Conquering the Cloud with OPC UA


Exchanging data between Industrial Internet of Things (IIoT) devices and the cloud presents a bewildering array of options. Cloud providers, Amazon Web Services, Microsoft Azure, Google IO, and many others each advocate for their own technique for IIoT data interchange.

There is a confusing hodgepodge of different approaches. IIoT “standards” such as MQTT, AMQP, REST, and Kafka compete to serve as pipelines to move data across the network. The machine-readable format of the data, usually defined in XML or JSON and different for each solution, creates a custom protocol that may not be ideally suited for automation data. These cloud vendor–specific solutions have, in turn, caused a proliferation of “gateways” with multiple vendors promoting different methods as a way to transfer data to the cloud.

Custom implementations from IIoT/edge/cloud software and hardware vendors cause a “vendor lock,” limiting your choices and flexibility. Operational technology (OT) applications have a very long life, and in the fast-moving world of cloud IT some solutions are likely to be orphaned.

We have been here before. Historically vendors would sell programmable logic controllers (PLCs) and automation products with proprietary interfaces that worked only with their software. What changed the landscape then is a clear solution to our current dilemma—OPC.

There is no reason for the cloud to be intimidating or complex. There is one technology you already know that will take your designs from device to cloud and back, and that’s OPC UA.


OPC unified architecture: A complete redesign

OPC has come a long way from the original Windows-centric, network-unfriendly, insecure, legacy standard of the late 1990s. The most recent OPC specification—OPC UA—continues to be very widely supported and provides access to almost any field device. It is the preferred way to share data with factory automation software and is implemented by many vendors.

The redesign of the OPC standard was much more than a modernization of the legacy standard. With many years of experience in the OT field, the OPC UA standard kept the utility and capabilities of the legacy standard while addressing the limitations. The importance of IIoT and the continuing growth of the cloud may not have been obvious when the OPC Unified Architecture standard was first published in 2006, but some prescient decisions help make OPC UA a natural choice for the entire cloud environment. The most obvious is that OPC UA is cross-platform and provides secure-by-design network communications.

OPC has always been targeted at automation data—a continuous stream of values that we need to share between applications to populate user interfaces and trends and from which we need to extract alarms and anomalies. OPC reflects the reality of the OT environment. Each tag or data point has descriptive metadata including valuable text descriptions of the point, units, ranges, locations, etc. Critical for good OT data management are a quality indicator and the time stamp of the actual reading—not the time it was uploaded. As obvious and vital as all these requirements are for OT data, many widely adopted protocols and custom cloud/IIoT solutions do not include these essential aspects.

Security is always a priority whenever data is passed across a network. OPC UA security is based on state-of-the-art IT best practices, but you do not have to understand the intricacies to deliver a secure solution. Security is an integral part of the standard and is part of all OPC UA clients and servers. OT professionals, with reasonable care and understanding, can ensure a secure OPC system end-to-end—indeed, if you have already installed and configured any OPC UA solution you know the procedure.

OPC UA, like legacy OPC, supports subscriptions and on-data-change notifications. Clients can subscribe to the server and receive notification of tags that have changed in real time. This service has been enhanced so that on-data-change notifications are queued at the server. If there is a short network outage, the server will maintain the notifications for the client and deliver them in order when the client can receive them. Another addition to the standard is the “HistoryRead” service. Clients can request data starting from a particular date and time, allowing data notifications that were missed during a more major network issue to be retrieved once the network connection is reestablished.

Communication is always initiated by the client. Data requests from the client use a technique similar to the well-understood web concept of a “long poll.” Normally, when we consider polling, we think of constant periodic requests to a PLC for the current value. With large datasets this is inefficient and can use a lot of bandwidth. In a long poll from the client, the server will not immediately return the current values, but wait, either until values are available or a timeout has expired. This approach maintains efficiency but still leaves the client in control. The client sets the timeout, which is essentially a heartbeat ensuring that the communication between client and server is healthy. This behavior, always initiating the connection from the client, is transparent to the user, but is consistent with a modern web/HTTPS architecture. More importantly, it allows redundancy and replication of the server.
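The three behaviours just described (server-side queuing of data-change notifications, the client-driven long poll that falls back to a keep-alive at the client's timeout, and HistoryRead to recover what a short queue could not hold) are easy to see in a small model. The following is an added example written for this article; it is not code from the article, the OPC Foundation, or any vendor's SDK, and it does not speak the OPC UA wire protocol. The class names, the `Pump1.Flow` node and all sample values are constructed for the example, and the single per-subscription queue with a discard-oldest policy is a simplification of the real per-monitored-item queues.

```python
"""Model of OPC UA subscription semantics: queued notifications, long-poll Publish
with keep-alive, Republish for unacknowledged messages, and HistoryRead backfill.
Constructed for illustration; not the OPC UA protocol itself."""
import threading
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DataValue:
    node: str
    value: float
    status: str       # OPC UA carries a StatusCode; a plain "Good"/"Bad" string here
    source_ts: float  # timestamp of the reading itself, not of its upload


@dataclass(frozen=True)
class PublishResponse:
    sequence: int                          # sequence number of the notification message
    notifications: Tuple[DataValue, ...]   # empty tuple means a keep-alive


class SubscriptionServer:
    """Server side of one subscription. Hypothetical class, not a real SDK type."""

    def __init__(self, max_queue: int = 100):
        self._cv = threading.Condition()
        self._queue: Deque[DataValue] = deque()      # pending, in arrival order
        self._history: List[DataValue] = []          # historian backing HistoryRead
        self._sent: Dict[int, PublishResponse] = {}  # retransmission queue for Republish
        self._seq = 0
        self.max_queue = max_queue
        self.discarded = 0

    def data_change(self, dv: DataValue) -> None:
        """Field value changed: historize it and queue a notification for the client."""
        with self._cv:
            self._history.append(dv)
            if len(self._queue) >= self.max_queue:
                self._queue.popleft()   # queue full: drop the oldest (discard-oldest policy)
                self.discarded += 1
            self._queue.append(dv)
            self._cv.notify_all()

    def publish(self, timeout: float) -> PublishResponse:
        """Long poll: return as soon as anything is queued, else a keep-alive at timeout."""
        with self._cv:
            self._cv.wait_for(lambda: bool(self._queue), timeout=timeout)
            if not self._queue:
                # keep-alive carries the sequence number the next real message will use
                return PublishResponse(self._seq + 1, ())
            batch = tuple(self._queue)
            self._queue.clear()
            self._seq += 1
            resp = PublishResponse(self._seq, batch)
            self._sent[self._seq] = resp   # kept until the client acknowledges it
            return resp

    def acknowledge(self, sequence: int) -> None:
        self._sent.pop(sequence, None)

    def republish(self, sequence: int) -> Optional[PublishResponse]:
        """Return a not-yet-acknowledged message again after a dropped response."""
        return self._sent.get(sequence)

    def history_read(self, node: str, start: float, end: float) -> List[DataValue]:
        """HistoryRead: every historized value of node with start <= source_ts <= end."""
        with self._cv:
            return [dv for dv in self._history
                    if dv.node == node and start <= dv.source_ts <= end]


def fill_gap(srv: SubscriptionServer, node: str, last_seen_ts: float, first_new_ts: float):
    """Client side: fetch readings strictly between the last delivered and the first new one."""
    return [dv.value for dv in srv.history_read(node, last_seen_ts, first_new_ts)
            if last_seen_ts < dv.source_ts < first_new_ts]


def demo() -> dict:
    """Walk through one subscription lifetime and return the observed results."""
    srv = SubscriptionServer(max_queue=3)   # deliberately small so an outage overflows it
    t0 = 1000.0
    # 1. Client holds a Publish; a change arrives 50 ms later and is delivered at once.
    threading.Timer(0.05, srv.data_change, args=[DataValue("Pump1.Flow", 12.5, "Good", t0)]).start()
    first = srv.publish(timeout=2.0)
    srv.acknowledge(first.sequence)
    # 2. Nothing changes: the long poll expires into a keep-alive (the heartbeat).
    keep_alive = srv.publish(timeout=0.1)
    # 3. Short outage: five changes arrive while the client is away; only three fit the queue.
    for i in range(1, 6):
        srv.data_change(DataValue("Pump1.Flow", 12.5 + i, "Good", t0 + i))
    after = srv.publish(timeout=0.1)          # delivered in order once the client is back
    # 4. The client notices the gap in source timestamps and backfills via HistoryRead.
    backfill = fill_gap(srv, "Pump1.Flow", t0, after.notifications[0].source_ts)
    return {
        "first": tuple(dv.value for dv in first.notifications),
        "keep_alive": keep_alive.notifications,
        "after_outage": tuple(dv.value for dv in after.notifications),
        "discarded": srv.discarded,
        "backfill": backfill,
        "sequences": (first.sequence, keep_alive.sequence, after.sequence),
        "republished": srv.republish(after.sequence) is after,   # not yet acknowledged
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the division of responsibility the article relies on: the client decides when to ask and how long to wait, so its timeout doubles as the health check, while the server keeps order, retains unacknowledged messages and holds the historian that covers anything the bounded queue had to drop.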

Cloud deployment

You are likely familiar with using OPC UA locally—running OPC clients and servers, and frequently databases, within a facility for monitoring and data sharing. Conceptually, very little changes as these servers are moved to the cloud. It is a simple and obvious extension to leverage OPC UA technology on remote platforms.

Moving the servers off the local computer has huge potential for cost savings and security improvements. A 24/7/365 team of IT and security experts manage systems in the cloud at a scale that few organizations could justify internally. Computers and operating systems are updated and patched as needed. Applications are protected behind cloud components that are constantly monitored for security issues. Cloud data centers are physically secure systems—protected from break-in and theft of hardware. Intruders must break these defenses before they can attack your data. These benefits are all part of the cost of the services, which are generally less than the costs of providing an in-house system.

The OPC UA server in the cloud is accessible from any authorized OPC UA client, worldwide. All communications with the server are secured and encrypted. We need to understand only one protocol from device to cloud and back with the obvious cost savings and benefits that come with familiarity. The expertise to make connections and transfer data is likely already available in-house—you do not need to outsource to IT developers.

In applications that have exposure to the Internet—almost all SCADA and remote monitoring systems—the security benefits and cost savings of the cloud are compelling. Maintaining OPC servers 24/7 on remote customer sites can be costly. The never-ending need to patch these systems and the potential for hardware failure of a system that is long obsolete are distractions, not central OT tasks. Providing secure access to these systems adds to these challenges. Many failures in this area are often very public and costly for all concerned. Everyone must be responsible for the security of a system, but leveraging the expertise, vigilance, and capabilities of cloud deployment removes some of the burden from OT.

Moving IT infrastructure off site and making it available worldwide in the cloud provides advantages to organizations like sharing data between multiple facilities or tracking remote assets anywhere in the world. Although the physical location of the computer hosting the OPC UA server is relatively unimportant, it is nonetheless possible to host the server geographically close to the assets or facilities being monitored. This can help with compliance to local data requirements by hosting the data in the country of origin.

Moving the server off premises also encourages a natural network segmentation. Systems that only need to communicate with the cloud can be “logically” removed from the facilities network. These systems remain physically connected—they are using the same cables—but viruses, Trojans, and other malware cannot easily travel between the “virtual LANs” (VLANs). Cyberattacks are becoming more common and more sophisticated, but a great many start with social engineering attacks through email—phishing and spear phishing emails that seem legitimate enough that the end user opens them and inadvertently releases a malware attack. There is no single solution, but a remote OPC UA server is more isolated from these attacks and helps guide good security practices throughout the installation.


Scaling up

Using OPC UA servers deployed in the cloud increases security and lowers cost. A cloud-based OPC UA server eliminates proprietary solutions and removes the need for custom gateways and vendor-specific implementations. This leaves you free to choose your cloud provider or to use multiple providers for different projects based on customer preference—and you can change provider. Overwhelmingly, the features of the OPC UA standard match the requirements for a cloud-based deployment—they provide the features we need and already have near-universal support among OT providers.

Cloud resources are generally far more reliable than in-house computers. Failures are rare, and intense system monitoring often provides notice of potential hardware failures so that applications can be moved before the hardware fails completely. You can choose a convenient time to migrate to a healthy system. Cloud data centers have multiple network connections and backup power from both grid-connected and on-site generation.

For very high availability, multiple servers can be deployed. The standard has guidance on redundancy for both clients and servers. In the case of OPC servers, redundancy options include transparent failover—the clients are unaware that a single server has failed and can continue to be served by an alternate server. This architecture permits multiple live servers in the cloud—replication rather than simple redundancy. Multiple servers can provide load balancing and, as a result, additional performance. To protect against the failure of a single data center, servers can be deployed within an “availability zone”—independent but closely located data centers connected together on a very high speed network—or across “regions”—distinct geographical locations.



OPC UA is a collection of specifications. The primary specification, and by far the most widely implemented and recognized, is the “Data Access” standard. Other standards are gaining industry support. Of particular interest in the cloud is the “Historical Data Access” (OPC HDA) specification. This extends the OPC server to include reading and writing historical data as well as real-time transfers. Databases are a huge component of almost any cloud architecture. Modern simple-to-use cloud database dashboards let you set up and configure everything from a small historian to enterprise storage with replication, redundancy, and data encryption. HDA allows any OPC client to use these cloud databases in a transparent, database-independent fashion. This allows you to select different databases based on customer preference or project requirements.

A recent addition to the OPC standard is the “publish-subscribe” model. This provides features similar to the Data Access model with some additional performance and lower overhead. This standard further enhances the benefits of OPC UA in the cloud.


Robust cloud applications

OPC UA makes using the cloud easy and safe. You already know OPC and can create secure, robust cloud and IIoT applications. Moving application data to the cloud lets you do your job better while saving cost and lowering security risks. A vendor-independent, widely implemented standard ensures long-term support and protects your investment in a rapidly changing cloud environment.

This article comes from Volume 1 of the Automation 2021 Ebook: IIoT & Industry 4.0.

About The Author


Jim Redman, as president of ErgoTech Systems, Inc., was delivering what has become “IIoT” systems way back in 1998. ErgoTech’s MIStudio suite reflects his holistic vision to provide a single tool for integration and visualization from sensor to AI, and from tiny IIoT to worldwide cloud. Jim can be reached at [email protected].
