Access to OPC DA Data


Last updated 2 years ago


References

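  1. Security of OPC DA: https://us-cert.cisa.gov/sites/default/files/recommended_practices/Security Implications for OPC-OLE-DCOM-RPC in ICS_S508C.pdf

  2. Introduction to OPC - https://www.youtube.com/watch?v=E6ELXwzJFgE

  3. OPC Server and Client Data Communications - https://www.youtube.com/watch?v=u6E9uAtyhow

  4. OPC DA and UA DCOM and security issues - https://www.youtube.com/watch?v=0kLXepCuyOw

  5. OPC DA Overview - https://www.win911.com/Enterprise/1/14/1/OPC-DA_Overview.htm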

OPC DA Security and Data Access

The OPC DA server standard was in use during the years 1995-2009. OPC DA defines real-time data access, OPC HDA defines historical data access and OPC AE defines alarms and events access. Together these are known as "Classic OPC". All of them have been replaced by the next generation, known as OPC UA (Unified Architecture).

OPC DA operates on a client/server model. It was originally developed as a way to allow a single OPC DA server to communicate with one or more proprietary PLCs or other SCADA devices. Usually these PLCs or devices were connected via serial lines, before the widespread use of Ethernet on plant networks. The OPC DA server would use inbuilt drivers to speak the (usually) proprietary protocol of the PLCs/devices in order to read data from them or send control commands to them. The OPC DA standard was built around the Windows operating system, sharing out data via DCOM (Distributed Component Object Model).

OPC DA client/server communications across an Ethernet network are authenticated using DCOM, a low-level network interface available ONLY on Windows machines. DCOM is not required when talking to an OPC DA server on the local Windows machine (i.e. not across a network). It is required when talking to a server across a local or remote network. DCOM dates back to Windows NT (in the early 1990s) and introduces very serious security vulnerabilities, even on a local plant's Ethernet network. This DCOM interface IS NOT SECURE and should not be used in a modern network. See Reference 1 (above) from US-CERT, which recommended back in 2006 that it not be used. Opening up DCOM access on a plant network will almost certainly expose the OPC DA server to virus (including ransomware) attacks. Configuring DCOM for maximum security is far from trivial and requires an experienced Windows network security engineer. Not only does DCOM need to be configured, but only Windows clients in the same Windows Domain or Workgroup would be allowed to access the OPC DA server. Overall, opening up access to an OPC DA server represents a very significant security risk and is not recommended by Ardexa.

Recommendations

The options for obtaining data from legacy OPC DA servers are as follows, presented in order. Note that some of these options are not recommended.

  1. Install an OPC DA gateway. This does not change the OPC DA server, and it means that data can be accessed via a much more secure OPC UA connection. There are many software gateways available, such as the "Kepware OPC Connectivity Suite", the "Cogent DataHub OPC Gateway" or the "Unified Automation OPC Expert", and many more. Most of these cost under $1000, and some are significantly cheaper. Ardexa uses OpenOPC (https://github.com/sightmachine/OpenOPC), which is free and allows secure access to the OPC DA data without exposing it on a network via OPC DA.

  2. (Not recommended). Get the data directly from the source, e.g. Port 102 for a Siemens PLC, or via Modbus. This may not be possible if the OPC DA server is connected to the PLCs/devices via serial line(s). Also, allowing Ethernet connections to old, legacy equipment may introduce many more, very serious, security issues.

  3. (Not recommended). Get an OPC DA client to talk to the OPC DA server. This requires DCOM security on the Windows OPC DA server to be configured so that a client can access the Windows server. Unless the DCOM security access is configured by someone with very detailed knowledge of DCOM security, serious security vulnerabilities will be introduced. In any case, DCOM has security vulnerabilities which cannot be patched.
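One way to check the outcome of option 1 from another machine on the plant network, as an added example (not Ardexa's code): the gateway port should answer while the DCOM/RPC port does not. The ports are assumptions not stated on this page (TCP 135 is the Windows RPC endpoint mapper that DCOM relies on, TCP 4840 is the registered OPC UA port), and the function names are hypothetical.

```python
import socket
import sys

# Assumed ports, not taken from this page:
DCOM_RPC_PORT = 135    # Windows RPC endpoint mapper, used by DCOM activation
GATEWAY_PORT = 4840    # registered OPC UA port; change to match your gateway


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unroutable all count as closed.
        return False


def classify(host, dcom_port=DCOM_RPC_PORT, gateway_port=GATEWAY_PORT,
             timeout=2.0):
    """Classify one OPC host as seen from the machine running this check."""
    if tcp_open(host, dcom_port, timeout):
        # DCOM is reachable over the network, whatever else is offered.
        return "DCOM_EXPOSED"
    if tcp_open(host, gateway_port, timeout):
        # Only the gateway answers: the layout option 1 aims for.
        return "GATEWAY_ONLY"
    return "UNREACHABLE"


def audit(hosts, **kwargs):
    """Map each host to its verdict."""
    return {host: classify(host, **kwargs) for host in hosts}


if __name__ == "__main__":
    # Hosts come from the command line; 127.0.0.1 is a constructed default.
    targets = sys.argv[1:] or ["127.0.0.1"]
    for host, verdict in audit(targets).items():
        print(f"{host}: {verdict}")
```

The verdict describes reachability from the machine running the check only, so run it from the network segment where clients sit.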

https://us-cert.cisa.gov/sites/default/files/recommended_practices/Security Implications for OPC-OLE-DCOM-RPC in ICS_S508C.pdf
https://www.youtube.com/watch?v=E6ELXwzJFgE
https://www.youtube.com/watch?v=u6E9uAtyhow
https://www.youtube.com/watch?v=0kLXepCuyOw
https://www.win911.com/Enterprise/1/14/1/OPC-DA_Overview.htm
https://github.com/sightmachine/OpenOPC