OPC Classic
OLE for Process Control — the late-1990s Microsoft-DCOM-based bridge that let Windows applications read industrial process data. Notorious for needing port 135 plus a wide dynamic port range, which gutted IT/OT firewalling. Superseded by OPC UA.
Also: OPC, OLE for Process Control, OPC DA, OPC HDA, OPC A&E
OPC Classic is the original OLE for Process Control specification — a Microsoft-DCOM-based standard published by the OPC Foundation (founded 1996) that let Windows applications read industrial process data from PLCs, SCADA systems, and DCS controllers. It is the bridge that first dissolved the Purdue Model Level 3 / Level 4 boundary, and the protocol whose firewall behaviour is the canonical example of how IT/OT integration ate the air gap.
What “Classic” means
OPC Classic is the umbrella term for the original COM/DCOM-based suite, which split into three flavours:
| Flavour | Purpose |
|---|---|
| OPC DA (Data Access) | Real-time read/write of tag values. The most-deployed flavour. |
| OPC HDA (Historical Data Access) | Querying historian databases. |
| OPC A&E (Alarms & Events) | Alarm and event subscription. |
All three sat on top of Microsoft DCOM, which is what gave OPC Classic its operational character.
The DCOM port problem
To allow OPC traffic through a firewall, the standard recipe was:
- Port 135 TCP — DCOM endpoint mapper.
- A dynamic range of 1024-65535 TCP — the actual RPC channels DCOM negotiates per call.
You could constrain the dynamic range with registry edits on every host, but in practice this was rarely done correctly. Most sites either ran the OPC server in the same security zone as the historian (collapsing the boundary), opened the full 1024-65535 range (no real boundary), or installed an OPC tunnelling product (Kepware, Matrikon, Cogent) that wrapped OPC inside a single TCP port — which worked but added another vendor dependency to every conduit.
The “industrial DMZ” pattern — Level 3.5 in Purdue — was largely invented to give OPC tunnelling somewhere to land.
Why it matters historically
OPC Classic is the protocol that proved IT/OT convergence had already happened by the early 2000s. Once a Windows historian on the corporate network was reading tags from a Windows OPC server on the control network, the air gap was rhetorical. Stuxnet propagated partly via Windows file-sharing and removable media in the same Windows-on-OT environment that OPC normalised; the conditions for it existed because OPC had made Windows on the plant floor unremarkable.
OPC UA — the successor
The OPC Foundation published OPC UA (Unified Architecture) in 2008 as the platform-independent, transport-agnostic, properly-secured replacement. OPC UA runs over a single TCP port (typically 4840), supports TLS and X.509 mutual authentication natively, and is implementable on Linux, embedded RTOS, and cloud platforms — none of which DCOM ever was.
OPC UA is the protocol that newer DCS, SCADA, and historian platforms use. OPC Classic is what the brownfield runs on, and is going to keep running on for decades because the installed base is enormous and replacing it costs more than living with the firewall scars.