OPC UA
What is OPC UA
OPC UA stands for OPC Unified Architecture. It is an extensible, platform-independent standard that enables the secure exchange of information in industrial systems. In 2008, OPC UA was released by the Open Platform Communications (OPC) Foundation, which regulates and maintains the interoperability standard, protocols, and specifications for data communication, mainly in industrial automation operations. OPC UA is compatible with Windows, macOS, Android, and Linux. It can also be used in embedded systems and bare-metal systems, which do not use an operating system. OPC UA works on PCs, cloud-based infrastructures, PLCs, micro-controllers, and cyber-physical systems (CPS), which are engineered systems that integrate computational elements with physical processes, such as smart grids, autonomous vehicles, and robotic arms.
Architecture and core concept of OPC UA
OPC UA is a protocol stack built on top of the well-known TCP/IP protocol, the backbone of Ethernet and the internet.
OPC UA operates on a client-server model, where the OPC UA server exposes its data objects to a client. The OPC UA interface is configured to define how data is accessed. A client-side OPC UA application subscribes to data objects on the server, with subscriptions consisting of one or more data links to server objects, enabling the client to request and receive data.
Core Concept
Its architecture is based on the following principles:
- Platform Independence: runs on various operating systems and hardware platforms.
- Service-Oriented Architecture (SOA): uses services for communication, such as read, write, subscribe, and method calls.
- Information Modeling: provides a rich, extensible framework to define complex data structures and relationships.
- Security: incorporates robust mechanisms for authentication, authorization, encryption, and data integrity.
- Scalability: supports small embedded devices to large enterprise systems.
OPC UA Subscriptions
Each configured OPC UA subscription has properties that request data such as:
- DisplayName, which is the data object or tag
- Tag Value
- Quality or Status
- Timestamp of the OPC UA server and client
- Data Type
- Subscription ID
A typical OPC UA subscription link has this format:
“opc.tcp://PCName192.168.1.45:62652/MyOPCProvider/UAServerName”
The link directs the OPC UA client to the OPC UA server at the configured location: it identifies the PC name, IP address, and TCP port number at which the OPC UA server can be reached.
The OPC UA TCP protocol uses essentially the same link structure as an internet link. This gives OPC UA clients the ability to directly discover, address, and subscribe to data in the OPC UA server over any Ethernet network, and it makes OPC UA independent of the operating system, making it truly platform-independent.
OPC UA Read/Write Functionality
The Read/Write functionality in OPC UA allows an OPC UA client, such as an HMI or control application, to interact with data on an OPC UA server. The Read operation retrieves data or attributes from the server’s address space, while the Write operation modifies data, provided the client has the necessary permissions. These operations are essential for monitoring and controlling devices or processes in industrial automation. Each Read or Write operation targets specific nodes in the server’s address space, which represent data objects like variables, objects, or methods. The nodes have attributes that can be accessed or modified, including:
- DisplayName: The name of the data object or tag (e.g., “TemperatureSensor”).
- Tag Value: The actual data value (e.g., 25.5°C for a temperature reading).
- Quality or Status: Indicates the data’s validity (e.g., Good, Bad, Uncertain).
- Timestamp: Records when the data was generated (source timestamp) or processed (server timestamp).
- Data Type: Specifies the type of data (e.g., Float, Integer, String).
- NodeId: A unique identifier for the node in the server’s address space.
How Read/Write Works
Read Operation: The client sends a ReadRequest to the server, specifying the NodeId and attribute (Value) to retrieve. The server responds with the requested data, such as the current value, timestamp, and status.
Write Operation: The client sends a WriteRequest to update a node’s attribute (Value) with a new value. The server checks the client’s permissions and the node’s AccessLevel (must be writable) before updating the value.
Note: Due to the hardware constraints of the Siemens S7-1200 PLC, only two OPC UA functionalities (Subscription and Read/Write) are supported. Other OPC UA functionalities are not available.
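To make the Read and Write checks concrete, here is an added example (not code from this page, from Siemens, or from TIA Portal) of a toy server that handles the two operations the way the text describes: a Read returns value, timestamps and status, and a Write is refused unless the caller is permitted, the node's AccessLevel allows writing, and the value matches the node's DataType. The node ids, user roles and values are constructed for the example; the AccessLevel bits and StatusCode values are the ones the OPC UA specification defines.

```python
"""Toy OPC UA-style Read/Write service (added example, not from the page).

Shows the server-side checks the text describes: a Read returns the value,
timestamps and a status; a Write is refused unless the caller is permitted,
the node's AccessLevel allows CurrentWrite, and the value matches the DataType.
AccessLevel bits and StatusCode values are those defined in the OPC UA
specification; the address space, user roles and values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Optional

# AccessLevel bits (OPC UA Part 3, AccessLevelType)
CURRENT_READ = 0x01
CURRENT_WRITE = 0x02

# StatusCodes (OPC UA Part 6 status code table)
GOOD = 0x00000000
BAD_NODE_ID_UNKNOWN = 0x80340000
BAD_NOT_READABLE = 0x803A0000
BAD_NOT_WRITABLE = 0x803B0000
BAD_USER_ACCESS_DENIED = 0x801F0000
BAD_TYPE_MISMATCH = 0x80740000


def severity(status: int) -> str:
    """Map a StatusCode to the Quality the text lists: Good, Uncertain or Bad."""
    top = status >> 30  # the two most significant bits carry the severity
    return {0: "Good", 1: "Uncertain", 2: "Bad"}.get(top, "Bad")


@dataclass
class Node:
    node_id: str
    display_name: str
    value: Any
    data_type: type
    access_level: int
    source_ts: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class ReadResult:
    status: int
    value: Any = None
    source_timestamp: Optional[datetime] = None
    server_timestamp: Optional[datetime] = None


class ToyServer:
    """Address space plus a constructed role model: only listed users may write."""

    def __init__(self, nodes, write_users):
        self.nodes = {n.node_id: n for n in nodes}
        self.write_users = set(write_users)

    def read(self, node_id: str) -> ReadResult:
        node = self.nodes.get(node_id)
        if node is None:
            return ReadResult(BAD_NODE_ID_UNKNOWN)
        if not node.access_level & CURRENT_READ:
            return ReadResult(BAD_NOT_READABLE)
        return ReadResult(GOOD, node.value, node.source_ts, datetime.now(timezone.utc))

    def write(self, user: str, node_id: str, new_value: Any) -> int:
        node = self.nodes.get(node_id)
        if node is None:
            return BAD_NODE_ID_UNKNOWN
        if user not in self.write_users:  # caller's permission is checked first
            return BAD_USER_ACCESS_DENIED
        if not node.access_level & CURRENT_WRITE:  # node itself must be writable
            return BAD_NOT_WRITABLE
        if not isinstance(new_value, node.data_type):  # value must fit the DataType
            return BAD_TYPE_MISMATCH
        node.value = new_value
        node.source_ts = datetime.now(timezone.utc)
        return GOOD


def build_demo_server() -> ToyServer:
    """Constructed address space: a writable setpoint and a read-only measurement."""
    return ToyServer(
        nodes=[
            Node("ns=3;s=Motor1.SpeedSetpoint", "SpeedSetpoint", 1450.0, float,
                 CURRENT_READ | CURRENT_WRITE),
            Node("ns=3;s=Motor1.Temperature", "Temperature", 41.5, float,
                 CURRENT_READ),
        ],
        write_users=["operator"],
    )


if __name__ == "__main__":
    srv = build_demo_server()
    print(srv.read("ns=3;s=Motor1.SpeedSetpoint"))
    print(hex(srv.write("viewer", "ns=3;s=Motor1.SpeedSetpoint", 1200.0)))
    print(hex(srv.write("operator", "ns=3;s=Motor1.Temperature", 50.0)))
```

The order of the checks matters for a defender: the user's permission is tested before the node is touched, so a denied caller learns nothing about whether the node is writable, and a read-only measurement such as the temperature can never be overwritten regardless of who asks.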
Security in OPC UA
OPC UA has been adopted by the oil and gas industry, the pharmaceutical industry, and many other industrial sectors that require high security.
Security Layers in OPC UA
OPC UA security operates at multiple layers to protect communication between clients and servers:
- Transport Layer: The transport layer is the first line of defense for OPC UA. This layer focuses primarily on the IP address of the machine, as well as the relevant ports. In addition, defenses such as user access lists or firewalls that manage connections exist here.
- Communication Layer: At the communication layer, the OPC UA client connects to the server and exchanges certificates to authenticate the connection, as well as to encrypt and sign the messages sent.
- Application Layer: In the UA application layer, the server verifies that the user credentials accessing it have proper authority to access specific resources.
OPC UA security architecture – Client / Server
OPC UA Certificates
OPC UA uses an IT technology called X.509 certificates for message signing and encryption. Signing means that when your application receives a message, you can know exactly who sent it by checking the message signature. This protects against rogue entities sending your client or server bogus requests. Message encryption provides confidentiality by guaranteeing that only the receiver is able to read a message.
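An added example (not code from this page or from any OPC UA product) that ties the subscription link format from the Subscriptions section to the security layers above: it parses an opc.tcp link into the host, port and path the link identifies, then audits the security policy, message security mode and user token types a server advertises per endpoint, flagging the settings a defender would not expose (no message security, Sign-only, the deprecated SHA-1/RSA15 policies, anonymous logins). The endpoint list is constructed; the policy URIs, the MessageSecurityMode values and the default port 4840 are those defined by the OPC Foundation.

```python
"""OPC UA endpoint link parsing and security audit (added example, not from the page).

parse_endpoint_url() breaks an opc.tcp link into host, port and path.
audit_endpoint() checks the settings a server advertises for one endpoint and
returns the findings a defender would act on. Policy URIs, MessageSecurityMode
values and the default port are the OPC Foundation's; DEMO_ENDPOINTS is constructed.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

OPC_UA_DEFAULT_PORT = 4840  # registered port for opc.tcp, also the port in the PLC example
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"

# MessageSecurityMode enumeration (OPC UA Part 4)
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3

# Policies built on SHA-1 and RSA PKCS#1 v1.5, deprecated by the OPC Foundation
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}


def parse_endpoint_url(url: str) -> Dict[str, object]:
    """Split an opc.tcp link into host, port and path; the port defaults to 4840."""
    parts = urlsplit(url)
    if parts.scheme != "opc.tcp":
        raise ValueError(f"not an opc.tcp link: {url!r}")
    if not parts.hostname:
        raise ValueError(f"link has no host: {url!r}")
    return {
        "host": parts.hostname,
        "port": parts.port if parts.port is not None else OPC_UA_DEFAULT_PORT,
        "path": parts.path,
    }


def audit_endpoint(ep: dict) -> List[str]:
    """Return the findings for one advertised endpoint (empty list = acceptable)."""
    findings = []
    policy = ep["security_policy_uri"].rsplit("#", 1)[-1]
    mode = ep["security_mode"]
    if policy == "None" or mode == MODE_NONE:
        findings.append("no message security: cleartext, unauthenticated channel")
    elif mode == MODE_SIGN:
        findings.append("Sign only: integrity without confidentiality")
    if policy in DEPRECATED_POLICIES:
        findings.append(f"deprecated security policy {policy}")
    if "Anonymous" in ep["user_tokens"]:
        findings.append("anonymous user token accepted")
    return findings


def audit_server(endpoints: List[dict]) -> List[List[str]]:
    """Audit every endpoint, preserving input order."""
    return [audit_endpoint(ep) for ep in endpoints]


def choose_endpoint(endpoints: List[dict]) -> Optional[dict]:
    """Pick the first endpoint with no findings: the one a hardened client should use."""
    for ep in endpoints:
        if not audit_endpoint(ep):
            return ep
    return None


# Constructed endpoint list, shaped like the fields a GetEndpoints response carries
DEMO_ENDPOINTS = [
    {"url": "opc.tcp://192.168.1.45:4840/", "security_policy_uri": POLICY_PREFIX + "None",
     "security_mode": MODE_NONE, "user_tokens": ["Anonymous", "UserName"]},
    {"url": "opc.tcp://192.168.1.45:4840/", "security_policy_uri": POLICY_PREFIX + "Basic256Sha256",
     "security_mode": MODE_SIGN_AND_ENCRYPT, "user_tokens": ["UserName", "Certificate"]},
    {"url": "opc.tcp://192.168.1.45:4840/", "security_policy_uri": POLICY_PREFIX + "Basic128Rsa15",
     "security_mode": MODE_SIGN, "user_tokens": ["UserName"]},
]

if __name__ == "__main__":
    print(parse_endpoint_url(DEMO_ENDPOINTS[0]["url"]))
    for ep, findings in zip(DEMO_ENDPOINTS, audit_server(DEMO_ENDPOINTS)):
        print(ep["security_policy_uri"].rsplit("#", 1)[-1], findings or "OK")
    chosen = choose_endpoint(DEMO_ENDPOINTS)
    print("use:", chosen["security_policy_uri"] if chosen else "none acceptable")
```

Servers often advertise several endpoints on the same URL, so the URL alone says nothing about the protection in use; the audit is per endpoint, and a client should be pinned to the SignAndEncrypt endpoint rather than left to negotiate downward.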
OPC UA Encryption
Symmetric Encryption:
Ensures confidentiality of data during transmission by encrypting messages. It uses a single shared key for both encryption and decryption, which is faster and more efficient for large data volumes.
Asymmetric Encryption:
Facilitates secure key exchange, authentication, and message signing to establish trust and protect the initial setup of communication. It uses a public/private key pair.
PLC Implementation
Note: OPC UA will not work for S7-1200 PLCs with firmware below version 4.4. This is why OPC UA works best from TIA Portal V16; also, from TIA Portal V16 the certificate license for OPC UA is already included in the software, so there is no need to purchase a separate license. Therefore, we are using TIA Portal V16 during the whole project. To use OPC UA in TIA Portal as a server, you first need to activate the OPC UA server from the OPC UA navigation. The server address should be noted because the OPC UA client device will connect to the server through this address. The OPC UA server address contains the IP address and the port number. In this example, the port number is 4840.
In the security navigation, TIA Portal automatically generates the server certificate for you; this certificate is a basic one and is self-signed. You can also author new self-signed certificates by clicking on the harbinger icon and generating new certificates.
Then you create a new data block that will contain the OPC UA data that we will be manipulating.
Configuring the server interface
The server interface is used to configure interfaces for the OPC UA server. More than one interface can be configured for a particular server, which helps keep the configuration orderly and simple.