{"id":475,"date":"2019-10-25T14:51:43","date_gmt":"2019-10-25T14:51:43","guid":{"rendered":"http:\/\/opcconnect.integrationobjects.com\/?p=475"},"modified":"2026-04-03T15:11:10","modified_gmt":"2026-04-03T15:11:10","slug":"secure-opc-data-transfers","status":"publish","type":"post","link":"https:\/\/integrationobjects.com\/blog\/secure-opc-data-transfers\/","title":{"rendered":"Secure OPC Data Transfer Across Industrial Networks: A Complete Guide"},"content":{"rendered":"\r\n

Securing OPC data transfers is one of the most pressing challenges in modern industrial automation. OPC Classic was built for closed, trusted networks – not the IT\/OT-integrated, cloud-connected environments most industrial organizations now operate. As industrial data pipelines stretch from PLCs and SCADA systems through enterprise IT networks and into cloud platforms, every hop in that journey is a potential security exposure.<\/p>\r\n

This guide explains why OPC data transfer security matters, what the specific risks are for OPC Classic and OPC UA environments, how a DCOM-free, encrypted architecture looks in practice, and how to implement it using proven industrial tools.<\/p>\r\n

Why securing OPC data transfers is critical<\/h2>\r\n

OPC data carries real-time process values, alarm states, historical trends, and equipment telemetry – the operational intelligence that drives production decisions, safety responses, and predictive maintenance. When that data is intercepted, tampered with, or disrupted, the consequences go beyond a data breach: they can affect physical processes, compromise safety systems, and cause operational downtime.<\/p>\r\n

Three structural factors make OPC data transfer security particularly challenging:<\/p>\r\n

OPC Classic’s dependence on DCOM.<\/strong> OPC DA, HDA, and AE use Microsoft’s DCOM<\/a> protocol for remote communication. DCOM was designed for closed, trusted Windows networks and has no native encryption. OPC traffic transmitted over raw DCOM can be intercepted by anyone with network access between the client and server machines. Beyond confidentiality, DCOM’s authentication model is weak by modern standards – a vulnerability Microsoft acknowledged with the CVE-2021-26414<\/a> hardening update in 2023.<\/p>\r\n

Expanding network perimeters.<\/strong> Industrial networks that were once fully air-gapped now connect to corporate IT networks, remote monitoring platforms, and cloud services for analytics, reporting, and AI-driven insights. Each new connection is a potential ingress point. Data flowing from a SCADA historian to an Azure or AWS environment crosses multiple network boundaries, each of which must be secured without disrupting data continuity.<\/p>\r\n

Lack of encryption by default.<\/strong> Neither OPC Classic nor older OPC UA deployments always enforce encryption in practice. Many industrial installations run with OPC UA’s security mode set to “None” for simplicity, and OPC Classic has no encryption capability at all at the protocol level. This means sensitive process data often travels in plain text across networks that are less isolated than operators assume.<\/p>\r\n

OPC Classic vs OPC UA: security differences<\/h2>\r\n

Understanding the security gap between OPC Classic and OPC UA is essential before choosing a secure transfer approach.<\/p>\r\n

OPC Classic (DA, HDA, AE)<\/strong> has no built-in transport security. All remote communication goes through DCOM, which relies on Windows authentication and does not encrypt the data payload. Securing OPC Classic traffic requires either layering a tunneling solution on top (which provides encryption and replaces DCOM)<\/a> or migrating to OPC UA entirely. Firewall traversal is complex – DCOM uses port 135 plus dynamic high ports, making it very difficult to lock down properly.<\/p>\r\n

OPC UA<\/strong> was designed with security as a core requirement. It uses its own TCP-based transport stack, supports TLS encryption, X.509 certificate-based authentication, and has three defined security modes: None, Sign, and Sign & Encrypt. When correctly configured with Sign & Encrypt mode, OPC UA provides strong end-to-end security without requiring any additional tunneling layer. However, “correctly configured” is the key phrase, many real-world OPC UA deployments run in None or Sign-only mode, leaving data unencrypted in transit.<\/p>\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\n

\u00a0<\/p>\r\n<\/td>\r\n

OPC Classic (DA\/HDA\/AE)<\/strong><\/td>\r\nOPC UA<\/strong><\/td>\r\n<\/tr>\r\n
\r\n

Native encryption<\/p>\r\n<\/td>\r\n

\r\n

None<\/p>\r\n<\/td>\r\n

\r\n

TLS (when configured)<\/p>\r\n<\/td>\r\n<\/tr>\r\n

\r\n

Authentication<\/p>\r\n<\/td>\r\n

\r\n

Windows\/DCOM<\/p>\r\n<\/td>\r\n

\r\n

X.509 certificates<\/p>\r\n<\/td>\r\n<\/tr>\r\n

\r\n

Firewall-friendly<\/p>\r\n<\/td>\r\n

\r\n

No (dynamic ports)<\/p>\r\n<\/td>\r\n

\r\n

Yes (single TCP port)<\/p>\r\n<\/td>\r\n<\/tr>\r\n

\r\n

Security mode options<\/p>\r\n<\/td>\r\n

\r\n

None<\/p>\r\n<\/td>\r\n

\r\n

None \/ Sign \/ Sign & Encrypt<\/p>\r\n<\/td>\r\n<\/tr>\r\n

\r\n

Requires tunneling for security?<\/p>\r\n<\/td>\r\n

\r\n

Yes<\/p>\r\n<\/td>\r\n

\r\n

No (if properly configured)<\/p>\r\n<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n

What a secure OPC data transfer architecture looks like<\/h2>\r\n

A robust secure OPC data transfer architecture addresses three layers: transport security (how data moves), access control (who can read or write what), and reliability (what happens when the connection drops).<\/p>\r\n

The reference architecture: OPC Easy Archiver + OPCNet Broker\u00ae<\/h3>\r\n

Integration Objects’ OPC Easy Archiver<\/a> and OPCNet Broker\u00ae<\/a> together form a complete, DCOM-free, encrypted OPC data pipeline. Here is how each component contributes and how they work together.<\/p>\r\n

OPCNet Broker\u00ae: secure DCOM-free transport layer<\/strong><\/p>\r\n

OPCNet Broker\u00ae<\/a> sits on the OPC server side and replaces DCOM entirely as the communication transport. OPC clients connect to OPCNet Broker\u00ae locally (avoiding remote DCOM), and OPCNet Broker\u00ae handles all remote communication using a single, configurable TCP port – making firewall rules simple and predictable.<\/p>\r\n

Security features OPCNet Broker\u00ae provides at the transport layer:<\/p>\r\n