11/18/2008
Well we won’t actually find out what the survey says until everyone finishes filling it out. If you live and breath OPC as most Foundation members do, then the direction and focus of the OPC Foundation is important to you. Therefore it is important that your voice should be heard and that you get the chance to help drive the future of the OPC Foundation.
Take 5 minutes and fill out the OPC Survey.
The data collected from these surveys do produce results. In previous data gathering exercises, the end-users have professed their demands for quality products from vendors. The result was the creation of the exhaustive certification program that includes self testing, interoperability workshops, and the new third-party certification lab. Products that are certified through all three venues provide the highest quality and reliable products.
Another way to supply feedback is by leaving comments on this blog and the forums on the OPC Foundation website and other OPC sites.
Now stop reading this, and go fill out that survey J 11/12/2008
Wow, there are a lot of things going this next couple of months in OPC. T’is the season for conferences, user groups and symposiums. Summer vacations are well and gone and there are just a few weeks before the start of the holiday season. Here’s a quick list of what’s happening on both sides of the pond:
OPC Training Seminar in Richmond on November 13, 2008
Last notice for this event, since it starts tomorrow. This is last one of the year for the vendor-neutral OPC training seminars. This one is in Richmond, VA at the Marriott Richmond located at 500 East Broad Street, Richmond, Virginia 23219. As usual the program will begin with a continental breakfast and registration at 8:00 a.m. followed by program start at 8:30 a.m. To register for this event, please click here.
OPC Foundation Europe at the SPS/IPC/Drives November 25-26, 2008 Nuremberg, Germany
The OPC Foundation Europe will have presentations on OPC Classic and OPC Unified Architecture at SPS/IPC/Drives conference. Event runs Nov 25-26, 2008 in Nuremberg Germany. Be sure to drop by and visit the booth Hall 6 – 244.
There is an additional free presentation, “OPC UA at a Glance” on November 26 in Room 111 / Service Center 1. Presentations given in both German and English.
SPS/IPC/DRIVES is the exhibition for electric automation technology. It covers all components down to the system and offers herewith integrated automation solutions. More info here.
OMAC Symposium--Evolve Your Systems, December 3-4, 2008
Register now for the second annual OMAC Integration Symposium--EVOLVE YOUR SYSTEM. Total System Evolution--the theme of this year's event--embraces all industries and is vital to the advancement and improvement of our processes, business functions, and ultimately our ability to meet the changing needs of our customers.
This event will be on December 3-4, 2008 at Partners in THINC, Charlotte, North Carolina.
Insightful presentations from across industry
- Emerging technology
- OPC
- PLM
- Robotics
- Connect-and-Pack™
- Hands-on demonstrations in the Partners in THINC
Check out the preliminary agenda and other information here.
SCS 2008 in Paris December 2-5, 2008.
The OPC Foundation will be present at SCS 2008 in Paris December 2-5, 2008.
The press release on this event reads: “More than ever, energy efficiency will be a core concern for businesses visiting the SCS Paris exhibition. A precise analysis of a company's energy consumption reveals ways of making savings and hence improving productivity and competitiveness.”
Those interested in sponsoring this event and exhibiting their products and services should contact ichel.Condemine@opcfoundation.org for more information. Registration deadlines are November 13th and 24th.
And for the arm-chair traveler, or those who are done jetting around until the holidays, you can keep up to date with the latest newsletters.
OPConnect – Issue 18
“Welcome to the November edition of OPConnect, the official newsletter of the OPC Foundation. As this is the final issue of OPConnect for 2008, I'd like to wrap up some of our recent successes and highlight our plans for 2009.
One of the major items the OPC Foundation has been working on is OPC Unified Architecture (UA) development. By facilitating vendor adoption of OPC UA, we anticipate that by the end of 2009 there will be more than 40 vendors who have support for OPC UA built into their products. This adoption curve is critical as OPC UA provides all the technology to completely interoperate and integrate existing classic OPC products into next-generation solutions... Read more”
OPC Update – Issue 3
OPC Products, News, Articles, Application Stories, Training, Events & Resources. Read OPC Update to find the latest products, news, articles, application stories, events, training and resources relating to OPC. More here.
