PLC and OPC UA: Modernising the Plant Without Stopping Production

Actualizado: 2026-05-03

OPC UA (Open Platform Communications Unified Architecture) is the standard communication protocol for industrial integration in the Industry 4.0 context. While proprietary protocols (Profibus, Modbus, EtherNet/IP) continue in the plant — and will for decades — OPC UA provides the unified integration layer toward IT that makes modern SCADA, digital twins and MES/ERP integration possible. This article covers how to adopt it on an existing plant without stopping production.

Key takeaways

• OPC UA is vendor-agnostic, platform-neutral, and has built-in security (TLS, X.509, authentication); Modbus has none of those properties.
• The gateway approach is most common for modernising legacy plants: an edge server reads PLCs via existing protocols and exposes OPC UA toward IT without touching the PLCs.
• Incremental migration in three phases (observer, bidirectional, consolidation) minimises production risk.
• Companion Specifications make integrations predictable and portable across manufacturers.
• NIS2 pushes OT compliance: OPC UA with active security is part of the correct answer.

Why OPC UA versus existing protocols

Modbus has been in plants for decades for its simplicity. EtherNet/IP and Profibus have mature ecosystems. But none of the three offers what OPC UA has out of the box:

• Vendor-agnostic: works with Siemens, Rockwell, Omron, Schneider, ABB.
• Platform-neutral: Windows, Linux, embedded, cloud.
• Built-in security: TLS, X.509, user and application authentication, audit logs.
• Rich information models: not just tag values, but semantics (Companion Specifications).
• Pub-sub since 1.04: publish/subscribe for distributed architectures.
• IEC 62541 standard: international normative backing.

The difference from Modbus is not only technical: it is the difference between a low-level communication protocol and a complete industrial integration platform.

The typical architecture

[PLCs]  ←— Profibus/EtherNet/IP —→  [OPC UA Server Gateway]
                                           ↓ OPC UA
                                     [SCADA/MES/Historian/Cloud]

The OPC UA server can be:

• Embedded in the PLC: modern Siemens S7-1500, current Rockwell ControlLogix have native OPC UA.
• Separate gateway: Kepware, Matrikon, Softing for legacy PLCs that do not speak OPC UA.
• Edge compute: Linux box with open-source server (e.g. open62541) for maximum flexibility.

For legacy plants, the separate gateway is the most common path: it requires no changes to PLCs, which continue doing their job with existing protocols.

Companion Specifications: real interoperability

Companion Specifications are industry-standard OPC UA information models, defined by the OPC Foundation consortium together with industry associations:

• OPC UA for Machinery: general machinery.
• Robotics CS: standardised robot information.
• PackML: packaging and filling lines.
• Energy CS: energy monitoring.
• Food & Beverage CS: food industry.

Adhering to the sector’s Companion Spec means a SCADA dashboard built for one machine works with any other machine that also implements it, regardless of manufacturer. It is the OT equivalent of an OpenAPI spec in the web world.

Basic example with open62541

open62541^[1] is the reference open-source C implementation:

#include <open62541/server.h>

int main(void) {
    UA_Server *server = UA_Server_new();
    UA_ServerConfig_setDefault(UA_Server_getConfig(server));

    UA_VariableAttributes attr = UA_VariableAttributes_default;
    UA_Int32 temperatureValue = 250; // example: 25.0°C in tenths
    UA_Variant_setScalar(&attr.value, &temperatureValue, &UA_TYPES[UA_TYPES_INT32]);
    attr.description = UA_LOCALIZEDTEXT("en-US", "Temperature sensor");
    attr.displayName = UA_LOCALIZEDTEXT("en-US", "Temperature");

    UA_Server_addVariableNode(server, UA_NODEID_NULL,
                              UA_NODEID_NUMERIC(0, UA_NS0ID_OBJECTSFOLDER),
                              UA_NODEID_NUMERIC(0, UA_NS0ID_HASCOMPONENT),
                              UA_QUALIFIEDNAME(1, "Temperature"),
                              UA_NODEID_NUMERIC(0, UA_NS0ID_BASEDATAVARIABLETYPE),
                              attr, NULL, NULL);

    UA_Boolean running = true;
    UA_Server_run(server, &running);
    UA_Server_delete(server);
}

For production projects, commercial solutions like Kepware KEPServerEX or Matrikon OPC UA are more production-ready with included support and certifications.

