Secure Data Bridging in Industry 4.0: An OPC UA Aggregation Approach for Including Insecure Legacy Systems
Dalibor Sain, Thomas Rosenstatter, Olaf Saßnick, Christian Schäfer, Stefan Huber
TL;DR
This work tackles securing Industry 4.0 ecosystems by enabling safe data bridging from insecure legacy devices into OPC UA-based networks. It surveys existing aggregation and retrofitting approaches, formulates a threat model, and evaluates three architectural concepts, identifying TCP-level aggregation as the most practical. The authors then implement SigmaServer—a per-device secure endpoint system that uses a thread-safe shared store to mirror legacy data—demonstrating end-to-end latency under $2.6$ ms and far lower RAM usage compared with a commercial aggregator. The results suggest a viable, low-overhead path for brownfield integration, with open-source implementation enabling reproducibility and further research. Future work will focus on hardening the legacy zone, enabling write operations, and refining latency through synchronized publish–subscribe approaches.
Abstract
The increased connectivity of industrial networks has led to a surge in cyberattacks, emphasizing the need for cybersecurity measures tailored to the specific requirements of industrial systems. Modern Industry 4.0 technologies, such as OPC UA, offer enhanced resilience against these threats. However, widespread adoption remains limited due to long installation times, proprietary technology, restricted flexibility, and formal process requirements (e.g. safety certifications). Consequently, many systems do not yet implement these technologies, or only partially. This leads to the challenge of dealing with so-called brownfield systems, which are often placed in isolated security zones to mitigate risks. However, the need for data exchange between secure and insecure zones persists. This paper reviews existing solutions to address this challenge by analysing their approaches, advantages, and limitations. Building on these insights, we identify three key concepts, evaluate their suitability and compatibility, and ultimately introduce the SigmaServer, a novel TCP-level aggregation method. The developed proof-of-principle implementation is evaluated in an operational technology (OT) testbed, demonstrating its applicability and effectiveness in bridging secure and insecure zones.
