OPC UA: Architecture and Industrial Use Cases
Key Takeaway
OPC UA (Unified Architecture) is a platform-independent, secure communication framework for industrial automation that replaces legacy OPC Classic (COM/DCOM). OPC UA provides a standardized information model, built-in security with X.509 certificates, and support for client-server and publish-subscribe communication patterns. It enables interoperable data exchange between PLCs, SCADA systems, MES, ERP, and cloud platforms across multiple vendor ecosystems.
From OPC Classic to OPC UA
OPC Classic (OLE for Process Control) was the first widely adopted standard for industrial data exchange, enabling SCADA software to read data from PLCs and DCS systems regardless of vendor. However, OPC Classic relied on Microsoft COM/DCOM technology, limiting it to Windows platforms and creating persistent configuration challenges with DCOM security settings, firewall traversal, and remote access. OPC UA (Unified Architecture), released in 2008 and continuously enhanced, is a complete redesign that eliminates the Windows dependency, adds built-in security, and introduces a rich information modeling framework. OPC UA runs on Linux, Windows, embedded systems, and cloud platforms.
OPC UA Architecture
OPC UA is not simply a communication protocol but a comprehensive framework for modeling and exchanging industrial data. Its architecture consists of four key pillars: the transport layer, the security model, the information model, and the service set.
Transport Options
- OPC UA TCP (opc.tcp://): Binary-encoded messages over TCP. Most efficient for machine-to-machine communication with minimal overhead. Default port 4840
- HTTPS (https://): Binary or XML-encoded messages over HTTPS (opc.https). Firewall-friendly and compatible with web infrastructure, at higher overhead than opc.tcp. The SOAP/XML web-service transport of earlier versions was deprecated in OPC UA 1.04 and should not be relied on for new deployments
- OPC UA over MQTT: Pub-sub transport using MQTT brokers for cloud integration and multi-subscriber scenarios. Defined in OPC UA Part 14
- OPC UA over TSN: Time-Sensitive Networking for deterministic real-time communication on converged IT/OT Ethernet. Emerging standard for next-generation factory automation
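The opc.tcp handshake is small enough to show on the wire. The block below is an added example, not code from this page or from any OPC UA stack: it builds and parses the Hello, Acknowledge and Error messages a client and server exchange before any SecureChannel exists, following the Part 6 binary layout. The endpoint URL, buffer sizes and the 16 MiB local size cap are constructed values for the demo. The framing check on MessageSize is the part worth copying: it is the first thing a server should validate on an untrusted connection.

```python
"""OPC UA TCP (opc.tcp) handshake messages: Hello, Acknowledge and Error, laid out as
in the Part 6 binary transport (3-byte MessageType, 'F' reserved byte, UInt32
MessageSize, then the body, all little-endian). Added example; the endpoint URL,
buffer sizes and the local size cap are constructed values, not spec constants."""
import struct

HEADER_LEN = 8                          # MessageType(3) + Reserved(1) + MessageSize(4)
MAX_ACCEPTED_SIZE = 16 * 1024 * 1024    # local policy cap for this demo, not a protocol value
MAX_ENDPOINT_URL = 4096                 # Part 6: Hello.EndpointUrl may not exceed 4096 bytes
HELLO_FIELDS = ("ProtocolVersion", "ReceiveBufferSize", "SendBufferSize",
                "MaxMessageSize", "MaxChunkCount")


def encode_string(text):
    """OPC UA String: Int32 byte length, then UTF-8 bytes; length -1 encodes null."""
    if text is None:
        return struct.pack("<i", -1)
    data = text.encode("utf-8")
    return struct.pack("<i", len(data)) + data


def decode_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack_from("<i", buf, off)
    off += 4
    if length == -1:
        return None, off
    if length < 0 or off + length > len(buf):
        raise ValueError("string length %d runs past the end of the message" % length)
    return buf[off:off + length].decode("utf-8"), off + length


def _frame(msg_type, body):
    return msg_type + b"F" + struct.pack("<I", HEADER_LEN + len(body)) + body


def build_hello(endpoint_url, receive_buf=65536, send_buf=65536, max_message=0,
                max_chunks=0, protocol_version=0):
    """Client -> server. Zero MaxMessageSize/MaxChunkCount means 'no limit'."""
    body = struct.pack("<IIIII", protocol_version, receive_buf, send_buf, max_message, max_chunks)
    return _frame(b"HEL", body + encode_string(endpoint_url))


def build_acknowledge(receive_buf=65536, send_buf=65536, max_message=0, max_chunks=0,
                      protocol_version=0):
    """Server -> client reply: the same five UInt32 fields, no URL."""
    return _frame(b"ACK", struct.pack("<IIIII", protocol_version, receive_buf, send_buf,
                                      max_message, max_chunks))


def build_error(code, reason):
    """Server -> client: UInt32 status code plus a String reason."""
    return _frame(b"ERR", struct.pack("<I", code) + encode_string(reason))


def parse_message(buf):
    """Parse one complete HEL/ACK/ERR message, validating the framing before the body."""
    if len(buf) < HEADER_LEN:
        raise ValueError("shorter than the 8-byte header")
    msg_type = buf[0:3].decode("ascii", errors="replace")
    (size,) = struct.unpack_from("<I", buf, 4)
    if size > MAX_ACCEPTED_SIZE:
        raise ValueError("MessageSize %d exceeds the local cap" % size)
    if size != len(buf):
        # Never trust MessageSize blindly: a mismatch is a malformed or truncated message.
        raise ValueError("MessageSize says %d bytes, %d received" % (size, len(buf)))
    if msg_type in ("HEL", "ACK"):
        if len(buf) < HEADER_LEN + 20:
            raise ValueError("truncated %s fields" % msg_type)
        out = dict(zip(HELLO_FIELDS, struct.unpack_from("<IIIII", buf, HEADER_LEN)))
        off = HEADER_LEN + 20
        if msg_type == "HEL":
            url, off = decode_string(buf, off)
            if url is not None and len(url.encode("utf-8")) > MAX_ENDPOINT_URL:
                raise ValueError("EndpointUrl longer than %d bytes" % MAX_ENDPOINT_URL)
            out["EndpointUrl"] = url
    elif msg_type == "ERR":
        if len(buf) < HEADER_LEN + 4:
            raise ValueError("truncated ERR fields")
        (code,) = struct.unpack_from("<I", buf, HEADER_LEN)
        reason, off = decode_string(buf, HEADER_LEN + 4)
        out = {"Error": "0x%08X" % code, "Reason": reason}
    else:
        raise ValueError("unexpected MessageType %r" % msg_type)
    if off != size:
        raise ValueError("%d trailing bytes after the body" % (size - off))
    out["MessageType"] = msg_type
    return out
```

These three messages are exchanged before the SecureChannel is opened, so they travel in clear whatever security policy the endpoint uses; that is why a scanner can fingerprint an OPC UA server on port 4840 from its ACK alone, and why the size and length checks above must not assume a friendly peer.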
Security Model
OPC UA integrates security as a core architecture element rather than an afterthought. Every OPC UA application has an Application Instance Certificate (X.509) that identifies it uniquely. Communication between client and server establishes a SecureChannel with configurable security policies.
- Authentication: The Application Instance Certificate authenticates the application when the SecureChannel is opened; the user is authenticated separately when the session is activated, with an Anonymous, username/password, X.509 user certificate or issued token (for example JWT). Disable Anonymous access on production servers, and note that a password token is encrypted with the server's certificate only if the endpoint's UserTokenPolicy names a security policy, so never rely on password logins over a None channel
- Encryption: AES-128 or AES-256 for message confidentiality, with the symmetric keys derived from nonces exchanged in the OpenSecureChannel handshake. The security policy fixes the algorithm suite
- Signing: Asymmetric signatures (RSA in the policies below, ECC in the newer ECC policies) protect the OpenSecureChannel exchange, and every subsequent message carries an HMAC-SHA256 signature under the derived keys, so tampering is detected
- Security policies: None (no security), Basic128Rsa15 and Basic256 (deprecated because they rely on SHA-1, but still shipped by many products), Basic256Sha256 (recommended minimum), Aes128_Sha256_RsaOaep and Aes256_Sha256_RsaPss. The policy is only half of the setting: the MessageSecurityMode must be SignAndEncrypt, since Sign alone gives integrity without confidentiality, and a server commonly exposes a None endpoint next to its secured ones unless that endpoint is explicitly removed
- Certificate trust: Applications maintain trust lists (and revocation lists) of accepted certificates and reject anything else, which blocks unauthorized peers. Many stacks ship with automatic trusting of unknown certificates enabled to ease commissioning; turn that off, and check that the ApplicationUri in the certificate's Subject Alternative Name matches the ApplicationUri the peer presents in its endpoint description
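What a hardened client should do with a server's endpoint list is best shown in code. The block below is an added example, not code from this page or from any OPC UA SDK: it ranks the endpoints a server would return from GetEndpoints, applies the checks listed above (policy floor, SignAndEncrypt, trust-list match by SHA-1 thumbprint) and returns the strongest endpoint that passes. The endpoint list, the URL and the certificate bytes are constructed stand-ins; in practice the trust list holds DER-encoded X.509 certificates, and the endpoint's user-token policies would be checked as well.

```python
"""Client-side endpoint selection with the checks a hardened OPC UA client should make
before opening a SecureChannel: reject SecurityPolicy None and the deprecated SHA-1
policies, insist on MessageSecurityMode SignAndEncrypt, and only trust a server whose
Application Instance Certificate is on the local trust list (matched by SHA-1
thumbprint, as OPC UA trust stores do). Added example; the endpoint list and the
certificate bytes are constructed stand-ins, not data from a real server."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
POLICY_RANK = {                     # higher rank = stronger; the two SHA-1 policies are deprecated
    POLICY_BASE + "None": 0,
    POLICY_BASE + "Basic128Rsa15": 1,
    POLICY_BASE + "Basic256": 2,
    POLICY_BASE + "Basic256Sha256": 3,
    POLICY_BASE + "Aes128_Sha256_RsaOaep": 4,
    POLICY_BASE + "Aes256_Sha256_RsaPss": 5,
}
MIN_RANK = POLICY_RANK[POLICY_BASE + "Basic256Sha256"]
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3   # MessageSecurityMode enumeration (Part 4)


@dataclass
class EndpointDescription:
    endpoint_url: str
    security_policy_uri: str
    security_mode: int
    server_certificate: bytes       # DER bytes as carried in the EndpointDescription


def thumbprint(der: bytes) -> str:
    """OPC UA trust stores identify certificates by the SHA-1 digest of the DER encoding."""
    return hashlib.sha1(der).hexdigest().upper()


def select_endpoint(endpoints: List[EndpointDescription],
                    trust_list: List[bytes]) -> Tuple[Optional[EndpointDescription], List[Tuple[str, str, str]]]:
    """Return (strongest acceptable endpoint or None, list of (url, policy, reason) rejections)."""
    trusted = {thumbprint(der) for der in trust_list}
    best, rejected = None, []
    for ep in endpoints:
        rank = POLICY_RANK.get(ep.security_policy_uri)
        policy = ep.security_policy_uri.rsplit("#", 1)[-1]
        if rank is None:
            reason = "unknown security policy"
        elif rank < MIN_RANK:
            reason = "policy below Basic256Sha256 (None or deprecated SHA-1 policy)"
        elif ep.security_mode != MODE_SIGN_AND_ENCRYPT:
            reason = "MessageSecurityMode is not SignAndEncrypt"
        elif thumbprint(ep.server_certificate) not in trusted:
            reason = "server certificate not in trust list"
        else:
            reason = None
        if reason:
            rejected.append((ep.endpoint_url, policy, reason))
        elif best is None or rank > POLICY_RANK[best.security_policy_uri]:
            best = ep
    return best, rejected


# Constructed certificate stand-ins; a real trust list holds DER-encoded X.509 certificates.
TRUSTED_SERVER_CERT = b"constructed-der-bytes:plc-line1-server-cert"
ROGUE_CERT = b"constructed-der-bytes:unknown-cert"
URL = "opc.tcp://plc-line1.example:4840"    # constructed endpoint URL


def demo_endpoints() -> List[EndpointDescription]:
    """The kind of list a commissioning-default server exposes: None next to secured endpoints."""
    return [
        EndpointDescription(URL, POLICY_BASE + "None", MODE_NONE, TRUSTED_SERVER_CERT),
        EndpointDescription(URL, POLICY_BASE + "Basic128Rsa15", MODE_SIGN_AND_ENCRYPT, TRUSTED_SERVER_CERT),
        EndpointDescription(URL, POLICY_BASE + "Basic256Sha256", MODE_SIGN, TRUSTED_SERVER_CERT),
        EndpointDescription(URL, POLICY_BASE + "Basic256Sha256", MODE_SIGN_AND_ENCRYPT, TRUSTED_SERVER_CERT),
        # Strongest policy on paper, but presented with a certificate this client never trusted,
        # which is what an interposed host offering its own endpoint list would look like.
        EndpointDescription(URL, POLICY_BASE + "Aes256_Sha256_RsaPss", MODE_SIGN_AND_ENCRYPT, ROGUE_CERT),
    ]


if __name__ == "__main__":
    chosen, rejected = select_endpoint(demo_endpoints(), [TRUSTED_SERVER_CERT])
    print("chosen:", chosen and (chosen.security_policy_uri, chosen.security_mode))
    for url, policy, reason in rejected:
        print("rejected %s [%s]: %s" % (url, policy, reason))
```

The point the constructed list makes is that "strongest policy wins" is the wrong rule on its own: the Aes256_Sha256_RsaPss endpoint loses to Basic256Sha256 because its certificate is not trusted, and with an empty trust list nothing is chosen at all, which is the correct failure mode for a client that has not been commissioned yet.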
Information Modeling
OPC UA's information model is perhaps its most significant innovation. Rather than exposing raw register values like Modbus or tag lists like OPC Classic, OPC UA models data in a rich, hierarchical address space that describes what the data represents, its engineering units, its data type, and its relationships to other data. This self-describing data model enables clients to browse and understand a server's data without prior configuration or external documentation.
Key Information Model Concepts
- Nodes: Everything in OPC UA is a node: variables, objects, methods, data types, and references. Each node has attributes including a NodeId, BrowseName, DisplayName, and Description
- Object types: Define templates for real-world objects. A MotorType might contain Speed, Current, Temperature, and RunningStatus variables plus Start() and Stop() methods
- Companion specifications: Industry-specific information models standardized by organizations like VDMA (packaging machines), AutoID (RFID/barcode), PLCopen (motion control), and ISA-95 (MES integration)
- Namespaces: Each vendor or specification defines its information model in a namespace, preventing naming conflicts. The OPC Foundation base namespace (index 0) defines core types
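The concepts above fit in a small in-memory model. The block below is an added example, not code from this page or from any OPC UA stack: it defines NodeIds in their string form, stores references in both directions, builds a MotorType with the components mentioned above, instantiates it as Motor1 under the Objects folder, and browses the result the way a client with no prior knowledge of the server would. MotorType, Motor1 and namespace index 2 are constructed; the namespace-0 numeric ids used (85 Objects, 58 BaseObjectType, 35 Organizes, 45 HasSubtype, 47 HasComponent, 40 HasTypeDefinition) are the standard ones.

```python
"""Miniature OPC UA address space: nodes keyed by NodeId, references stored in both
directions, an ObjectType (MotorType) instantiated into an Object, and a Browse over
the result. Added example; MotorType, Motor1 and namespace 2 are constructed, the
namespace-0 ids (85 Objects, 58 BaseObjectType, 35 Organizes, 45 HasSubtype,
47 HasComponent, 40 HasTypeDefinition) are the standard ones."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class NodeId:
    ns: int
    identifier: Any                     # int -> numeric "i=", str -> string "s="

    def __str__(self) -> str:
        tag = "i" if isinstance(self.identifier, int) else "s"
        return "ns=%d;%s=%s" % (self.ns, tag, self.identifier)

    @classmethod
    def parse(cls, text: str) -> "NodeId":
        """Accepts 'ns=2;s=Motor1.Speed' and the short namespace-0 form 'i=85'."""
        ns, rest = 0, text
        if text.startswith("ns="):
            ns_part, rest = text.split(";", 1)
            ns = int(ns_part[3:])
        tag, ident = rest.split("=", 1)
        if tag not in ("i", "s"):
            raise ValueError("unsupported NodeId form: %r" % text)
        return cls(ns, int(ident) if tag == "i" else ident)

OBJECTS_FOLDER, BASE_OBJECT_TYPE = NodeId(0, 85), NodeId(0, 58)
ORGANIZES, HAS_SUBTYPE = NodeId(0, 35), NodeId(0, 45)
HAS_COMPONENT, HAS_TYPE_DEFINITION = NodeId(0, 47), NodeId(0, 40)

@dataclass
class Node:
    node_id: NodeId
    node_class: str                     # Object, Variable, Method or ObjectType
    browse_name: str                    # QualifiedName written as "<ns>:<name>"
    display_name: str
    data_type: str = ""                 # Variables only
    value: Any = None
    refs: List[Tuple[NodeId, NodeId, bool]] = field(default_factory=list)  # (type, target, forward)

class AddressSpace:
    def __init__(self):
        self.nodes: Dict[NodeId, Node] = {}
        self.add(Node(OBJECTS_FOLDER, "Object", "0:Objects", "Objects"))
        self.add(Node(BASE_OBJECT_TYPE, "ObjectType", "0:BaseObjectType", "BaseObjectType"))

    def add(self, node: Node) -> Node:
        self.nodes[node.node_id] = node
        return node

    def add_reference(self, source: NodeId, ref_type: NodeId, target: NodeId) -> None:
        """Stored on both ends so Browse can walk forward and inverse references."""
        self.nodes[source].refs.append((ref_type, target, True))
        self.nodes[target].refs.append((ref_type, source, False))

    def type_definition(self, node_id: NodeId) -> Optional[NodeId]:
        hits = [t for rt, t, fwd in self.nodes[node_id].refs if fwd and rt == HAS_TYPE_DEFINITION]
        return hits[0] if hits else None

    def browse(self, node_id: NodeId, forward: bool = True,
               ref_type: Optional[NodeId] = None) -> List[Dict[str, str]]:
        """Browse service: ReferenceDescriptions of one node, optionally filtered by reference type."""
        out = []
        for rt, target, fwd in self.nodes[node_id].refs:
            if fwd != forward or (ref_type is not None and rt != ref_type):
                continue
            t, type_def = self.nodes[target], self.type_definition(target)
            out.append({"ReferenceTypeId": str(rt), "NodeId": str(t.node_id), "BrowseName": t.browse_name,
                        "NodeClass": t.node_class, "TypeDefinition": str(type_def) if type_def else ""})
        return out

    def instantiate(self, type_id: NodeId, ns: int, name: str, parent: NodeId) -> Node:
        """Create an Object from an ObjectType: copy its components, link HasTypeDefinition."""
        obj = self.add(Node(NodeId(ns, name), "Object", "%d:%s" % (ns, name), name))
        self.add_reference(parent, ORGANIZES, obj.node_id)
        self.add_reference(obj.node_id, HAS_TYPE_DEFINITION, type_id)
        for rt, target, fwd in list(self.nodes[type_id].refs):
            if fwd and rt == HAS_COMPONENT:
                tmpl = self.nodes[target]
                comp = self.add(Node(NodeId(ns, "%s.%s" % (name, tmpl.display_name)), tmpl.node_class,
                                     tmpl.browse_name, tmpl.display_name, tmpl.data_type, tmpl.value))
                self.add_reference(obj.node_id, HAS_COMPONENT, comp.node_id)
        return obj

def build_motor_space() -> AddressSpace:
    """MotorType (Speed, RunningStatus, Start()) under BaseObjectType, instantiated as Motor1."""
    space = AddressSpace()
    motor_type = space.add(Node(NodeId(2, "MotorType"), "ObjectType", "2:MotorType", "MotorType"))
    space.add_reference(BASE_OBJECT_TYPE, HAS_SUBTYPE, motor_type.node_id)
    for comp in (Node(NodeId(2, "MotorType.Speed"), "Variable", "2:Speed", "Speed", "Double", 0.0),
                 Node(NodeId(2, "MotorType.RunningStatus"), "Variable", "2:RunningStatus",
                      "RunningStatus", "Boolean", False),
                 Node(NodeId(2, "MotorType.Start"), "Method", "2:Start", "Start")):
        space.add(comp)
        space.add_reference(motor_type.node_id, HAS_COMPONENT, comp.node_id)
    space.instantiate(motor_type.node_id, 2, "Motor1", OBJECTS_FOLDER)
    return space
```

Browsing the Objects folder returns Motor1 together with its TypeDefinition (ns=2;s=MotorType), so a client can fetch the type once and know that every instance carries Speed, RunningStatus and Start() without reading vendor documentation. That same discoverability is what makes an unauthenticated Browse on a None endpoint so useful to an attacker: the address space describes the plant for them.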
Client-Server Communication
OPC UA's client-server model supports multiple interaction patterns optimized for different use cases:
- Browse: Clients discover the server's address space by browsing the node hierarchy, similar to navigating a file system
- Read/Write: Direct read and write of node values. The most basic data access pattern, similar to Modbus register read/write
- Subscriptions and monitored items: Clients create a subscription and attach monitored items to it. Each monitored item has its own sampling interval and optional data-change filter (for example a deadband), and the server queues a notification only when the sampled value passes the filter; the subscription's publishing interval determines how often queued notifications are sent, with keep-alive messages when nothing has changed. Traffic therefore scales with actual change rather than with polling rate
- Method calls: Clients invoke methods on server objects to trigger actions (start a motor, acknowledge an alarm, initiate a batch). Input and output parameters are type-checked
- Historical access: Read historical values and events from embedded historians. Supports raw, interpolated, and aggregated historical data retrieval
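The distinction between sampling and publishing is easiest to see in a simulation. The block below is an added example with a simulated clock, not the code of any OPC UA stack: one monitored item samples a temperature every 100 ms with an absolute deadband of 0.5, and the subscription publishes every 500 ms with a MaxKeepAliveCount of 2. The temperature trace, node id and intervals are constructed for the demo.

```python
"""Simulation of the OPC UA subscription model: each MonitoredItem samples its node at
its own SamplingInterval and applies a DataChangeFilter (absolute deadband here) before
queuing a notification; the Subscription publishes whatever is queued at its
PublishingInterval, sends nothing when nothing changed, and emits a KeepAlive only
after MaxKeepAliveCount empty cycles. Added example with a simulated clock and a
constructed temperature trace; it is not the code of any OPC UA stack."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class MonitoredItem:
    node_id: str
    read: Callable[[], float]           # reads the node's current value
    sampling_interval_ms: int
    deadband_abs: float = 0.0           # DataChangeFilter: report only if |new - last| > deadband
    queue_size: int = 10
    last_reported: Optional[float] = None
    next_sample_ms: int = 0
    queue: List[Dict] = field(default_factory=list)

    def sample(self, now_ms: int) -> None:
        if now_ms < self.next_sample_ms:
            return
        self.next_sample_ms = now_ms + self.sampling_interval_ms
        value = self.read()
        # The first sample is always reported; later ones only when they leave the deadband.
        if self.last_reported is not None and abs(value - self.last_reported) <= self.deadband_abs:
            return
        self.last_reported = value
        if len(self.queue) >= self.queue_size:
            self.queue.pop(0)            # DiscardOldest; a real stack also sets the Overflow bit
        self.queue.append({"NodeId": self.node_id, "SourceTimestamp": now_ms, "Value": value})


class Subscription:
    def __init__(self, publishing_interval_ms: int, max_keep_alive_count: int = 10):
        self.publishing_interval_ms = publishing_interval_ms
        self.max_keep_alive_count = max_keep_alive_count
        self.items: List[MonitoredItem] = []
        self.next_publish_ms = publishing_interval_ms
        self.sequence_number = 1
        self.empty_cycles = 0

    def add_item(self, item: MonitoredItem) -> None:
        self.items.append(item)

    def tick(self, now_ms: int) -> Optional[Dict]:
        """Advance the simulated clock; returns a NotificationMessage when one is due."""
        for item in self.items:
            item.sample(now_ms)
        if now_ms < self.next_publish_ms:
            return None
        self.next_publish_ms += self.publishing_interval_ms
        changes = []
        for item in self.items:
            changes.extend(item.queue)
            item.queue = []
        if changes:
            self.empty_cycles = 0
            msg = {"SequenceNumber": self.sequence_number, "Notifications": changes}
            self.sequence_number += 1
            return msg
        self.empty_cycles += 1
        if self.empty_cycles >= self.max_keep_alive_count:
            self.empty_cycles = 0
            # A KeepAlive carries the next sequence number but does not consume it.
            return {"SequenceNumber": self.sequence_number, "KeepAlive": True}
        return None


# Constructed temperature trace (step-hold): noise under the deadband, a real step at
# 300 ms, a jump at 1600 ms.
TRACE = {0: 20.0, 100: 20.2, 200: 20.3, 300: 21.0, 400: 21.1, 500: 21.2, 1100: 21.3, 1600: 30.0}


def sensor_value(t_ms: int) -> float:
    return TRACE[max(t for t in TRACE if t <= t_ms)]


def run_demo(end_ms: int = 2000, step_ms: int = 100) -> List[Dict]:
    clock = {"now": 0}
    sub = Subscription(publishing_interval_ms=500, max_keep_alive_count=2)
    sub.add_item(MonitoredItem("ns=2;s=Motor1.Temperature", lambda: sensor_value(clock["now"]),
                               sampling_interval_ms=100, deadband_abs=0.5))
    messages = []
    for t in range(0, end_ms + 1, step_ms):
        clock["now"] = t
        msg = sub.tick(t)
        if msg:
            messages.append(msg)
    return messages
```

Over two simulated seconds run_demo() turns twenty-one samples into three messages: one carrying the initial value and the 21.0 step, a KeepAlive after two empty publish cycles, and one carrying the jump to 30.0. The same knobs (deadband, sampling interval, publishing interval, queue size) are also a server's defence against a client that creates thousands of fast-sampling monitored items, so production servers should cap them per session.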
Publish-Subscribe (Pub-Sub)
OPC UA Pub-Sub extends the architecture beyond client-server to one-to-many and many-to-many data distribution. Publishers send data to topics without knowing who subscribes; subscribers receive data from topics without knowing who publishes. Pub-Sub uses either UDP multicast (UADP encoding) for local network distribution or MQTT/AMQP brokers for wide-area and cloud distribution. This pattern suits IIoT scenarios where thousands of devices share data with multiple consumers simultaneously. Pub-Sub has no SecureChannel: Part 14 defines its own message signing and encryption with group keys distributed by a Security Key Service, and broker-based deployments additionally depend on TLS to the broker and on the broker's authentication and topic access controls. An unprotected broker lets anyone publish data in a trusted publisher's name.
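Since the broker path has no SecureChannel, a subscriber has to do its own plausibility checks on what arrives. The block below is an added example, not the code of any OPC UA Pub-Sub stack: it builds JSON NetworkMessages in the Part 14 layout (MessageId, MessageType "ua-data", PublisherId, and Messages carrying DataSetWriterId, SequenceNumber, Timestamp and Payload) and a subscriber that accepts only allow-listed publishers and tracks per-writer sequence numbers, with UInt16 wrap-around, so replayed or duplicated messages are dropped. The publisher ids, writer ids, timestamps and payloads are constructed.

```python
"""Subscriber-side validation of OPC UA Pub-Sub JSON NetworkMessages as carried over
MQTT (Part 14 JSON mapping). A broker relays whatever it is sent, so the subscriber
keeps per-(PublisherId, DataSetWriterId) sequence state to drop replayed or duplicated
DataSetMessages and accepts only allow-listed publishers. Added example; messages,
publisher ids and payloads are constructed, not captured traffic."""
import json
import uuid
from typing import Dict, List, Optional, Tuple

SEQ_MODULUS = 1 << 16   # DataSetMessage SequenceNumber is a UInt16 and wraps


def build_network_message(publisher_id: str, writer_id: int, seq: int,
                          payload: Dict, timestamp: str) -> str:
    """One NetworkMessage with a single DataSetMessage, as a publisher would put on the topic."""
    return json.dumps({
        "MessageId": str(uuid.uuid4()),
        "MessageType": "ua-data",
        "PublisherId": publisher_id,
        "Messages": [{
            "DataSetWriterId": writer_id,
            "SequenceNumber": seq % SEQ_MODULUS,
            "Timestamp": timestamp,
            "Payload": payload,
        }],
    })


def is_newer(seq: int, last: int) -> bool:
    """Wrap-aware: seq is newer than last if it is ahead by less than half the range."""
    return 0 < (seq - last) % SEQ_MODULUS < SEQ_MODULUS // 2


class SubscriberState:
    def __init__(self, allowed_publishers):
        self.allowed = set(allowed_publishers)
        self.last_seq: Dict[Tuple[str, int], int] = {}

    def accept(self, raw: str) -> Tuple[List[Dict], Optional[str]]:
        """Returns (accepted payloads, rejection reason or None). Stops at the first bad DataSetMessage."""
        try:
            msg = json.loads(raw)
        except ValueError:
            return [], "not valid JSON"
        if msg.get("MessageType") != "ua-data":
            return [], "unexpected MessageType %r" % (msg.get("MessageType"),)
        publisher = msg.get("PublisherId")
        if publisher not in self.allowed:
            return [], "publisher %r not on the allow list" % (publisher,)
        accepted = []
        for ds in msg.get("Messages", []):
            writer, seq = ds.get("DataSetWriterId"), ds.get("SequenceNumber")
            if not isinstance(writer, int) or not isinstance(seq, int):
                return accepted, "DataSetMessage without DataSetWriterId/SequenceNumber"
            last = self.last_seq.get((publisher, writer))
            if last is not None and not is_newer(seq, last):
                return accepted, "replayed or out-of-order SequenceNumber %d (last %d) for writer %d" % (
                    seq, last, writer)
            self.last_seq[(publisher, writer)] = seq
            accepted.append(ds.get("Payload", {}))
        return accepted, None
```

The allow list is only a plausibility check, since a PublisherId is a plain string anyone can put in a message; it catches misconfiguration and casual spoofing, while real authenticity on a broker path comes from the Part 14 message security or from the broker's client authentication and per-topic publish permissions.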
Industrial Use Cases
Vertical Integration: PLC to Cloud
OPC UA enables direct data flow from shop floor PLCs to cloud analytics platforms. Modern PLCs from Siemens (S7-1500), Beckhoff (TwinCAT), B&R, and others include built-in OPC UA servers. An edge gateway or cloud connector subscribes to PLC data via OPC UA and forwards it to AWS, Azure, or Google Cloud for analytics, machine learning, and digital twin applications, all using standardized data models rather than custom integration code.
Multi-Vendor SCADA Integration
OPC UA eliminates vendor lock-in by providing a standardized interface between automation components. A packaging line with Siemens PLCs, Allen-Bradley robots, ABB drives, and Endress+Hauser instruments can expose all data through a unified OPC UA address space. The supervisory SCADA or MES system accesses all devices through a single protocol with consistent security and data modeling.
ISA-95 MES Integration
The OPC UA ISA-95 companion specification maps the ISA-95 (ANSI/ISA-95) enterprise integration model to OPC UA information models. This standardizes the data exchange between Level 3 MES/MOM systems and Level 2 control systems, enabling interoperable production scheduling, material tracking, quality management, and performance reporting across multiple vendor platforms. NFM Consulting implements OPC UA integration architectures that connect field devices to enterprise systems while maintaining the security boundaries required for industrial control system protection.
Frequently Asked Questions
What is the difference between OPC Classic and OPC UA?
OPC Classic uses Microsoft COM/DCOM, limiting it to Windows platforms with complex security configuration. OPC UA is platform-independent (it runs on Linux, Windows, embedded systems and cloud platforms), includes built-in X.509 certificate security, provides a rich information model with self-describing data, and supports modern patterns like publish-subscribe and MQTT transport. OPC UA is the recommended standard for all new implementations.
Is OPC UA secure?
Yes, when it is configured to be. OPC UA has one of the most complete built-in security models of any industrial protocol: X.509 certificate authentication for both applications and users, AES-128/AES-256 encryption, digital signatures for message integrity, and configurable security policies, and the OPC Foundation aligns these mechanisms with the IEC 62443 requirements. The protection is only as good as the configuration, however: use Basic256Sha256 or stronger with MessageSecurityMode SignAndEncrypt, remove the None endpoint, disable anonymous logins and automatic certificate trust, and keep trust and revocation lists current.
Can OPC UA replace Modbus and DNP3?
OPC UA can replace Modbus and DNP3 at the supervisory level for SCADA and MES integration. Many modern PLCs and RTUs now include OPC UA servers alongside traditional protocol support. However, Modbus and DNP3 remain widely used at the field device level because of their simplicity and the installed base of existing devices. Most architectures use OPC UA for northbound integration while keeping traditional protocols for field communication, which means the OPC UA gateway becomes the security boundary for field protocols that have none of their own.