That’s all I got. If I missed anything, drop me a note and I’ll add it to the list. 10/27/2008
Ready to Go. That was the message from Reinhold Achatz, head of Siemens Corporate Research and Technologies and OPC Foundation Board member, in his opening keynote address at the OPC UA 2008 DevCon in Munich this morning. This pronouncement is backed by real action. Siemens has already released a major OPC UA enabled product line and is using OPC UA technology on a large power project. “For a company like Siemens to commit to releasing both a product line AND use the technology on a significant project is not a simple decision. We have to know that the technology we choose is reliable, and ready to be used in an industrial environment. We believe OPC UA is ready to go”
In September 2008, Siemens released their SIMATIC NET OPC UA product which supports an OPC UA Server built on the OPC UA C++ implementation, as well as an OPC UA Client built using the OPC UA .NET SDK. Achatz also outlined a Control Center Energy Transmission & Distribution project that uses OPC UA standardization work in IEC TC 57 WG 13 and is built using the C++ implementation. This leaves little doubt that OPC UA is ready for primetime applications in the industrial setting.
The rest of the afternoon sessions built on the theme of OPC UA as a ready to go technology. Tom Burke gave presentations on the motivating factors behind OPC and why so many companies are working on making OPC UA a success. Jim Luth and Juergen Lange gave talks on more of the details of OPC UA and its architecture while Paul Hunkar outlined the process and importance of Certification and Compliance. All and all an exciting first day.
Tomorrow promises more OPC UA details, demos and discussions. Stay tuned. 10/8/2008
OPC Foundation’s European Interoperability Workshop 2008 is happening this week in Nürnberg, Germany and runs from 1:00 PM on Monday, October 6th through Noon on Friday, October 10th. If you’re not there, looks like you missed the last one for this year. I’ll just assume as a committed OPC vendor you’ve attended either the North American IOP last April or the Japanese IOP at Tokyo in June.
If not, you’ve missed out on the opportunity to validate your products and correct any interoperability problems. Users get to validate Data Access (V1, V2 and V3) interoperability, XML-DA, Alarms and Events and Historical Data Access. In order for a DA Client to qualify to use the new 'Self-Tested' logo, the product must be tested at an Interoperability Workshop with other DA Servers and it must pass a supervised test with the OPC Analyzer. The interoperability workshops are the main venue where clients are tested with the Analyzer, so this is your chance to qualify for the new logo.
If your member company is there, you can follow the testing results on-line. I can see that our man-on-the-street, Curtis, is running the MatrikonOPC Desktop Historian and the OPC Security Gateway through the paces against Servers from Cyberlogic, Siemens, Wonderware and Kongsberg Marine. And of course the OPC Foundation compliance and testing tools too. The list of companies testing Clients against the MatrikonOPC servers is even longer. J Is your company there? How is their testing going?
If for some unavoidable reason you missed all three IOP events this year, don’t despair there are more events lining up for 2009, including more chances to validate OPC UA products.
It is also possible to have the OPC Foundation Compliance tests run via a remote connection which allows the tests to be performed outside of the Interoperability Workshop. There is a fee for this service and you can get more information by contacting the OPC Foundation at LabRequest_AT_opcfoundation.org. 10/2/2008
In case you missed the latest news, here is the OPC Foundation announcement on the OPC Analyzer Devices Integration draft specification release date.
The OPC Foundation has announced the release date for the OPC Analyzer Devices Integration draft specification for review. The OPC Foundation working group, composed of end-users: Abbott, Arla Foods, GlaxoSmithKline, Pfizer and vendors: ABB, CAS, Kaiser Optical Systems, Malvern Instruments, Mettler-Toledo AutoChem, Siemens, Software Toolbox, Sympatec, Thermo Fisher Scientific, Umetrics, and Yokogawa representing both Process Analytical Technology (PAT) and laboratory industries, are developing an information model for analyzer devices to allow plug-and-play multivendor interoperability. The Analyzer Device Integration working group is developing a common method for data exchange and an analyzer data model for process and laboratory analyzers. The model is developed as a logical extension of the OPC UA specifications. The release date for the draft specification is December 2008.
