Secure Onboarding of IIoT Devices using OPC UA

In today's Industrial Internet of Things (IIoT), a broad range of communication protocols are utilized. Built-in security mechanisms enable these protocols to protect communication and defend against network attacks. However, before IIoT devices can utilize these security mechanisms, they need to be securely onboarded in the network. Although several onboarding solutions exist, there is no widely applicable and easy solution for all protocols. Thus, owners of IIoT devices must currently perform multiple processes until they can securely use a device in operation, which requires a high amount of manual effort and onboarding infrastructure. In this work, we present a generic secure onboarding solution for a broad range of network protocols based on OPC UA. OPC UA is particularly suited for this task, as it is one of the most widespread IIoT protocols and one of few protocols whose standard defines a secure onboarding. Our solution leverages the OPC UA onboarding process to equip other IIoT protocols with the initial trust and credentials to establish secure connections. To this end, only minor extensions to the OPC UA implementation on devices are necessary, such that device owners can reuse their OPC UA onboarding infrastructure without any modifications. As a proof of concept for our solution, we demonstrate the secure onboarding of an HTTPS web server. Our implementation fully reuses the reference implementation OPC UA sample server as infrastructure and only needs minor extensions to the IIoT device.