OPC UA
OPC Unified Architecture — the platform-independent, transport-secure successor to OPC Classic. A single TCP port (4840), TLS and X.509 mutual auth natively, runs on Linux and embedded RTOSes — none of which DCOM ever did. The default IT/OT bridging protocol for new-build substation gateways.
Also: OPC Unified Architecture, OPC UA, OPC UA TCP, Pub/Sub, OPC UA Pub/Sub
OPC Unified Architecture is the OPC Foundation’s 2008-and-onwards replacement for OPC Classic. It is what “OPC” means in any substation gateway specification written in the last decade. Where Classic was a Microsoft-DCOM-bound, Windows-only, port-anywhere mess, UA is platform-independent, transport-secure, and runs on a single TCP port (4840) — the difference matters operationally far more than the marketing names suggest.
OPC UA is also published by IEC as IEC 62541, which is what utility procurement documents tend to cite — same standard, different cover.
What changed from OPC Classic
| Property | OPC Classic | OPC UA |
|---|---|---|
| Transport | DCOM (Microsoft proprietary) | TCP/IP (single port) or HTTPS |
| Platform | Windows only | Windows, Linux, embedded RTOS, browser |
| Firewall friendliness | Port 135 + 1024-65535 dynamic | Single port (4840) |
| Security | DCOM authentication (in practice often disabled) | TLS + X.509 mutual auth as a first-class concern |
| Discovery | DCOM endpoint mapper (rarely worked across firewalls) | Local Discovery Server, Global Discovery Server, mDNS |
| Information model | Tag list | Rich object/type model with inheritance |
| Pub/Sub | Polling only | Native Pub/Sub since 2018 (IEC 62541-14) |
The single-port TCP transport alone made OPC UA dramatically friendlier to IT/OT segregation than Classic ever was. The whole “industrial DMZ to terminate OPC tunnelling” pattern that justified Purdue Level 3.5 became less necessary.
Where it shows up in substations
OPC UA is rarely the protocol on the bus in a substation — that is GOOSE, Sampled Values, or MMS for the 61850 traffic, DNP3 or IEC 60870-5-104 for the SCADA traffic. OPC UA shows up at the gateway:
- Substation gateway → corporate historian. The gateway exposes an OPC UA server; the historian (PI, AVEVA, Cognite, etc.) runs an OPC UA client. A single TCP port through the firewall, mutually authenticated, replaces a generation of bespoke historian-protocol bridges.
- Substation gateway → asset-management or condition-monitoring platform. Same pattern — UA server on the gateway, UA client on the consuming system.
- ADMS → external systems. ADMS vendors increasingly expose UA northbound interfaces to the data lake and to the AI/ML platforms that consume operational data.
It is the IT/OT-boundary protocol of choice for new-build gateway designs. Greenfield projects almost never specify Classic; brownfield projects keep Classic running because the historian on the other side of the firewall has been running for fifteen years and replacing it is not in the budget.
Pub/Sub and OPC UA FX
The 2018 publication of OPC UA Pub/Sub (IEC 62541-14) added a publish/subscribe layer over UDP multicast and over MQTT/AMQP. This is what makes OPC UA usable for the high-frequency machine-to-machine communications that the original client/server model was too heavy for.
OPC UA FX (Field eXchange) is the 2022-onwards profile for industrial-control-class deployment — peer-to-peer between controllers, deterministic over Time-Sensitive Networking (TSN). It is more relevant to factory-floor automation than substation use, but signals where the protocol ecosystem is going.
Security posture
OPC UA was designed with security as a first-class concern in a way Classic was not. The standard defines:
- Three security modes — None / Sign / Sign and Encrypt — selectable per session.
- X.509 mutual authentication as the default identity mechanism.
- Application authentication (certificate of the OPC UA application) plus user authentication (username/password, X.509, or token).
- Certificate management through Local and Global Discovery Servers, including push-mode certificate provisioning.
The catch is the same catch IEC 62351-9 faces: the security only works if certificates are managed properly across asset lifetimes. An OPC UA deployment with self-signed certs that nobody rotates is technically secure-mode-3 but operationally as exposed as Classic was.
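As an added example (not OPC Foundation or vendor code), the following Python audit walks the endpoint descriptions a server advertises through the GetEndpoints service and flags the configurations this section warns against: a None or Sign-only channel, the deprecated SHA-1-era security policies, anonymous access, and a username/password token that would cross an unencrypted channel. The Endpoint dataclass and the SAMPLE list are constructed stand-ins for what an OPC UA client library would return.

```python
"""Audit OPC UA endpoint descriptions (the shape GetEndpoints returns) against a baseline:
SignAndEncrypt only, no deprecated SecurityPolicy, no anonymous or plaintext user tokens."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

POLICY = "http://opcfoundation.org/UA/SecurityPolicy#"
DEPRECATED = {POLICY + "Basic128Rsa15", POLICY + "Basic256"}  # SHA-1 era, deprecated in UA 1.04
MODE = {1: "None", 2: "Sign", 3: "SignAndEncrypt"}  # MessageSecurityMode enum values
ANONYMOUS, USERNAME, CERTIFICATE = 0, 1, 2  # UserTokenType enum values

@dataclass
class Endpoint:  # constructed stand-in for an EndpointDescription
    url: str
    security_mode: int
    security_policy_uri: str
    # (UserTokenType, token SecurityPolicy URI or None to inherit the channel policy)
    user_tokens: List[Tuple[int, Optional[str]]] = field(default_factory=list)

def short(uri: str) -> str:
    return uri.rsplit("#", 1)[-1]  # ".../SecurityPolicy#Basic256" -> "Basic256"

def audit_endpoint(ep: Endpoint) -> List[str]:
    """Return the findings for one endpoint; an empty list means it passes the baseline."""
    findings = []
    if ep.security_mode != 3:
        findings.append(f"channel mode {MODE.get(ep.security_mode, '?')} is not SignAndEncrypt")
    if ep.security_policy_uri == POLICY + "None" or ep.security_policy_uri in DEPRECATED:
        findings.append(f"security policy {short(ep.security_policy_uri)} is None or deprecated")
    for token_type, token_policy in ep.user_tokens:
        if token_type == ANONYMOUS:
            findings.append("anonymous user token accepted")
        elif token_type == USERNAME:
            # The password is encrypted under the token policy; if that is None and the
            # channel is not SignAndEncrypt either, the credential crosses the wire readable.
            if (token_policy or ep.security_policy_uri) == POLICY + "None" and ep.security_mode != 3:
                findings.append("username/password token would be sent in the clear")
    return findings

def audit(endpoints: List[Endpoint]) -> List[Tuple[str, List[str]]]:
    """Label each advertised endpoint as 'url [mode/policy]' with its findings."""
    return [(f"{ep.url} [{MODE.get(ep.security_mode, '?')}/{short(ep.security_policy_uri)}]",
             audit_endpoint(ep)) for ep in endpoints]

# Constructed sample: three endpoints a gateway might advertise on the same URL.
SAMPLE = [
    Endpoint("opc.tcp://gateway:4840", 1, POLICY + "None", [(ANONYMOUS, None), (USERNAME, None)]),
    Endpoint("opc.tcp://gateway:4840", 2, POLICY + "Basic256", [(USERNAME, None)]),
    Endpoint("opc.tcp://gateway:4840", 3, POLICY + "Basic256Sha256", [(CERTIFICATE, None)]),
]
```

Only the third endpoint passes; the first two are the "technically advertised, operationally exposed" cases, and in a real run the Endpoint objects would be built from a client library's GetEndpoints result rather than the constructed SAMPLE.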
Where it does not fit
OPC UA is not a process-bus protocol. Its end-to-end latency is not deterministic at the level that GOOSE or SV require. It is also a heavyweight protocol — even the Sign mode adds non-trivial CPU and memory overhead per session — which is why it is not the default for resource-constrained protection IEDs.
The right way to think about it for substation work: OPC UA is the gateway protocol, IEC 61850 is the substation-internal protocol, and the gateway translates between them. That division of labour is what keeps both standards in their respective sweet spots.