The Open Platform Communication Unified Architecture (OPC UA) is an open communication standard enabling the communication between arbitrary industrial machines. From individual sensors to complete productions lines plants, they can be represented in a server-side information model and controlled by a client application. OPC UA is a vendor independent standard and a key technology for Industry 4.0 applica-tions. The client-server architecture of OPC UA provides, compared to other industrial communication pro-tocols, built-in security mechanisms to ensure the authenticated, integrity-protected and encrypted com-munication, as well as mechanisms for the authorised access of information in the OPC UA address pace for applications and users. The specified security mechanisms are sufficient to ensure a high level of security. This was already examined and confirmed in a study conducted on behalf of the BSI for OPC UA version 1.02 in 2016. Since the study of 2016, there have been major changes both in the OPC UA specification and in the ANSI C implementation provided by the OPC Foundation. In the meantime, OPC UA version 1.04 has been adopted and the OPC Foundation’s ANSI C implementation is now only available in a legacy version. Simultaneously, more and more products and applications with OPC UA support have been developed and deployed.

In context of this publication, an update of the OPC UA security analysis from 2016 was conducted, based on OPC UA version 1.04 and the open source C implementation open62541. The methodology of the 2016 analysis was mostly maintained and was limited to the Server/Client use case. In addition, a user survey was carried out to determine the security of OPC UA products and applications in real world environments, and to help identify the problems and challenges that the developers face when implementing the OPC UA specification.