OPC Security

Classic OPC specifications rely on the DCOM security model, in which Windows security protects the OPC Server: Windows Firewall closes DCOM ports, while DCOM Limits and ACLs (component security) prevent individual Windows users or groups from accessing a component.

A huge disadvantage of this model is the “all-or-nothing” effect. Once a client is allowed through these security layers, it can access all interfaces provided by the OPC Server. OPC Security adds another layer, which can make security more granular. By implementing the OPC Security specification in an OPC Server, the programmer can make access to individual objects and interfaces dependent on Access Control Lists. These ACLs need to be configured by the end-user.

To realize OPC security, the OPC Server can implement two additional interfaces: IOPCSecurityNT and IOPCSecurityPrivate.

  • SecurityNT is applied to the Windows user of the OPC Client. The OPC Client can use it without its own implementation of the security specification.

  • SecurityPrivate is for non-Windows users. It is used where security needs to be decoupled from domain security.

A properly implemented security specification is also a huge performance advantage in large OPC architectures (20,000+ items). It can be used to filter the address space for certain user groups, so that the users in these groups only see the items relevant to their groups.

Security for OPC Data Access

Most DA OPC Servers implement the security specification based on the DA address space. Permissions configured in the OPC Server allow a user to perform actions on hierarchy nodes or individual items. Typical actions would be:

  • Read

  • Write

  • Browse / Add Items

Figure 1. Address Space Security

In the above scenario:

  • User A can read only a part of the address space

  • User B can read/write

  • User C cannot browse

How a vendor implements OPC Security inside their OPC Server is not defined; the specification only defines the necessary basics to bring an OPC Client’s user to the OPC Server when it connects.

In normal OPC DA communication, the user can always browse the complete address space. Browsing a very large address space can be a time-consuming operation on some OPC Servers, so using the security specification to limit the view on an address space not only makes an OPC Server more secure, but also increases its reliability.
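
The following added example (not taken from the specification or from any vendor's server) models the Figure 1 scenario: per-user Read/Write/Browse permissions on hierarchy nodes and individual items, and a browse call that returns only the filtered view. The item paths, user names and the "nearest configured ancestor wins, default deny" rule are assumptions, since the specification leaves the server-side implementation open.

```python
# Illustrative model only: the OPC Security specification does not define
# how a server stores or evaluates permissions. Paths, users and the
# "nearest configured ancestor wins, default deny" rule are assumptions.
from enum import Flag, auto


class Perm(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    BROWSE = auto()


# Constructed address space: dot-separated item IDs.
ITEMS = [
    "Plant.Line1.Temp",
    "Plant.Line1.Setpoint",
    "Plant.Line2.Temp",
    "Plant.Line2.Setpoint",
]

# Constructed ACL: node or item path -> {user: permissions}.
ACL = {
    "Plant": {"UserB": Perm.READ | Perm.WRITE | Perm.BROWSE,
              "UserC": Perm.READ},              # may read, cannot browse
    "Plant.Line1": {"UserA": Perm.READ | Perm.BROWSE},
    "Plant.Line1.Setpoint": {"UserA": Perm.NONE},  # item-level override
}


def effective(user, path):
    """Walk from the item up to the root; the nearest entry for the user wins."""
    parts = path.split(".")
    while parts:
        entry = ACL.get(".".join(parts), {})
        if user in entry:
            return entry[user]
        parts.pop()
    return Perm.NONE  # default deny: unknown users and unlisted branches


def allowed(user, path, action):
    """True if the user's effective permissions on path include action."""
    return action in effective(user, path)


def browse(user):
    """Filtered view of the address space: only items the user may browse."""
    return [item for item in ITEMS if allowed(user, item, Perm.BROWSE)]
```

In this model User C can still read an item whose ID it already knows, because Browse is denied independently of Read; a server that should hide such items completely has to deny Read on them as well.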