Table of Contents
Fetching ...

Secure Data Bridging in Industry 4.0: An OPC UA Aggregation Approach for Including Insecure Legacy Systems

Dalibor Sain, Thomas Rosenstatter, Olaf Saßnick, Christian Schäfer, Stefan Huber

TL;DR

This work tackles securing Industry 4.0 ecosystems by enabling safe data bridging from insecure legacy devices into OPC UA-based networks. It surveys existing aggregation and retrofitting approaches, formulates a threat model, and evaluates three architectural concepts, identifying TCP-level aggregation as the most practical. The authors then implement SigmaServer—a per-device secure endpoint system that uses a thread-safe shared store to mirror legacy data—demonstrating end-to-end latency under $2.6$ ms and far lower RAM usage compared with a commercial aggregator. The results suggest a viable, low-overhead path for brownfield integration, with open-source implementation enabling reproducibility and further research. Future work will focus on hardening the legacy zone, enabling write operations, and refining latency through synchronized publish–subscribe approaches.

Abstract

The increased connectivity of industrial networks has led to a surge in cyberattacks, emphasizing the need for cybersecurity measures tailored to the specific requirements of industrial systems. Modern Industry 4.0 technologies, such as OPC UA, offer enhanced resilience against these threats. However, widespread adoption remains limited due to long installation times, proprietary technology, restricted flexibility, and formal process requirements (e.g. safety certifications). Consequently, many systems do not yet implement these technologies, or only partially. This leads to the challenge of dealing with so-called brownfield systems, which are often placed in isolated security zones to mitigate risks. However, the need for data exchange between secure and insecure zones persists. This paper reviews existing solutions to address this challenge by analysing their approaches, advantages, and limitations. Building on these insights, we identify three key concepts, evaluate their suitability and compatibility, and ultimately introduce the SigmaServer, a novel TCP-level aggregation method. The developed proof-of-principle implementation is evaluated in an operational technology (OT) testbed, demonstrating its applicability and effectiveness in bridging secure and insecure zones.

Secure Data Bridging in Industry 4.0: An OPC UA Aggregation Approach for Including Insecure Legacy Systems

TL;DR

This work tackles securing Industry 4.0 ecosystems by enabling safe data bridging from insecure legacy devices into OPC UA-based networks. It surveys existing aggregation and retrofitting approaches, formulates a threat model, and evaluates three architectural concepts, identifying TCP-level aggregation as the most practical. The authors then implement SigmaServer—a per-device secure endpoint system that uses a thread-safe shared store to mirror legacy data—demonstrating end-to-end latency under ms and far lower RAM usage compared with a commercial aggregator. The results suggest a viable, low-overhead path for brownfield integration, with open-source implementation enabling reproducibility and further research. Future work will focus on hardening the legacy zone, enabling write operations, and refining latency through synchronized publish–subscribe approaches.

Abstract

The increased connectivity of industrial networks has led to a surge in cyberattacks, emphasizing the need for cybersecurity measures tailored to the specific requirements of industrial systems. Modern Industry 4.0 technologies, such as OPC UA, offer enhanced resilience against these threats. However, widespread adoption remains limited due to long installation times, proprietary technology, restricted flexibility, and formal process requirements (e.g. safety certifications). Consequently, many systems do not yet implement these technologies, or only partially. This leads to the challenge of dealing with so-called brownfield systems, which are often placed in isolated security zones to mitigate risks. However, the need for data exchange between secure and insecure zones persists. This paper reviews existing solutions to address this challenge by analysing their approaches, advantages, and limitations. Building on these insights, we identify three key concepts, evaluate their suitability and compatibility, and ultimately introduce the SigmaServer, a novel TCP-level aggregation method. The developed proof-of-principle implementation is evaluated in an operational technology (OT) testbed, demonstrating its applicability and effectiveness in bridging secure and insecure zones.
Paper Structure (32 sections, 12 figures, 1 table, 1 algorithm)

This paper contains 32 sections, 12 figures, 1 table, 1 algorithm.

Figures (12)

  • Figure 1: Deployment scenarios of an aggregating server providing a single, aggregated address space grossmann2014Schleipen2019.
  • Figure 2: Network setup of the JRC ISIA testbed showing the segmentation into four zones: enterprise zone, industrial , legacy zone, and shop floor.
  • Figure 3: Threat model illustrating three different attacker levels while considering basic security controls enabled.
  • Figure 4: Architecture of the proposed SigmaServer illustrating the separation of insecure client interfaces and multiple secure endpoints.
  • Figure 5: Utilisation of SigmaServer as a bridge between the secure zone and the insecure legacy zone.
  • ...and 7 more figures