The Straight Scoop on OPC and Security

What You Need to Know about OPC-UA and OPC-Xi

2 of 2 1 | 2 > View on one page


Unlike OPC Classic, where security is whatever the underlying technology (COM/DCOM) happens to provide, OPC-UA specifically defines the security that vendors must implement; it is a core component of the specifications. All products implementing OPC-UA must implement OPC-UA security, and although "none" is still an option, choosing it is now a conscious configuration decision that can be reversed as easily as it was made. OPC-UA leverages today's security standards, including message signing and encryption and identity certificates, and security is enforced at the application level rather than left to the transport. Clients and servers exchange application-instance certificates, based on the X.509 standard, in order to establish a secure channel with each other; a peer that does not trust the other side's certificate refuses the connection, so managing certificate trust lists is part of commissioning a UA system.

OPC-UA clearly changes the way security will be implemented in future UA-based automation systems, making them more secure by giving the process engineer the ability to design and implement the flow of data with application-to-application security, including communications with embedded systems and devices. Higher-level applications, for example HMI/SCADA, will implement additional user-based security on top of this, typically based on Microsoft standards. OPC-UA-based products started reaching the market in 2008 and are available from a variety of vendors at all levels of the application spectrum.
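The point that "none" must be a deliberate choice is easiest to see on the client side, where a UA client asks a server for its endpoints and then decides which one to open a secure channel on. The following is an added example written for this page, not code from the article or from any OPC Foundation stack. It uses only the Python standard library; the endpoint list and the certificate bytes are constructed stand-ins (a real client would feed in the result of the GetEndpoints service and would hold real DER-encoded X.509 certificates). The security policy URIs and the MessageSecurityMode values come from the OPC UA specification; the Aes* policies and the deprecation of Basic128Rsa15 and Basic256 come from revisions of the specification later than the ones discussed above, so the ranking goes beyond what the text itself covers. The names Endpoint, select_endpoint, security_rank and TRUST_LIST are this example's own.

```python
"""Client-side endpoint selection for OPC UA: make 'None' an explicit choice.

Added example; the endpoint list and certificate bytes below are constructed
stand-ins, not data captured from a real server.
"""
import hashlib
from dataclasses import dataclass

# MessageSecurityMode values from the OPC UA specification.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"

# Policies a client should accept, strongest first. The Aes* policies were
# introduced in specification revisions later than the ones the article covers.
ACCEPTED_POLICIES = ("Aes256_Sha256_RsaPss", "Aes128_Sha256_RsaOaep", "Basic256Sha256")
# SHA-1 based policies the OPC Foundation has since deprecated.
DEPRECATED_POLICIES = ("Basic256", "Basic128Rsa15")
SECURE_THRESHOLD = len(ACCEPTED_POLICIES)  # ranks below this are acceptable by default


@dataclass(frozen=True)
class Endpoint:
    """Subset of an EndpointDescription as returned by the GetEndpoints service."""
    url: str
    policy_uri: str
    mode: int
    server_cert_der: bytes


def thumbprint(der: bytes) -> str:
    """OPC UA identifies a certificate by the SHA-1 hash of its DER encoding."""
    return hashlib.sha1(der).hexdigest().upper()


def policy_name(uri: str) -> str:
    if not uri.startswith(POLICY_PREFIX):
        raise ValueError(f"not an OPC UA security policy URI: {uri}")
    return uri[len(POLICY_PREFIX):]


def security_rank(ep: Endpoint) -> int:
    """Lower is better. Only SignAndEncrypt with an accepted policy is fully secure."""
    name = policy_name(ep.policy_uri)
    if name in ACCEPTED_POLICIES and ep.mode == MODE_SIGN_AND_ENCRYPT:
        return ACCEPTED_POLICIES.index(name)
    if name in ACCEPTED_POLICIES and ep.mode == MODE_SIGN:
        return 10 + ACCEPTED_POLICIES.index(name)  # integrity only; process data in clear
    if name in DEPRECATED_POLICIES and ep.mode != MODE_NONE:
        return 20 + DEPRECATED_POLICIES.index(name)
    return 99  # SecurityPolicy None, MessageSecurityMode None, or an unknown policy


def select_endpoint(endpoints, trusted_thumbprints, allow_insecure=False):
    """Choose the endpoint to connect to.

    Returns (endpoint, rejections); rejections is a list of (url, reason) so that
    every endpoint passed over, and any fall-back to insecure, shows up in the log.
    Raises ConnectionRefusedError instead of silently falling back to 'None'.
    """
    rejections, candidates = [], []
    for ep in endpoints:
        tp = thumbprint(ep.server_cert_der)
        if tp not in trusted_thumbprints:
            rejections.append((ep.url, f"server certificate {tp[:8]}... not in trust list"))
            continue
        candidates.append((security_rank(ep), ep))
    for rank, ep in sorted(candidates, key=lambda c: c[0]):
        if rank < SECURE_THRESHOLD:
            return ep, rejections
        if allow_insecure:
            rejections.append((ep.url, "WARNING: connecting without full message security"))
            return ep, rejections
        rejections.append((ep.url, f"{policy_name(ep.policy_uri)}/mode {ep.mode}: "
                                   "not SignAndEncrypt with an accepted policy"))
    raise ConnectionRefusedError("no acceptable endpoint; pass allow_insecure=True to override deliberately")


# Constructed certificate bytes standing in for DER-encoded X.509 certificates.
PLANT_SERVER_CERT = b"constructed-der: CN=plant-historian-ua"
ROGUE_SERVER_CERT = b"constructed-der: CN=unknown-device"
TRUST_LIST = {thumbprint(PLANT_SERVER_CERT)}

# Constructed GetEndpoints response: one server offering several endpoints.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://historian:4840/none", POLICY_PREFIX + "None", MODE_NONE, PLANT_SERVER_CERT),
    Endpoint("opc.tcp://historian:4840/legacy", POLICY_PREFIX + "Basic128Rsa15", MODE_SIGN_AND_ENCRYPT, PLANT_SERVER_CERT),
    Endpoint("opc.tcp://historian:4840/sign", POLICY_PREFIX + "Basic256Sha256", MODE_SIGN, PLANT_SERVER_CERT),
    Endpoint("opc.tcp://historian:4840/secure", POLICY_PREFIX + "Basic256Sha256", MODE_SIGN_AND_ENCRYPT, PLANT_SERVER_CERT),
    Endpoint("opc.tcp://historian:4840/rogue", POLICY_PREFIX + "Aes256_Sha256_RsaPss", MODE_SIGN_AND_ENCRYPT, ROGUE_SERVER_CERT),
]

if __name__ == "__main__":
    chosen, rejected = select_endpoint(SAMPLE_ENDPOINTS, TRUST_LIST)
    print("connect to", chosen.url, policy_name(chosen.policy_uri), "mode", chosen.mode)
    for url, reason in rejected:
        print("skipped", url, "-", reason)
```

Two design choices carry the article's point. First, the strongest-looking endpoint (the rogue one offering Aes256_Sha256_RsaPss) is discarded before ranking because its certificate is not in the trust list; a cipher suite is worthless if the peer is not the one you commissioned. Second, when nothing acceptable is left the function raises rather than quietly taking the "None" endpoint, and the only way to connect insecurely is to pass allow_insecure=True, which also leaves a WARNING entry in the returned log. That is what "a conscious decision that can be reversed as easily as it was chosen" looks like in a client.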


Starting in 2008, several vendors recognized the need for a higher-level interoperability standard, leveraging the latest .NET development tools and Microsoft standards such as Windows Communication Foundation (WCF). This technology is intended to be used between higher-level applications, such as HMI/SCADA, communication drivers, historians and higher-level business systems. It was adopted by the OPC Foundation early in 2010, and is now known as OPC-Express Interface (OPC-Xi). Unlike OPC-UA, which delivers sample code along with its specifications in order to deliver the functionality a developer requires for products from server to sensor level, OPC-Xi is primarily a specification that leverages available new technologies on the higher-level platforms.

The benefit of OPC-Xi is that it unifies the OPC Classic specifications and leverages current Microsoft technologies as the data transport, both within a PC and across any distributed architecture. Security is implemented as in any other WCF application, so the transport security, certificates and bindings are the ones existing IT personnel already know how to configure and audit. OPC-Xi products are being showcased today.

Both OPC-UA and OPC-Xi are designed with current security standards, encryption and authentication in mind. Both enable communications across intranet- and Internet-based environments, thereby essentially rendering separate tunneling products unnecessary, provided the secure modes are actually configured rather than left at "none".

OPC's Future

What's the future of OPC? Well, a brief review of its history may show where it's going. Thomas Burke, president of the OPC Foundation, explains that, "After being introduced back in 1996, OPC has become the interoperability standard at the level above fieldbus and vendor protocol levels. The OPC Foundation now boasts over 400 members, distributed worldwide. There are thousands of OPC-compatible products on the market and OPC implementations numbering in the millions of nodes."

He adds, "The adoption of new OPC Technologies will likely be different from the days of OPC Classic. In the past, interoperability within the walls of the plant was the Holy Grail. It was OPC that delivered a common way to connect systems from disparate vendors, even systems from competitors. Today, this interoperability is largely taken for granted, and we are now faced with new challenges, primarily centered on system security."

The security we need in future automation systems will differ from what we need today, because we will be exchanging data across public networks. Automation systems will be bridging to smart-grid control systems. They will make better use of real-time information from public sources, such as weather, dynamic raw material costs and new variable energy costs. In addition, enhanced and reliable communications over the Internet will enable new levels of outsourced services, enabling system integrators and other service providers to securely access the information they need for performance optimization, compliance reporting, equipment maintenance, etc.

However, while systems are being enhanced through OPC improvements and the ability to leverage new technologies, it is still incumbent on the design engineer to learn the technologies, involve the right IT personnel and implement the tools to their fullest capability. The security of a system is only as good as the engineers who implement it.

Training is also essential to understanding the new technologies. More important, training will show you what you don't know. Any engineer can tinker until something works, but today, with widely distributed systems, it is the attention to detail that will make all the difference.

Roy Kok is a consultant with

