OPC-UA makes subsea control more secure

headshot_darek_kominekby Darek Kominek, Matrikon

A new interface standard for subsea control systems, called MDIS, based on OPC-UA, is being developed to make communications between subsea and top side control systems more robust and less expensive to implement in terms of the time and effort needed to setup and maintain them.

The standard addresses communications between ‘Master Control Systems’ or MCSs, which typically tie together subsea equipment, and a ‘Distributed Control System’, or DCS, which performs a similar function topside. In other words, the standard aims at enabling many subsea components to be more easily controlled and monitored from one central control centre.

OPC-UA, the latest version of the OPC Foundation’s OPC standard, was chosen as the communications backbone based in part on its platform and OS independence, powerful data modelling capabilities, and flexible connectivity options. OPC-UA replaces the original OPC specifications that are now commonly referred to as classic OPC.

Unlike OPC-UA, classic OPC could only be run on Windows-based PCs because it relied on Microsoft’s proprietary “COM” (Component Object Model) and “DCOM” (Distributed Component Object Model) technologies to facilitate everything from security to the exchange of messages between OPC clients and OPC Servers.

As a dominant OS, Windows continues to be a prime target for hackers and malware applications that focus on exploiting the vulnerabilities inherent in the broad functionality that was built into the DCOM sub-system.

Based on such concerns, IT departments typically blocked DCOM communications outside of their networks using firewalls. This protected the control and operations networks with the unfortunate side effect of effectively shutting down classic OPC traffic.

“DCOM was not well suited for use in an industrial environment where uninterrupted access to control automation data is essential,” says Darek Kominek, global marketing manager for Matrikon OPC, a company which provides control automation data connectivity products based on the OPC standard.

Since OPC-UA does not require a Windows server to sit between control systems to facilitate sharing data between them, it can now be embedded directly on the devices and control systems themselves — making it possible for systems to communicate directly with each other as long as an OPC interface is available via wired or radio (wireless).

OPC-UA can carry different types of data. The main three are: streaming real time information; transferring archived data from a historian (e.g. if you want to view a graph of a day’s worth of data for a particular temperature sensor); and alarms and conditions (e.g. to display an alarm when the temperature moves out of an acceptable temperature range).

It can work in environments with data disconnections, and can also work over wireless and satellite.

Designed for use in virtually every environment, OPC-UA can be embedded on devices with low power microprocessors and limited memory (eg. like a smart phone processor). In addition, OPC-UA can even be implemented on devices that do not use an operating system.

OPC-UA includes robust modelling capabilities, which means you can fully describe systems (like a valve, production line, or even an entire plant) without losing the context of what the various status and control readings mean.

This can be used to allow OPC-UA clients to acquire complete device data from the OPC-UA servers they connect to, reducing configuration errors and setup time. In contrast, OPC Classic only provided individual reading values with no mechanism to tie them together to identify which points were related the same piece of equipment.

On the topic of security: OPC UA was built from the ground up with security best practices at every step.

“When OPC Classic was developed, awareness of security concerns were not so great compared to what we take for granted in today’s highly inter-connected world,” says Kominek.

“Companies generally thought that the proprietary communications protocols were so complicated no hacker would be able or willing to take the time to figure them out. In addition, most control systems were quite isolated with no link to the internet anyway.
High visibility examples, like STUXNET, removed all doubt that control automation security is a key issue that must be addressed.”

Matrikon builds tools to help equipment vendors embed OPC-UA in their devices. It also designs OPC servers and software for doing the data conversions required by OPC Classic.

Acronyms

UA stands for ‘unified architecture’.

OPC stands for Open Platform Communications”. The explanation of the acronym was changed in 2011.

Previously OPC stood for “OLE for Process Control”. OLE stands for “Object Linking and Embedding.” The OPC standard was originally developed in 1996.

The MDIS group

The OPC-UA standard form the OPC Foundation, has been adopted to serve as the communications backbone for a standard being developed by a group of companies under the name “MDIS,” which stands for MCS DCS Interface Standardization.

Companies involved include ABB, Aker Solutions, BP, Cameron, Chevron, ConocoPhillips, Dril-Quip, Emerson, ENGlobal, ExxonMobil, FMC Technologies, GE Oil and Gas, Honeywell, Invensys, WoodGroup Kenny, Kongsberg, Petrobras, Proserv, Rockwell Automation, Shell, Siemens, Statoil, Total, W-Industries, Woodside and Yokogawa.

The group is managed by OTM Consulting, part of technology company Sagentia. For more information, visit http://www.mdis-network.com

It has a number of different groups, including some identifying what are the best objects to manage, and other groups “validating” the standard (checking that everything works).

Interconnectivity with OPC Classic

OPC-UA standard was designed to maximize interconnectivity, while retaining compatibility with the previous generation of OPC (OPC Classic).

For example, if you have a user interface (known in the jargon as a HMI or Human Machine Interface) that is based on classic OPC connectivity, it is still possible for it to acquire data from new OPC-UA sources by using an OPC-UA Proxy (an application that translates between OPC-UA servers and classic OPC clients).

Today, the majority of OPC installations are still based on classic OPC and will continue to do so because once it is installed, automation equipment typically runs for a decade or more before being upgraded.

“One of the smart things that OPC Foundation did was to ensure that its existing classic OPC install base was not left behind in favour of the new UA standard. This allowed companies to preserve the investments they made in classic OPC infrastructure while being able to gradually migrate to OPC-UA, ” says Kominek.

Original article appeared in May 19, 2014 issue of Digital Energy Journal.