSI
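As an added example (not material from the summit, the BSI or any vendor named on this page), the matching step that the two SBOM/CVE sessions above describe: parse a constructed CycloneDX SBOM, match each component's purl and version against a constructed advisory feed, roll the findings up to the product, and flag components that carry no identifier at all. The component names, versions and advisory IDs are all made up for the illustration; the IDs are placeholders, not real CVEs.

```go
package main

import (
	"encoding/json"
	"strconv"
	"strings"
)

// Component and SBOM are the subset of CycloneDX JSON the matching needs.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

type SBOM struct{ Components []Component `json:"components"` }

// Advisory is a constructed vulnerability record (placeholder IDs, not real CVEs):
// versions in [Introduced, Fixed) are affected; empty Fixed means no fix exists yet.
type Advisory struct {
	ID, Package, Introduced, Fixed string // Package is the purl without "@version"
}

// sbomJSON is a constructed CycloneDX document standing in for a product's SBOM.
const sbomJSON = `{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
  {"type": "library", "name": "libbar", "version": "2.0.0", "purl": "pkg:generic/libbar@2.0.0"},
  {"type": "library", "name": "libbaz", "version": "0.9", "purl": "pkg:generic/libbaz@0.9"},
  {"type": "firmware", "name": "vendor-blob", "version": "3.1"}
]}`

// advisories is the constructed feed matched against the SBOM.
var advisories = []Advisory{
	{ID: "ADV-EXAMPLE-1", Package: "pkg:generic/libfoo", Introduced: "1.0.0", Fixed: "1.2.4"},
	{ID: "ADV-EXAMPLE-2", Package: "pkg:generic/libbar", Introduced: "1.0.0", Fixed: "2.0.0"},
	{ID: "ADV-EXAMPLE-3", Package: "pkg:generic/libbaz", Introduced: "0.1"},
}

// compareVersions orders dotted numeric versions segment by segment ("1.2.10" > "1.2.9");
// missing or non-numeric segments count as 0, so real ecosystems need their own scheme.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := 0, 0
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// affected reports whether version lies in the half-open range [Introduced, Fixed).
func (a Advisory) affected(version string) bool {
	if compareVersions(version, a.Introduced) < 0 {
		return false
	}
	return a.Fixed == "" || compareVersions(version, a.Fixed) < 0
}

// Match returns the advisory IDs per component purl, the union under "product"
// (the product inherits every component finding), and components that carry no
// purl under "unidentified" so the gap in the SBOM stays visible.
func Match(sbom SBOM, feed []Advisory) map[string][]string {
	out := map[string][]string{}
	for _, c := range sbom.Components {
		if c.PURL == "" {
			out["unidentified"] = append(out["unidentified"], c.Name+"@"+c.Version)
			continue
		}
		pkg := strings.TrimSuffix(c.PURL, "@"+c.Version) // purl minus its version suffix
		for _, adv := range feed {
			if adv.Package == pkg && adv.affected(c.Version) {
				out[c.PURL] = append(out[c.PURL], adv.ID)
				out["product"] = append(out["product"], adv.ID)
			}
		}
	}
	return out
}

// Evaluate parses the constructed SBOM and matches it against the feed.
func Evaluate() (map[string][]string, error) {
	var sbom SBOM
	if err := json.Unmarshal([]byte(sbomJSON), &sbom); err != nil {
		return nil, err
	}
	return Match(sbom, advisories), nil
}
```

The boundary cases are the point: libbar sits exactly on its fixed version and must not match, libbaz has no fixed release and therefore stays affected, and the firmware blob without a purl cannot be matched against anything, which is the SBOM gap a CRA conformity assessment would ask about first.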

CRA and EN IEC 62443

The presentation provides an overview and status of the CRA-related standardization activities. It focuses on the interplay with the relevant standards of the EN IEC 62443 cybersecurity framework and the challenges on the way to harmonized and listed standards that provide presumption of conformity.

Dr. Kai Wollenweber,
Siemens

CVE from experience

Vulnerabilities are inherited along the supply chain. With every integration into a new product and every adaption into a new branch, they likely change their characteristics and the resulting risk. This presentation is looking into industrial software supply chains and the effects that vulnerabilities cause.

Dr. Thomas Pröll,
Siemens

The OPC Foundation CVE Management Process

This presentation will discuss how the OPC Foundation handles reports of security vulnerabilities. It will explain the differences between handling vulnerabilities that affect OPC specifications and vulnerabilities that affect specific products or SDKs. It will also discuss the efforts to work with security researchers.

Randy Armstrong,
OPC Foundation

Liability for Open-Source-Software under the Cyber Resilience Act

The first draft of the Cyber Resilience Act (CRA) led to an outcry from the Open Source community given that it looked like the average Open Source contributor would have to fully adhere to the CRA. A change to the CRA draft introducing the criteria of a commercial activity raised even more questions regarding paid contributors and non-profit-organizations. The current CRA draft includes a whole section on Open-Source-Software which may have resolved the issue for the Open Source community. But one question remains: What does a commercial enterprise need to do if they use Open-Source-Software in their commercial products – do they have to declare conformity under the CRA for the Open Source Software?

Dr. Gerrit Hötzel,
Voelker Gruppe

CVE in context of supply chain

Vulnerabilities are inherited along the supply chain. With every integration into a new product and every adaption into a new branch, they likely change their characteristics and the resulting risk. This presentation is looking into industrial software supply chains and the effects that vulnerabilities cause.

Dr. Thomas Pröll,
Siemens

Secure device registration and certificate management for heterogeneous OT environments incl. OPC UA

When OT components communicate in a secure way using standard protocols like OPC UA, they use their secure identities for authentication. A secure identity according to IEEE 802.1AR consists of a private key, the X.509 certificate and the corresponding certificate chain. Managing certificates manually is very time-consuming and error-prone. We will show how to manage certificates and register OT components in heterogeneous OT environments in a secure, user-friendly and automated way using OPC UA and further standard protocols.

In this context, the SINEC Registration Authority, which enables IT/OT convergence by connecting the OT environments to a legacy PKI hosted in IT, will be introduced.

Anna Palmin,
Siemens

Frank LauriG,
Siemens

Contract Design along the Supply Chain under the Cyber Resilience Act

One key element of the Cyber Resilience Act (CRA) is the focus on the supply chain. Many obligations of a commercial enterprise can only be observed if suppliers are contractually obligated to collaborate in the conformity assessment (e.g. regarding the software included in their products). But not only the contractual situation towards the supplier is important. The contractual situation regarding the customer is at least equally important. Besides stipulations for providing security updates and information to customers, the CRA introduces one big change: an extended liability of up to five years. Do all warranty and liability clauses in all terms and conditions and sales contracts have to be changed to reflect this?

Dr. Gerrit Hötzel,
Voelker Gruppe

Secure OPC UA Software Development – Good practices

The emergence of new security regulations has affected development practices. This presentation aims to introduce some of these contemporary techniques and approaches, now considered good practices regardless of the normative framework in use (BSZ/CSPN, Common Criteria, IEC 62443, …). These include Software Bills of Materials (SBOMs), Continuous Integration, Secure Coding Rules, Pentesting and User Security Guidelines.

Vincent Lacroix,
Systerel

Central Security Management with OPC UA GDS

A Global Discovery Server (GDS) enables the registration of OPC UA-enabled devices and applications for centralized discovery services and certificate management. It enables the management and deployment of application certificates and trust relationships between OPC UA applications.

This presentation introduces the central security management services defined in OPC UA and shows how Unified Automation’s UaGDS manages certificates for different OPC UA applications and devices.

Matthias Damm,
Unified Automation

Part 21: Integrating the supply chain into the OT security process

This presentation discusses the life cycle of devices and how a secure system requires a secure supply chain. It will elaborate on the necessity of cryptographically identifying and verifying all devices upon their integration into an OT network and discuss the onboarding process using the APIs defined in Part 21. Additionally, it will explain the relation between OPC UA and other device identification and onboarding standards, such as the IEC "Identification Link" (IL) strings (IEC 61406).
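An added example, not code from the summit, from Siemens or from Unified Automation, for the two certificate sessions above (the IEEE 802.1AR secure identity with its key, certificate and chain, and the GDS-managed trust list): it builds a constructed two-level PKI with Go's standard library, issues an OPC UA-style application instance certificate that carries the ApplicationUri as a URI entry in the subjectAltName, and shows what a peer's trust check does with it. The CA names, the ApplicationUri `urn:example:plant1:opcua-server` and the `plc-01` subject are assumptions for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// mustCert issues tmpl under parent (self-signed when parent is nil); it is setup for
// the constructed scenario, so a failure here is a bug, not a verification result.
func mustCert(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate describes a CA certificate (root or issuing CA).
func caTemplate(cn string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// appTemplate describes an OPC UA application instance certificate; the
// ApplicationUri travels as a URI entry in subjectAltName.
func appTemplate(cn string, appURI *url.URL, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(2 * 365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{appURI},
	}
}

// VerifyPeerIdentity mirrors what an OPC UA application does with a peer certificate:
// chain it to an anchor in the local trust list, then check the claimed ApplicationUri.
func VerifyPeerIdentity(peer *x509.Certificate, intermediates, trustList []*x509.Certificate, claimedURI string, now time.Time) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustList {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // unknown authority, expired, broken chain, ...
	}
	for _, u := range peer.URIs {
		if u.String() == claimedURI {
			return nil
		}
	}
	return errors.New("ApplicationUri not present in certificate SAN")
}

// RunScenario builds the constructed PKI and returns the verification outcome per case.
func RunScenario() map[string]error {
	now := time.Now()
	appURI := &url.URL{Scheme: "urn", Opaque: "example:plant1:opcua-server"} // constructed
	root, rootKey := mustCert(caTemplate("Constructed Root CA", 1, now), nil, nil)
	issuing, issuingKey := mustCert(caTemplate("Constructed Issuing CA", 2, now), root, rootKey)
	rogue, _ := mustCert(caTemplate("Constructed Rogue CA", 3, now), nil, nil)
	server, _ := mustCert(appTemplate("plc-01", appURI, 4, now), issuing, issuingKey)
	anchors, chain := []*x509.Certificate{root}, []*x509.Certificate{issuing}
	return map[string]error{
		"ok":              VerifyPeerIdentity(server, chain, anchors, appURI.String(), now),
		"wrong-uri":       VerifyPeerIdentity(server, chain, anchors, "urn:example:plant1:other", now),
		"no-intermediate": VerifyPeerIdentity(server, nil, anchors, appURI.String(), now),
		"untrusted-root":  VerifyPeerIdentity(server, chain, []*x509.Certificate{rogue}, appURI.String(), now),
	}
}
```

The four cases are the ones a trust-list change flips: only the complete chain to a listed anchor with a matching ApplicationUri passes, while a missing issuing CA, a chain ending at a CA outside the list, and a URI that is not in the SAN are each rejected. Which anchors and issuer certificates end up in that list on every device is precisely what the GDS push and pull models manage.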

Randy Armstrong,
OPC Foundation

Integrating PubSub Security in UAFX

Adapting OPC UA PubSub to work with dynamic connections has required adapting PubSub security. We take a look at the adaptations required to ensure a secure PubSub connection, including the addition of a Push Model for the Security Key Service in Part 14, the UAFX architecture choices that ensure interoperability and robustness, and the workflow of the Security Key Service for providing keys to the PubSub connections.

David Smith,
Schneider Electric

OPC Compliance Testing of Security Features and GDS

Security has always been an important part of OPC UA, and it has been covered by certification, implicitly and explicitly, since the beginning of the certification program. Learn which security aspects are covered by the OPC Foundation Certification program and why you can trust the security of certified products. We will also share information about the tests in the OPC Foundation's automated Compliance Test Tool (CTT) that verify your product's OPC UA security integration.

Alexander Allmendinger,
OPC Foundation

CISA’s Secure by Design Initiative Applied to OT protocols

Last year CISA started the Secure by Design initiative to shift the burden of security from the least equipped and most vulnerable to the most capable actors. Examples of this range from reporting CWEs and memory safety to deploying a product secure by default. This talk will give a brief history of the initiative then shift the focus to how secure by design factors into OT components and protocols. Embedding cybersecurity into our protocols and components, such that every device is playing an active role in the security of the system, will lower security costs for everyone, while improving resilience.

Matthew Rogers,
Cybersecurity and
Infrastructure Security Agency

OPC Foundation in the world

This session is about OPC Foundation in the regions of the world: Our local colleagues from North America, China, Japan, Korea, Singapore and France will give short reports.

Join our conference at the Convention Center –
Room 3B

  • live demonstrator OPC UA and the Metaverse
  • live demo “OPC UA over MQTT”: connecting many controllers via OPC UA over MQTT directly to cloud dashboards
  • OPC UA via REST: information about the new working group addressing this topic.
    The IT world wants to use data from the OT space combined with concepts like Asset Administration Shell, Data Spaces, Digital Twins and Metaverse. All these initiatives and solutions are about sharing information between multiple companies for different use cases, such as product lifecycle data (AAS) or governance data (Data Spaces). In most cases they exchange the data via proprietary or standardized HTTP REST interfaces.
  • OPC UA for field: live demo of horizontal Controller-to-Controller communications based on OPC UA FX series – the one and only harmonized OPC UA solution for both Process- and Factory-Automation, including deterministic, motion, instrumentation, OPC UA Safety and OPC UA over 5G.
  • live demo “GDS – Global Discovery Service” for secured exchange of certificates

These companies and partners will show solutions on the OPC Foundation booth in 2023:

  • Brightly Works Oy
  • Fraunhofer IOSB
  • Hilscher
  • logiccloud AG
  • Matrikon
  • Prosys OPC
  • PTC/ Kepware
  • Siemens
  • Unified Automation

In addition we welcome our partners

  • AutomationML
  • FDT Group
  • Spectaris with the LADS Companion Spec