Incremental migration in three phases

Phase 1: Observer (weeks, zero risk)

• Deploy an edge OPC UA gateway that reads PLCs via their existing protocols.
• Expose data via OPC UA to IT consumers (new SCADA, historian, cloud).
• Touch nothing on current PLCs.

PLCs keep doing exactly what they were doing. Only visibility is added.

Phase 2: Bidirectional (months, controlled risk)

• Enable controlled writes via OPC UA: setpoints, sequence start/stop.
• Strict permissions: no destructive writes.
• Complete audit of who writes what and when.

This phase requires careful validation with the automation team: what can be written remotely, within what limits and with what authorisation.

Phase 3: Consolidation (years, by sector)

• Gradually replace legacy SCADA using proprietary protocols.
• Direct MES and ERP integration via OPC UA.
• Digital twin fed in real time by OPC UA.

OT timelines are long: an industrial asset may have a 20–30 year service life. Consolidation is a years-long process, not months.

OT security: the critical point

OPC UA has the most complete security stack of any industrial protocol:

• Message Security: Sign + Encrypt with X.509.
• User authentication: user/password, certificates, Kerberos.
• Application authentication: mutual client-server certificates.
• Audit logs: who accessed what and when.

The real problem: many legacy implementations have security disabled to simplify initial configuration. Activating it is an operational responsibility, requires certificate management and has implications for the asset lifecycle.

NIS2 pushes directly in this direction for operators of critical infrastructure and manufacturers in essential sectors. See NIS2 transposition status for the full regulatory context.

Bridges toward IT

OPC UA does not end at SCADA: industrial data must reach IT systems for analysis, reporting and decision-making:

• OPC UA → MQTT: for cloud IoT platforms (AWS IoT, Azure IoT Hub).
• OPC UA → Kafka: for streaming to the data lake and real-time analytics.
• OPC UA → REST: APIs for business applications.
• OPC UA → InfluxDB (via Telegraf): historian for industrial time series.

Each bridge exposes industrial semantics in the format IT understands without losing the information model.

Ecosystem tools

• UAExpert: reference client for diagnostics and address space exploration.
• Kepware KEPServerEX: industry-standard gateway with drivers for hundreds of PLCs.
• Siemens OPC UA (TIA Portal): integrated into Siemens’ programming environment.
• Node-RED + OPC UA nodes: quick integrations for prototypes and edge computing.
• InfluxDB Telegraf OPC UA input: direct scrape to time series.

OPC UA pub-sub: for distributed architectures

Since version 1.04 of the standard, OPC UA supports publish/subscribe in addition to the classic client-server model:

• UDP multicast: ultra-low latency on the same LAN.
• MQTT: IoT platform integration.
• AMQP: enterprise messaging.

For architectures with many publishers and many subscribers — production lines with dozens of machines — pub-sub scales better than the client-server model.

Real cases

• Siemens MindSphere: pervasive OPC UA in the industrial IoT platform.
• Bosch Connected Industry: OPC UA as integration pillar.
• European petrochemical plants: OPC UA mandatory for new assets in several groups.

Conclusion

OPC UA is the de facto standard for modern industrial integration and the gateway to Industry 4.0. Adopting it incrementally — observer mode first, bidirectional later, gradual consolidation — minimises risk in production plants. Companion Specifications make integrations predictable and portable across manufacturers. For legacy plants with PLCs lacking native OPC UA, gateways enable adoption without replacing hardware. NIS2 adds regulatory urgency for the sector. The tools ecosystem — both open-source and commercial — is mature enough for production projects.

1. open62541