"PAT users are looking for true plug-and-play interoperability. A well defined information standard and its implementation such as OPC-ADI is a great step in that direction. OPC-ADI can help minimize custom integrations that users have to take on themselves. This directly will improve the time to benefit from PAT implementations" said Lou Pillai, Director, Strategic Architecture at Pfizer.
"Since its launch in February 08, the OPC Foundation Analyser Device Integration (ADI) Group has steadily developed in terms of numbers of participants and importance to the Pharmaceutical Industry to become one of the key activities to enable and expedite future PAT & Quality by Design initiatives. By quickly recognising the critical role that process & laboratory analyser connectivity, control & integration play when creating a QbD Data Management Infrastructure, the group - comprising analyser and automation vendors, systems integrators and end users - has focused on the current issue of multiple vendor data formats and protocols to begin to create an industry standard approach using the principles of OPC Unified Architecture (UA).
The OPCF ADI UA specification will ultimately provide an open standard to resolve todays analyser integration & data exchange challenges and empower the industry to achieve improved process understanding, real-time process and quality control, and its ultimate goal, Real Time Release" said Phil Litherland, Technical Director of Process Analysis & Control Technologies for GlaxoSmithKline.
"We are focusing on bringing new analyzer device types into the development labs as well as into production facilities. Sometimes integration is needed just to test out the instrument. Thus it is crucial for us to be up and running with the analyzer connected to our MES platforms in hours, not days. An OPC Analyzer Device Interface supported by vendors will give us the speed and flexibility we need to implement reliable and adaptive integration. Adaptive integration will give us the ability to add additional instrument information as the need arises in a structured and standard way" adds Arne Svendsen, Head of Manufacturing IT for Arla Foods.
"Based on experience in PAT implementations, we recognize the complexity and effort of interfacing with a variety of analyzers. Standardization has proven its ability to increase efficiency and reliability; a common standard for analyzer integration offers opportunities to reduce complexity, cost and risk" said Pascal Marly, Sr. Consultant PAT for Siemens.
The OPC Analyzer Device Interface is based on the OPC-Unified Architecture specification. OPC Unified Architecture is designed to facilitate building complex systems that are composed of products from multiple vendors and providing the infrastructure for integration to solve both simple and complex information integration opportunities.
"The OPC ADI effort demonstrates the commitment of the OPC Foundation to providing standard, workable interfaces, to the wide range of industrial devices used in modern manufacturing environments. The ADI effort builds on the secure, reliable, and standards based communication methods built into OPC-UA." said Tom Burke, President of OPC Foundation.
The OPC-ADI interface is planned to support a wide range of existing and future analyzers including but not limited to: Spectrometers (IR/NIR, visible, UV, Raman), particle size analyzer, chromatographs (Gas, Liquid), acoustic and TeraHertz spectrometers, Nuclear Magnetic Resonance spectrometers, mass spectrometers, automated microscopy, and imaging systems (visible, NIR, cell counting, etc.). 9/24/2008
Digital Bond has posted Part 3: Specification Vulnerabilities and Part 4: SDK Vulnerabilities of their OPC UA Security Audit. As expected the audit turned up many points, good, bad and ugly.
The Good: These were covered in a previous post, but two items to highlight are
1. The OPC UA SDK code is very clean, well written, easy to follow and contains good use of comments.
2. Mandating that an OPC UA server make use of certificates prior to creating secure channels is essential.
The Bad: I suppose one obvious bad point is that any vulnerability was found in the code and specification, but that was to be expected. The code issues will be corrected in the next revision and the OPC Foundation is addressing many of the specifications findings. The test that brought the OPC UA server down using the Test Application as a ‘fuzzer’ does raise concerns. This sort of security focused testing is exactly the reason the OPC Foundation had the audit performed in the first place. It highlights the need for more application testing as well as considering OPC applications when planning your Network Security system.
