
Operational Technology environments are no longer air gapped. SCADA systems, PLC networks, historian platforms, and industrial gateways increasingly communicate over routed IP networks. In this context, OPC UA has become the de facto secure communication standard for industrial interoperability.
Unlike legacy industrial protocols, OPC UA was designed with security as a core architectural component. Two cryptographic primitives form the backbone of that security model:
• AES 256 for encryption
• SHA 256 for integrity
Together, they protect not only confidentiality, but more importantly in OT, system integrity and availability.
This article explains how.
1. Why Security in OPC UA Matters in OT
In regulated and safety critical environments, the consequences of insecure communication are not theoretical. If control commands are altered, intercepted, or replayed:
• Setpoints can be manipulated
• Process logic can be disrupted
• Safety systems can be bypassed
• Production continuity can be compromised
Standards such as IEC 62443 and ISO 27001 increasingly require demonstrable cryptographic protection of industrial communications.
OPC UA addresses this requirement natively.
2. OPC UA Security Architecture in Practice
OPC UA does not simply “add TLS.” It defines a full security model built around:
• Application certificates
• Secure channels
• Message signing
• Message encryption
• Security policies
A common modern security policy used in regulated OT environments is:
Basic256Sha256
This policy uses:
• AES 256 for symmetric encryption
• SHA 256 for message integrity
• RSA for asymmetric key exchange
Let us examine what that means in operational terms.
3. AES 256 in OPC UA: Securing Control Commands
3.1 What AES 256 Does
AES 256 is a symmetric encryption algorithm using a 256 bit key. In OPC UA, once a secure channel is established:
• Session keys are negotiated
• Messages are encrypted with AES 256
• Only the intended recipient can decrypt them
If someone captures network traffic between:
• SCADA and PLC
• Historian and controller
• Engineering workstation and device
They cannot read the encrypted payload, and any attempt to alter it in transit is detected and rejected by the receiver (see section 4).
3.2 Why This Protects Availability
In OT, availability is king.
If commands can be intercepted or modified in transit:
• Output values could be altered
• Interlocks could be bypassed
• False shutdown signals could be injected
AES 256 keeps control traffic confidential in transport; combined with the message signature described in section 4, it also cannot be altered without detection.
This reduces the risk of process instability caused by malicious interference.
4. SHA 256 in OPC UA: Guaranteeing Message Integrity
Encryption alone is not sufficient. We must also guarantee that messages have not been modified.
4.1 How SHA 256 Is Used
In OPC UA:
• Each message is hashed using SHA 256
• The hash is signed
• The receiver verifies the signature before accepting the message
If even a single bit changes:
• The hash changes completely
• The signature validation fails
• The message is rejected
This prevents silent data manipulation.
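The following program is an added example, not code from the article or from any OPC UA stack, showing the SignAndEncrypt processing of sections 3 and 4 in one place: the sender computes an HMAC-SHA256 signature over the message body, appends it, pads, and encrypts with AES-256-CBC; the receiver decrypts, verifies the signature, and rejects anything that does not match. The channelKeys type, the fixed keys and the WriteRequest text are constructed for the example; in a real Basic256Sha256 channel the signing key, encrypting key and IV are derived from the client and server nonces exchanged during OpenSecureChannel, and OPC UA uses its own PaddingSize scheme rather than the PKCS#7-style padding used here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// channelKeys holds the symmetric keys a secure channel uses after
// OpenSecureChannel: a 32-byte signing key (HMAC-SHA256) and a 32-byte
// encrypting key (AES-256). Constructed for the example; a stack derives them.
type channelKeys struct {
	signingKey    []byte
	encryptingKey []byte
}

// protect applies SignAndEncrypt to one message body: sign with HMAC-SHA256,
// append the signature, pad to the block size, encrypt with AES-256-CBC.
// The IV is random per message here; OPC UA derives it with the keys.
func protect(k channelKeys, plaintext []byte) ([]byte, error) {
	mac := hmac.New(sha256.New, k.signingKey)
	mac.Write(plaintext)
	signed := append(append([]byte{}, plaintext...), mac.Sum(nil)...)

	pad := aes.BlockSize - len(signed)%aes.BlockSize
	signed = append(signed, bytes.Repeat([]byte{byte(pad)}, pad)...)

	block, err := aes.NewCipher(k.encryptingKey) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(signed))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], signed)
	return out, nil
}

// unprotect is the receiver side. Any error means the message is rejected;
// a signature mismatch means the bytes were changed in transit or were
// produced with different keys.
func unprotect(k channelKeys, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message length")
	}
	block, err := aes.NewCipher(k.encryptingKey)
	if err != nil {
		return nil, err
	}
	iv, body := msg[:aes.BlockSize], msg[aes.BlockSize:]
	signed := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(signed, body)

	pad := int(signed[len(signed)-1])
	if pad == 0 || pad > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, b := range signed[len(signed)-pad:] {
		if int(b) != pad {
			return nil, errors.New("bad padding")
		}
	}
	signed = signed[:len(signed)-pad]
	if len(signed) < sha256.Size {
		return nil, errors.New("message shorter than its signature")
	}
	plaintext, sig := signed[:len(signed)-sha256.Size], signed[len(signed)-sha256.Size:]

	mac := hmac.New(sha256.New, k.signingKey)
	mac.Write(plaintext)
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, errors.New("signature verification failed: message rejected")
	}
	return plaintext, nil
}

func main() {
	// Constructed keys for the demonstration; a real channel never uses fixed values.
	k := channelKeys{signingKey: bytes.Repeat([]byte{0x11}, 32), encryptingKey: bytes.Repeat([]byte{0x22}, 32)}
	cmd := []byte("WriteRequest ns=2;s=Tank1.Setpoint value=72.5") // constructed command

	wire, _ := protect(k, cmd)
	back, err := unprotect(k, wire)
	fmt.Printf("genuine message: %q err=%v\n", back, err)

	tampered := append([]byte{}, wire...)
	tampered[aes.BlockSize+3] ^= 0x01 // a single flipped ciphertext bit
	_, err = unprotect(k, tampered)
	fmt.Println("tampered message:", err)
}
```

The single flipped bit corrupts one decrypted block and one bit of the next, so the HMAC computed by the receiver no longer matches the one the sender appended and the write is rejected instead of being applied with a wrong setpoint. The same check fails if a peer holds a different signing key, which is what makes injected messages from an untrusted device fall at the channel boundary.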
4.2 Integrity in Regulated Environments
In pharmaceutical GMP environments, infrastructure automation, and safety critical production systems:
• Setpoints must be traceable
• Commands must be attributable
• Configuration changes must be controlled
SHA 256 based integrity validation ensures that:
• Messages are authentic
• Data is not corrupted
• Unauthorized modifications are detected immediately
This is directly aligned with regulatory traceability requirements.
5. Certificates and Trust in OPC UA
OPC UA relies heavily on X.509 certificates.
Each application instance:
• Has its own certificate
• Establishes trust relationships
• Validates peer certificates before communication
This ensures:
• The client is who it claims to be
• The server is authentic
• Rogue devices cannot join the network unnoticed
When combined with AES 256 and SHA 256, this creates a layered defense model.
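As an added example (not from the article or any OPC UA product), the program below shows the two checks a server applies to a connecting client, or a client to a server, before the secure channel is used: the peer's application instance certificate must be in the trust list, and the URI in its subject alternative name must match the ApplicationUri the peer claims. OPC UA requires the ApplicationUri to be present as a URI SAN, which is why the example puts it there. The application URIs, common names and the one-year validity are constructed values; the trust list is modelled with a certificate pool, which is how a self-signed application certificate placed in a server's trusted folder works.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newApplicationCert creates a self-signed OPC UA application instance
// certificate with the ApplicationUri carried as a URI SAN.
func newApplicationCert(appURI, commonName string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	uri, err := url.Parse(appURI)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // constructed lifetime
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		URIs:                  []*url.URL{uri},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authorizePeer performs the trust-list and ApplicationUri checks. Both must
// pass; a valid certificate presented under a different application identity
// is still rejected.
func authorizePeer(trust *x509.CertPool, peer *x509.Certificate, claimedURI string) error {
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     trust,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("certificate not in trust list: %w", err)
	}
	for _, u := range peer.URIs {
		if u.String() == claimedURI {
			return nil
		}
	}
	return errors.New("ApplicationUri does not match the certificate's URI SAN")
}

func main() {
	trusted, _, err := newApplicationCert("urn:example:scada:client1", "SCADA Client 1") // constructed
	if err != nil {
		panic(err)
	}
	rogue, _, err := newApplicationCert("urn:example:unknown:device", "Unknown Device") // constructed
	if err != nil {
		panic(err)
	}
	trust := x509.NewCertPool()
	trust.AddCert(trusted) // the operator placed this certificate in the trusted folder

	fmt.Println("trusted client :", authorizePeer(trust, trusted, "urn:example:scada:client1"))
	fmt.Println("rogue device   :", authorizePeer(trust, rogue, "urn:example:unknown:device"))
	fmt.Println("uri mismatch   :", authorizePeer(trust, trusted, "urn:example:scada:client2"))
}
```

The rogue device fails even though its certificate is well formed and freshly valid, because trust in OPC UA is an explicit operator decision, not a property of the certificate itself. That is the property that makes an unexpected device on the OT network visible in the server's rejected-certificate store rather than silently connected.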
6. Protection Against Common Industrial Threats
6.1 Man in the Middle Attacks
Without encryption and integrity validation, attackers could:
• Intercept traffic
• Modify commands
• Replay old valid messages
With AES 256 and SHA 256:
• Encrypted traffic is unreadable
• Modified messages fail hash verification
• Session security prevents replay
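The replay protection mentioned above rests on the SequenceHeader of every secure-channel chunk: the sequence number is covered by the signature, so it cannot be adjusted, and the receiver only accepts the next expected value. The program below is an added example, not code from the article or from any OPC UA stack, implementing the receiver-side rule from Part 6 of the specification: the number increases by exactly one per chunk, may only wrap after it exceeds 4294966271 (UInt32.MaxValue minus 1024), and the first value after a wrap must be below 1024. The chunkReceiver type and the sequence values are constructed; a recorded chunk replayed later, or a chunk with a gap before it, fails the check, and most stacks then abort the secure channel rather than just drop the chunk.

```go
package main

import "fmt"

// wrapThreshold is UInt32.MaxValue - 1024: a sender may wrap its sequence
// number only after exceeding it, and must restart below 1024.
const wrapThreshold = 4294966271

// chunkReceiver tracks the last accepted sequence number of one secure channel.
type chunkReceiver struct {
	last    uint32
	started bool
}

// accept returns nil if seq is the next valid sequence number and updates the
// state; otherwise the chunk must not be processed.
func (r *chunkReceiver) accept(seq uint32) error {
	if !r.started {
		r.started, r.last = true, seq // first chunk of the channel sets the baseline
		return nil
	}
	switch {
	case seq == r.last+1:
		// normal case: exactly one more than the last chunk
	case r.last > wrapThreshold && seq < 1024:
		// legal wrap-around
	default:
		return fmt.Errorf("chunk %d after %d rejected: replayed, dropped or out of order", seq, r.last)
	}
	r.last = seq
	return nil
}

func main() {
	var r chunkReceiver
	// Constructed sequence: three genuine chunks, then chunk 52 presented again.
	for _, s := range []uint32{51, 52, 53, 52} {
		fmt.Printf("chunk %d: %v\n", s, r.accept(s))
	}
	w := chunkReceiver{last: 4294966301, started: true}
	fmt.Println("wrap to 7:", w.accept(7))
}
```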
6.2 Lateral Movement
In many ransomware cases, attackers move laterally inside the network.
OPC UA secure channels:
• Require certificate trust
• Enforce encryption
• Reject unsigned traffic
This significantly limits unauthorized device communication inside the OT zone.
7. From Cybersecurity to Operational Reliability
Encryption and hashing are often framed as “IT security controls.”
In OT, they are reliability mechanisms.
AES 256 protects control traffic from external interference.
SHA 256 ensures commands are not silently altered.
Certificates ensure only trusted systems communicate.
The result:
• Reduced risk of process manipulation
• Faster detection of anomalies
• Stronger regulatory compliance
• Improved operational continuity
In safety critical and regulated OT systems, that is not optional. It is fundamental.
8. Practical Considerations for OT Engineers
When deploying OPC UA in industrial projects:
• Enforce Basic256Sha256 or stronger security policies
• Disable legacy insecure security modes
• Manage certificate lifecycle properly
• Protect private keys securely
• Test message signing and encryption during FAT and SAT
These controls are measurable and verifiable during validation and audit.
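One concrete way to verify the first two items of the list during FAT or SAT is to audit every endpoint a server advertises, since a single legacy endpoint left enabled is enough for a client to negotiate down to it, and since a strong policy only delivers encryption when the endpoint's MessageSecurityMode is SignAndEncrypt (Sign alone gives integrity without confidentiality). The program below is an added example, not from the article or any OPC UA tool; the security policy URIs and MessageSecurityMode values are the ones defined by the OPC UA specification, the endpoint list is constructed, and the audit rule (Basic256Sha256 or newer, SignAndEncrypt only, nothing deprecated advertised) is the project rule the article recommends.

```go
package main

import "fmt"

// MessageSecurityMode values as defined in OPC UA Part 4.
type MessageSecurityMode int

const (
	ModeNone           MessageSecurityMode = 1
	ModeSign           MessageSecurityMode = 2
	ModeSignAndEncrypt MessageSecurityMode = 3
)

// Endpoint is the subset of an EndpointDescription the audit looks at.
type Endpoint struct {
	URL       string
	PolicyURI string
	Mode      MessageSecurityMode
}

const policyPrefix = "http://opcfoundation.org/UA/SecurityPolicy#"

// policyStatus classifies the standard policies. Basic128Rsa15 and Basic256
// sign with SHA-1 and are deprecated; Basic256Sha256 is the minimum accepted.
var policyStatus = map[string]string{
	policyPrefix + "None":                  "no protection",
	policyPrefix + "Basic128Rsa15":         "deprecated (SHA-1 signing, RSA PKCS#1 v1.5)",
	policyPrefix + "Basic256":              "deprecated (SHA-1 signing)",
	policyPrefix + "Basic256Sha256":        "ok",
	policyPrefix + "Aes128_Sha256_RsaOaep": "ok",
	policyPrefix + "Aes256_Sha256_RsaPss":  "ok",
}

// Finding is the audit verdict for one advertised endpoint.
type Finding struct {
	Endpoint Endpoint
	Accepted bool
	Reason   string
}

// auditEndpoints applies the project rule to every advertised endpoint.
func auditEndpoints(eps []Endpoint) []Finding {
	var out []Finding
	for _, e := range eps {
		status, known := policyStatus[e.PolicyURI]
		switch {
		case !known:
			out = append(out, Finding{e, false, "unknown security policy URI"})
		case status != "ok":
			out = append(out, Finding{e, false, "policy " + status})
		case e.Mode != ModeSignAndEncrypt:
			out = append(out, Finding{e, false, "mode is not SignAndEncrypt, so traffic is not encrypted"})
		default:
			out = append(out, Finding{e, true, "ok"})
		}
	}
	return out
}

// compliant is true only when every endpoint passes; the legacy ones must be
// disabled, not merely left unused.
func compliant(findings []Finding) bool {
	for _, f := range findings {
		if !f.Accepted {
			return false
		}
	}
	return len(findings) > 0
}

func main() {
	// Constructed endpoint list as a server might advertise it in GetEndpoints.
	eps := []Endpoint{
		{"opc.tcp://plc01.example:4840", policyPrefix + "None", ModeNone},
		{"opc.tcp://plc01.example:4840", policyPrefix + "Basic256", ModeSignAndEncrypt},
		{"opc.tcp://plc01.example:4840", policyPrefix + "Basic256Sha256", ModeSign},
		{"opc.tcp://plc01.example:4840", policyPrefix + "Basic256Sha256", ModeSignAndEncrypt},
	}
	findings := auditEndpoints(eps)
	for _, f := range findings {
		fmt.Printf("%-8v %-22s accepted=%-5v %s\n", f.Endpoint.Mode, f.Endpoint.PolicyURI[len(policyPrefix):], f.Accepted, f.Reason)
	}
	fmt.Println("server compliant:", compliant(findings))
}
```

Run against the endpoint list returned by a server's GetEndpoints response, the audit produces an evidence record that can be attached to the validation package: each rejected line names the endpoint that still has to be disabled, and the final verdict only turns true when none remain.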
From a verification and validation perspective, AES 256 and SHA 256 are not abstract cryptographic concepts. They are concrete, testable mechanisms that protect system integrity and availability in modern connected OT environments.
If you are building secure industrial architectures, OPC UA with strong cryptography is not a feature. It is a baseline requirement.