OPC UA (Unified Architecture) is the IEC 62541 standard for secure, platform-independent industrial data exchange. It has replaced OPC Classic (DCOM-based) as the standard for moving data between OT equipment and enterprise systems, historians, and cloud platforms.
Why OPC UA Replaced OPC Classic
OPC Classic (DA, HDA, A&E) relied on Microsoft DCOM, which was insecure, Windows-only, and difficult to configure across network boundaries. OPC UA addresses each of these problems:
- Platform-independent (runs on Linux, embedded systems, PLCs)
- Firewall-friendly (TCP port 4840, or HTTPS port 443)
- Built-in security (authentication, authorization, encryption)
- Self-describing information model (browse without documentation)
- Supports both client-server and publish-subscribe (OPC UA PubSub)
OPC UA Information Model
OPC UA organises data in a hierarchical address space. Every piece of data (variable, object, method) is a node identified by a NodeId. Clients browse the address space to discover available data – no hardcoded tag lists required.
Key node classes:
- Variable: Holds a data value (temperature reading, valve position)
- Object: Groups related variables (a pump object contains speed, status, alarm variables)
- Method: Callable function (start, stop, reset)
- DataType: Defines the structure of complex values
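The following is an added example, not code from the page or from any OPC UA stack: a toy address space that shows how a client parses NodeId strings and discovers data by browsing hierarchical references instead of relying on a tag list. The NodeId string notation (ns=<index>;i=..., s=..., g=..., b=...) and the well-known ids i=84 (Root) and i=85 (Objects) are standard; the Pump1 object, its variables and its Start method are constructed sample data.

```python
"""Browse a toy OPC UA address space the way a client discovers data.

Added example, not code from the page. NodeId string notation and the
well-known ids i=84 (Root) / i=85 (Objects) are standard; the 'Pump1'
object and its children are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NodeId:
    namespace: int
    id_type: str      # 'i' numeric, 's' string, 'g' GUID, 'b' opaque (base64)
    identifier: str

    def __str__(self) -> str:
        prefix = f"ns={self.namespace};" if self.namespace else ""
        return f"{prefix}{self.id_type}={self.identifier}"


def parse_node_id(text: str) -> NodeId:
    """Parse 'ns=2;s=Pump1.Speed' or 'i=85'; the namespace index defaults to 0."""
    namespace, rest = 0, text
    if text.startswith("ns="):
        ns_part, sep, rest = text.partition(";")
        if not sep:
            raise ValueError(f"NodeId {text!r} has a namespace but no identifier")
        namespace = int(ns_part[3:])
    if len(rest) < 3 or rest[1] != "=" or rest[0] not in "isgb":
        raise ValueError(f"malformed NodeId identifier {rest!r}")
    id_type, identifier = rest[0], rest[2:]
    if id_type == "i":
        int(identifier)  # raises if a numeric identifier is not an integer
    return NodeId(namespace, id_type, identifier)


@dataclass
class Node:
    node_class: str               # Object, Variable, Method, ...
    browse_name: str
    children: List[str]           # NodeIds (string form) reachable by hierarchical references


# Constructed address space: the two standard folders plus a sample pump object.
ADDRESS_SPACE: Dict[str, Node] = {
    "i=84": Node("Object", "Root", ["i=85"]),
    "i=85": Node("Object", "Objects", ["ns=2;s=Pump1"]),
    "ns=2;s=Pump1": Node("Object", "Pump1",
                         ["ns=2;s=Pump1.Speed", "ns=2;s=Pump1.Status", "ns=2;s=Pump1.Start"]),
    "ns=2;s=Pump1.Speed": Node("Variable", "Speed", []),
    "ns=2;s=Pump1.Status": Node("Variable", "Status", []),
    "ns=2;s=Pump1.Start": Node("Method", "Start", []),
}


def browse(space: Dict[str, Node], node_id: str) -> List[Tuple[str, str, str]]:
    """Return (browse_name, node_class, node_id) for each child of node_id."""
    key = str(parse_node_id(node_id))  # normalise, e.g. 'ns=0;i=85' -> 'i=85'
    node = space.get(key)
    if node is None:
        raise KeyError(f"unknown node {node_id}")
    return [(space[c].browse_name, space[c].node_class, c) for c in node.children]


def translate_browse_path(space: Dict[str, Node], start: str, path: List[str]) -> Optional[str]:
    """Resolve a browse path such as ['Objects', 'Pump1', 'Speed'] to a NodeId string."""
    current = str(parse_node_id(start))
    for name in path:
        match = [nid for (bname, _, nid) in browse(space, current) if bname == name]
        if not match:
            return None
        current = match[0]
    return current


def list_variables(space: Dict[str, Node], start: str = "i=84") -> List[str]:
    """Walk the whole tree from start and return every Variable NodeId found."""
    found, stack = [], [str(parse_node_id(start))]
    while stack:
        nid = stack.pop()
        for _, node_class, child in browse(space, nid):
            if node_class == "Variable":
                found.append(child)
            stack.append(child)
    return sorted(found)


if __name__ == "__main__":
    for name, cls, nid in browse(ADDRESS_SPACE, "ns=2;s=Pump1"):
        print(f"{name:8} {cls:9} {nid}")
    print(translate_browse_path(ADDRESS_SPACE, "i=84", ["Objects", "Pump1", "Speed"]))
```

A real client issues Browse and TranslateBrowsePathsToNodeIds service calls against the server for the same two operations; the point here is that everything a client needs (names, node classes, identifiers) is discoverable from the address space itself.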
OPC UA Security Model
OPC UA security operates at three levels:
- Transport Security: TLS encryption of the communication channel
- Application Authentication: X.509 certificates authenticate servers and clients to each other
- User Authentication: Username/password or user certificates authenticate individual users
Security policies range from None (no security – development only) to Basic256Sha256 (production standard). Never use None in a production environment.
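As an added example (not code from the page or from any OPC UA stack), the checker below audits the endpoint list a server advertises and selects the one a hardened client should connect to. The endpoint dictionaries mirror the fields of a GetEndpoints response (endpointUrl, securityPolicyUri, securityMode, securityLevel) but hold constructed sample values; the policy URIs and the MessageSecurityMode numbering are the standard ones. Besides Basic256Sha256, which the text names as the production standard, it accepts the Aes128_Sha256_RsaOaep and Aes256_Sha256_RsaPss policies added in later revisions of the specification, and it rejects Basic128Rsa15 and Basic256, which the OPC Foundation has deprecated because they rely on SHA-1.

```python
"""Audit the endpoints an OPC UA server advertises and pick the one a hardened
client should use.

Added example, not code from the page. Endpoint dictionaries mirror a
GetEndpoints response with constructed sample values; policy URIs and the
MessageSecurityMode values are the standard ones."""
from typing import Dict, List, Optional, Tuple

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"

# Client-side ranking, strongest last. Basic128Rsa15 and Basic256 rely on SHA-1
# and are deprecated by the OPC Foundation; None provides no protection at all.
POLICY_RANK: Dict[str, int] = {
    "None": 0,
    "Basic128Rsa15": 1,
    "Basic256": 2,
    "Basic256Sha256": 3,
    "Aes128_Sha256_RsaOaep": 4,
    "Aes256_Sha256_RsaPss": 5,
}
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}

# MessageSecurityMode enumeration values from the OPC UA specification.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3


def _ep(policy: str, mode: int, level: int,
        url: str = "opc.tcp://plc-gateway.example:4840") -> Dict:
    """Build one constructed endpoint record (hostname is a placeholder)."""
    return {"endpointUrl": url, "securityPolicyUri": POLICY_PREFIX + policy,
            "securityMode": mode, "securityLevel": level}


# Constructed sample: the kind of list a loosely configured server exposes
# alongside its hardened endpoint.
SAMPLE_ENDPOINTS: List[Dict] = [
    _ep("None", MODE_NONE, 0),
    _ep("Basic128Rsa15", MODE_SIGN, 1),
    _ep("Basic256", MODE_SIGN_AND_ENCRYPT, 2),
    _ep("Basic256Sha256", MODE_SIGN, 3),
    _ep("Basic256Sha256", MODE_SIGN_AND_ENCRYPT, 4),
    _ep("Aes256_Sha256_RsaPss", MODE_SIGN_AND_ENCRYPT, 5),
]


def policy_name(uri: str) -> str:
    """'…/SecurityPolicy#Basic256Sha256' -> 'Basic256Sha256'; reject unknown URIs."""
    if not uri.startswith(POLICY_PREFIX):
        raise ValueError(f"unrecognised security policy URI {uri!r}")
    name = uri[len(POLICY_PREFIX):]
    if name not in POLICY_RANK:
        raise ValueError(f"unknown security policy {name!r}")
    return name


def issues_for(ep: Dict) -> List[str]:
    """Findings for one endpoint; an empty list means it is acceptable for production."""
    issues = []
    name = policy_name(ep["securityPolicyUri"])
    mode = ep["securityMode"]
    if name == "None":
        issues.append("SecurityPolicy None: no signing and no encryption")
    elif name in DEPRECATED_POLICIES:
        issues.append(f"deprecated SecurityPolicy {name} (SHA-1 based)")
    if mode == MODE_NONE:
        issues.append("MessageSecurityMode None: channel is neither signed nor encrypted")
    elif mode == MODE_SIGN:
        issues.append("MessageSecurityMode Sign: integrity only, process data travels in cleartext")
    if not ep["endpointUrl"].startswith(("opc.tcp://", "https://")):
        issues.append(f"unexpected transport in {ep['endpointUrl']}")
    return issues


def audit_endpoints(endpoints: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (index, issues) for every endpoint that should not be offered in production."""
    return [(idx, issues_for(ep)) for idx, ep in enumerate(endpoints) if issues_for(ep)]


def select_endpoint(endpoints: List[Dict]) -> Optional[Dict]:
    """Pick the strongest endpoint that is SignAndEncrypt with an acceptable policy.

    The ranking is the client's own; the server-supplied securityLevel is only a
    tie-breaker, because a misconfigured server could report any value there."""
    candidates = [ep for ep in endpoints if not issues_for(ep)]
    if not candidates:
        return None
    return max(candidates, key=lambda ep: (POLICY_RANK[policy_name(ep["securityPolicyUri"])],
                                           ep["securityLevel"]))


if __name__ == "__main__":
    for idx, issues in audit_endpoints(SAMPLE_ENDPOINTS):
        ep = SAMPLE_ENDPOINTS[idx]
        print(f"[{idx}] {policy_name(ep['securityPolicyUri'])} / mode {ep['securityMode']}")
        for issue in issues:
            print("    -", issue)
    chosen = select_endpoint(SAMPLE_ENDPOINTS)
    print("connect using:", chosen and policy_name(chosen["securityPolicyUri"]))
```

Two design points carry over to real deployments: the client decides what is acceptable rather than trusting the server's securityLevel ordering, and the audit report doubles as a hardening checklist for the server side, where the None and deprecated endpoints should simply not be enabled.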
OPC UA PubSub
OPC UA PubSub (IEC 62541-14) extends the standard with a publish-subscribe transport suitable for IIoT and cloud integration. It supports MQTT and AMQP as transports, enabling OPC UA data to flow directly to cloud brokers without polling overhead.
Practical Deployment Tips
- Use the OPC Foundation’s UA .NET Standard stack for server/client development
- Matrikon OPC, Kepware, and Ignition all include OPC UA servers for legacy equipment
- Firewall rules should permit TCP 4840 inbound to OPC UA servers from authorised clients only
- Manage certificate trust lists carefully – automate renewal to prevent surprise expiries