Another warning is an oldie but a goodie; “the same OPC protocol implementations, even interoperable, will have different quality of implementations from different vendors”. This is true from a security perspective and other aspects. It’s also true for any product built to meet a particular standard; OPC, Modbus, DNP, etc. Anyone who has worked with standards knows that there is a balance that needs to be struck between ensuring a common ground and providing the flexibility for innovation in products. The good news is that OPC UA has mandated a core set of security features that must be implemented, and outlines what the user is getting by way of different Profile levels. However this will not completely remove the need for users to evaluate who their OPC vendor will be. Does your OPC vendor provide security in their products? Are they active members in progressing the OPC UA standards and products? Do they maintain high compliance and interoperability testing standards? These sorts of questions should reflect on what the quality of the end products will be.
The Ugly: The main finding that is both good and bad, so ends up ugly is the use of certificates and public key infrastructure [PKI]. They are good because they are a proven way of ensuring that only authorized users are accessing the system. They are bad in that depending on how they’re implemented they could either; not provide sufficient protection or become a barrier to interoperability. Two of the goals of OPC UA are to provide seamless interoperability and a high level of security. To achieve both these goals the OPC UA specification makes use of self-signed certificates, and the option to set the Message Security Mode to NONE. Vendors must implement security, but users have the ability to essentially turn it off. If it is turned OFF, then this needs to be very apparent to users to avoid instilling a false sense of security.
As the audit revealed, the specifications are not clear enough or offers conflicting details on how to get this implemented properly. So the main action points for clarifying the specification are:
1. The OPC UA specification has to be clear on how certificates are explicitly trusted through a PKI or other process prior to use, for both the OPC UA client and server.
2. If Secure Channels are allowed to be created and closed without security the specifications to need to clearly indicate Secure vs Unsecure Channels.
This will most probably have an impact on Security Profiles as well.
Personally I wasn’t too surprised by the overall findings. We felt the code was good, but not perfect. The process of implementing a secure but interoperable framework, even leveraging existing security standards, is a tricky task. After looking at all the possibilities, considering the various requirements and putting the results onto paper (and into code) it is all too easy to ‘lose the forest for the trees’ so to speak. We knew that having someone with a strong security background and a fresh view audit the results would show the areas that might be confusing and conflicting. And they did.
As has been noted all these issues are being addressed. When that's done we can rename this post ‘OPC UA Security: Good and Pretty’ (or at least Pretty Good J )
As a closing note, I hope to see many of you out to the OPC UA DevCon and Workshop in Munich in October. It will be a great chance to meet with the specification developers and discuss OPC UA security and other topics. I encourage you readers out there to track me down at the conference, and we can have a chat on OPC over a good German beverage.
UPDATE: It seems that some of my thoughts on the OPC UA Security audit raised the question on why security experts were not involved in the early design of OPC UA. In fact many such experts have been actively involved since the start. My point was that the external audit was an extra step to ensure that nothing was missed when reviewed by fresh set of eyes from the outside. Below is a response from the Randy Armstrong on the matter:
"The OPC Foundation has actively sought advice from numerous security experts from the very beginning and the specification already includes many updates based on feedback from those experts. Dale’s recent review was the first review that included an analysis of the code and, for obvious reasons, could not start before the code base was reasonably stable. We received the results of this review a month ago and are in the process of updating the specifications and the codebase accordingly." 9/12/2008
The latest builds of the OPC UA SDK for the .NET programming environment have been released. The current version Build 222 of the SDK includes:
- Implementations of the XML Web Services and UA Native Binary stack profiles
- Server and Client development toolkits
- Sample Applications
- A wrapper for COM-DA Servers (DA 2.05a, DA3.00 and AE1.1)
- A proxy for COM-DA and COM-AE clients (DA 2.05a and AE1.1)
- Local Discovery Server
- Configuration Tool
Quite a few modifications in this round, most notably is support for wrapping classic A&E servers and support for 64-bit processers. There are also numerous bug fixes, enhancements and corrections for a backward compatibility issue. The sample source now includes the examples on how to create a custom NodeManager. There also appears to be quite a few modifications related to security and auditing. (I would suspect those are a result of the security audit.)
