\n| OPC UA security modes \u2014 choosing the right policy<\/td>\n | OPC UA supports multiple security policies (None, Sign, Sign & Encrypt) and algorithms (Basic256Sha256, Aes128_Sha256_RsaOaep, Aes256_Sha256_RsaPss). Choosing incorrectly creates either security gaps or unnecessary performance overhead<\/td>\n | For all production connections: use Sign & Encrypt with Aes256_Sha256_RsaPss or Aes128_Sha256_RsaOaep. Reserve Security Mode: None for isolated test environments only<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n10. OPC UA migration and regulatory compliance<\/h2>\nOPC UA migration is not just a technical upgrade, in many jurisdictions and sectors it is becoming a compliance requirement. Here is how migration maps to the frameworks most relevant to industrial operators.<\/p>\n NIS2 Directive (European Union)<\/h3>\nApplicable to medium and large operators of essential services across manufacturing, energy, water, transport, and healthcare sectors in the EU. NIS2 (effective October 2024) requires appropriate technical cybersecurity measures including encrypted communications and access controls for OT systems. Migrating to OPC UA – with its AES-256 encryption and certificate-based authentication – directly addresses the encrypted communications requirement. The OPC UA Wrapper allows EU operators to demonstrate compliance progress on existing infrastructure without a full replacement programme.<\/p>\n NERC CIP (North America: energy sector)<\/h3>\nNERC CIP standards require bulk electric system operators to maintain Electronic Security Perimeters with precise, auditable communication controls. DCOM’s dynamic port requirements make this technically challenging to achieve cleanly. Replacing DCOM-exposed OPC Classic connections with OPC UA Wrapper-mediated connections reduces the Electronic Security Perimeter to a single, configurable port significantly simplifying NERC CIP compliance for OT network boundaries.<\/p>\n IEC 62443 (global: industrial cybersecurity)<\/h3>\nIEC 62443 Zone and Conduit models require defined, controlled communication paths between security zones. OPC UA provides the encryption, authentication, and access control primitives that IEC 62443-compliant conduit design requires. The Wrapper approach – containing DCOM to a local zone and exposing only OPC UA at the conduit boundary – is a practical implementation of IEC 62443 conduit security for brownfield environments.<\/p>\n FDA 21 CFR Part 11 \/ EU Annex 11 (pharmaceuticals)<\/h3>\nBoth regulations require electronic records to be trustworthy and traceable, with audit trails for all significant system operations. OPC UA’s session-level audit logging, recording connection events, data access, and write operations, supports the audit trail requirements. User authentication via OPC UA certificates or username\/password over an encrypted channel supports the individual user accountability requirements of both regulations.<\/p>\n 11. Migration by industry<\/h2>\nManufacturing (EU and North America)<\/h3>\nManufacturing organisations face a dual pressure: NIS2 compliance timelines (EU) and the growing expectation from Tier 1 customers that supply chain OT networks meet minimum cybersecurity standards. The OPC UA Wrapper provides an immediate, demonstrable improvement in security posture without the capital expenditure of a full system replacement, making it straightforward to present to management as a compliance investment with defined ROI.<\/p>\n Oil and gas (global: North America, Middle East, North Sea)<\/h3>\nWellsite and refinery environments combine decades-old process control infrastructure with modern requirements to stream data to cloud historians, AI analytics platforms, and corporate data warehouses. OPC Classic servers are common in these environments – as are strict uptime requirements that make any migration involving process downtime very difficult to justify. The Wrapper-based approach, which requires no changes to existing servers, is the appropriate migration path for most upstream and downstream oil and gas deployments.<\/p>\n Energy and utilities (North America – NERC CIP)<\/h3>\nNERC CIP Electronic Security Perimeter requirements directly motivate migration away from DCOM. Utilities that have historically run OPC Classic across their OT network for SCADA-to-historian communication can use the OPC UA Wrapper to replace those wide-area DCOM connections with single-port OPC UA connections improving both security posture and NERC CIP auditability simultaneously.<\/p>\n Pharmaceuticals (US – FDA 21 CFR Part 11; EU – Annex 11)<\/h3>\nBatch manufacturing systems using OPC Classic for process data collection face increasing scrutiny in regulatory audits over the adequacy of their audit trails. Deploying the OPC UA Wrapper adds encryption and session-level logging to existing OPC Classic data flows, providing the traceability evidence that 21 CFR Part 11 and Annex 11 auditors require.<\/p>\n 12. How to get started<\/h2>\nOPC UA migration does not need to start with a full programme plan. The most effective approach is to begin with a contained deployment that delivers immediate security benefit and builds organisational confidence in the migration path.<\/p>\n Step 1: Identify your highest-exposure OPC Classic connections.<\/strong> Start with OPC Classic servers that are accessible from the IT network, from cloud platforms, or from remote access VPNs. These carry the most DCOM exposure risk and will deliver the most immediate security improvement.<\/p>\nStep 2: Deploy the OPC UA Wrapper on those connections.<\/strong> The Wrapper is a plug-and-play deployment – no changes to existing OPC Classic servers, no PLC modifications. Configure the OPC UA<\/a> side with Sign & Encrypt security. New client connections to those servers now use OPC UA.<\/p>\nStep 3: Configure address space and verify data integrity.<\/strong> Use the Wrapper’s configuration tool to review the automatically mapped address space. Validate that data values, historical records (if using HDA), and alarms (if using AE) are being correctly bridged. Integration Objects provides step-by-step configuration documentation<\/a> and video tutorials<\/a> for this process.<\/p>\nStep 4: Establish your certificate management process.<\/strong> Even for a small initial deployment, putting a certificate management process in place from the start saves significant operational overhead later. For larger deployments, implement a Global Discovery Server.<\/p>\nStep 5: Plan the broader migration roadmap.<\/strong> With the Wrapper in place and working, plan the phased replacement of remaining OPC Classic servers aligned with system refresh cycles and budget planning.<\/p>\n13. Frequently asked questions<\/h2>\n |