All the fine details can be found in the Readme file.
As the SDK continues to improve, more and more OPC UA products are emerging. Companies working on their OPC UA products will want to get upgraded to the latest SDK builds in order to be read for the next OPC UA Early Adopter Plug Fest in Nürnberg, Germany. This workshop will run from 1:00 PM on Monday, October 6th, 2008 through Noon on Friday, October 10th, 2008. The UA Plug Fest is free for qualified participants. To attend you must have a UA client and/or server developed sufficiently such that it already interoperates with the OPC Test client/server and is ready to be tested with other vendors clients and servers. The Plug Fest will run concurrently with the OPC Interoperability Workshop (IOP), but you must register for each separately and a single person can not adequately cover both the IOP and the plug fest.
Of course, don’t forget the OPC UA DevCon and Workshop the week of October 27th, in Munich. I plan to be presenting, and always look forward to meeting more blog readers.
See you there. 9/4/2008
As many readers might be aware, the team at Digital Bond has conducted a security assessment on the OPC UA protocol, SDK and source code. They have recently posted some of the positive findings that will be part of their final report. The full details can be found here. I’ve included some of the more note worthy remarks and recapped the major findings:
Noteworthy quotes:
“…there are numerous examples of positive findings and text in the report. In fact, there is no comparison between the security in OPC UA and the security of any other control system protocol, with the possible exception of Secure DNP3 and its IEC equivalent. The OPC Foundation should be commended for their security efforts and pressure should be applied to other protocols to step up.”
“the current profiles have leveraged existing, vetted crypto primitives and algorithms rather than try to tackle the difficult process of developing a new security algorithm”
“[the OPC UA SDK code] is among the cleanest code Digital Bond has seen in the control system space. The code is well written, easy to follow and contains good use of comments.”
“The security event logging required by the specification will be a fantastic help to attack detection and after incident analysis. It is the best the Digital Bond team has seen in this space by far.”
The major positive security findings include:
· Options for the use of encryption for confidentiality and signatures for source authentication and integrity, which means the protocol has ‘built-in’ security
· OPC UA uses a profile approach for specifying functionality including the crypto algorithms and key lengths. This provides flexibility and extensibility. Additionally, the current profiles have leveraged existing, vetted crypto primitives and algorithms.
· The OPC UA SDK code base is surprisingly clean of vulnerabilities for a code base of its size. Many common coding errors were not found and there are a number of well-written OPC wrappers of common C functionality. Comments in the code remind developers to use safe functions.
· Excellent security event logging requirements by the specification.
Of course the whole point of security assessments is to highlight findings that could lead to vulnerabilities, and we know that the Digital Bond team has found some. The reason the OPC Foundation so strongly supports this initiative is to find and correct these issues before they make their way into live systems. Many of the findings have already or are in the process of being addressed. A lot of folks have put a lot of effort into ensuring the OPC UA specification stands up to its promise of being secure. Those efforts are clearly paying of in the form of a solid specification. 9/1/2008
Some interesting things happening with OPC UA over the last few weeks while I was vacationing. One of which the whitepaper/OPC UA book excerpt which gives some background on the perceived complexity of OPC UA. Is OPC UA complicated? The answer to that seems to differ from person to person based on their point of view. The whitepaper talks in more detail about what is involved with OPC UA and why some people consider it complicated. Here’s my take on the whole thing:
Is OPC UA completed to use? No. OPC UA has all the familiar concepts from classic OPC; Client/Server architecture, browsable address space, data subscriptions, read/write operations. For the most part, end users will not see a difference, except that OPC UA now offers additional standardized functionality like security, redundancy, richer browsing and data organization, and access to more server information and diagnostics. Users of the classic OPC interfaces did not need to know the full details of COM/DCOM or the functionality of the proxy components. Similarly with OPC UA users will not need to understand the details of security certificate handling, wire transport encoding or bulk interface transactions.
Is OPC UA more complicated than OPC DA? In a word, Yes. OPC UA stands for Unified Architecture, which means it covers all aspects of classic OPC, including real-time, history, alarms, batch, security, commands and OPC XML. It is supposed to be encompassing than simply an OPC DA replacement. There are multiple reasons we’ve created a new architecture:
· Microsoft has deemphasized COM in favor of cross-platform capable Web Services and SOA (Service Oriented Architecture)
· OPC Vendors want a single sent of services to expose the OPC data models (DA, A&E, HDA ...)
· OPC Vendors want to implement OPC on non-Microsoft systems, including embedded devices
· Other collaborating organizations need a reliable, efficient way to move higher level structured data
In addition to these goals, the standards must also be industrially reliable and performant, meet security requirements of today’s systems AND provide a manageable migration path for the countless thousands of classic OPC installations. I fully understand why someone comparing the OPC UA to the OPC DA 2.05 documentation would say OPC UA is complicated.
Is OPC UA complicated to implement? No. The caveat to that is; when using the OPC Foundation supplied SDK or other toolkits. Anyone trying to develop a fully featured OPC UA server from ground zero would consider it complicated. Another caveat would be the more Profiles an application supports, the more complicated the server development becomes. An OPC UA server that meets the profile for serving real-time data from an embedded device would we undeniably less complex than an OPC UA server that meets the profiles for real-time, historical and events as well as multiple security options and full query support for an enterprise-wide address space. However these two OPC UA applications will still interoperate in a standard way. That means they both rely on a standardized architecture and a core set of services. The whitepaper/book excerpt touch on some of these, such as secure connections and publish mechanisms. The reason the OPC Foundation provides the SDK, wrappers, sample code, etc is to ensure these common framework components are implemented properly.
Boiled down, OPC UA can be considered a standardized set of web services designed to meet the needs of industrial automation. Web services should not be confused with Web applications in that they involve application-to-application communication, and are not intended to be accessed via a Web browser. Web delivery of process and business data enhances collaboration between work groups and multi-location plants across the enterprise. OPC UA can be considered the industrial automation equivalent of web services used in Supply Chain Management, Customer Relationship Management, Enterprise Application Integration and a plethora of other software services designed to facilitate optimal decision-making at all levels. Every vendor, customer, application writer and developer in the SOA space will tell you they have a simpler answer to web service integration of the enterprise. 10 years ago there where those who said Windows, DCOM and client/server architecture was too complicated, yet OPC has far and away proven itself to be the solution to control application integration.
The simple fact is OPC UA is the right answer to the industrial automation integration needs of today and tomorrow. The many OPC Foundation members who are developing and releasing products and actively supporting the OPC UA initiatives know this and are making it happen. 8/1/2008
The OPC UA opportunities for facilitating OPC UA adoption continue, this time in Europe, Germany to be precise.
Looking to start developing OPC UA products? Then the European session of the highly popular OPC UA Developers Conference and Workshop, slated for October 27-31 in Munich, Germany is the place to be. The week long event is really two separate focuses. The first two days is the Developer Conference, which is more of a higher level overview of what is OPC UA and it’s current state. Limit 95 participants. The following three-day Developer Workshop is really a training event targeted specifically for product developers. The first day covers the details of OPC UA and the next two full days of specific instructions using either C++ / ANSCI C or .NET programming. This is course is hands-on development on building OPC UA servers and clients. The workshop is limited to 25 participants per track (50 total) and attendance will be on a first-come, first-served basis. With OPC UA in high gear and the next round of Released specifications and updated codebase due in mid-August, the rush will be on. Don’t delay and get registered now. The deadline is Oct 10th, but I suspect it will fill long before then. For full details on pricing, hotels, etc go here.
For those on this side of the pond looking to find out what OPC is all about, the fall sessions of the OPC Foundation Roadshows are starting up soon. The next session is in Milwaukee, WI on September 4th. Details and registration here. I’ve said it before, and I’ll say it again these events are a great opportunity to learn about OPC, how to use the technology and best practices for implementing, as well as a chance to talk with industry experts from the numerous vendor sponsors.
Lots of things happening on the OPC UA front. More updates on to the OPC UA SDK, sample code and other redistributables. You can find the latest downloads here. |
|
|
|
|