PLC-PLC Communication with OPC-UA

In this post, we learn how to use OPC UA to communicate between two PLCs by setting up an S7-1500 as an OPC UA Server with a dedicated server interface and user authentication.

OPC UA is an open data exchange standard for industrial communication. It describes a protocol for exchanging data from machine to machine, or a machine to PC. OPC UA is short for Open Platform Communications Unified Architecture and, as the name implies, is a communication protocol that is independent of manufacturers, system suppliers, and programming languages.

In this demo, we will learn how to implement OPC UA for PLC to PLC communication, also known as horizontal communication. This is not the only application of OPC UA though - it is also used for communication between PLCs and higher levels systems like SCADA and MES, also known as vertical communication.

In more recent firmware versions, S7-1500 PLCs also have a built-in OPC UA client. This OPC UA client can be used for vertical integration with slave devices like barcode scanners and printers. A PLC using OPC UA to communicate with these devices could retrieve a barcode from a barcode scanner or send data to a printer to print.

Advantages of OPC UA.

OPC UA Server Interface

The major advantage of OPC UA is that it is manufacturer-independent. OPC UA provides an open way to exchange data between devices manufactured by any manufacturer without using gateway devices to convert communications from one proprietary format to another. Other communication protocols like Modbus/TCP and TCP/IP are supported by many manufacturers, but OPC UA is quickly emerging as the preferred communication protocol for industrial communications.

Since OPC UA is based on TCP/IP, it is routable over an Ethernet network. This means that devices that are not located in the same subnet can communicate with each other through the use of routers. Other industrial protocols like I-Device communication were limited because they were not routable over Ethernet and, therefore, could only be used for communication between devices in the same subnet.

OPC UA has built-in diagnostics so that communication errors can be detected and handled in the user program. The diagnostics are also useful for troubleshooting communication issues while monitoring a system.

Unlike older protocols, OPC UA supports the use of optimized data blocks for data exchange. This means that you can follow Siemens recommendations to exclusively use optimized data blocks in the user program while communicating between two PLCs.

Although OPC UA is not a single-sided communication protocol like PUT/GET, there is no programming required for the server PLC. The server PLC simply makes data available to a third party. This makes it very easy to engineer data exchange between two PLCs using OPC UA.

On the subject of exposing data from the server PLC, OPC UA supports the use of companion specification requirements. An OPC companion specification is a way to order data so that it is supplied to a client in a structured format. When a client browses the data exposed by the server, the data is presented in a structured way with standard data in a standard format. Companion specifications help to provide some security in an OPC UA connection by making sure that only specific data is exposed.

Of course, since OPC UA is a modern protocol, OPC UA communication can be secured with modern, internet standard security. The security mechanisms available for OPC communication include encryption and digital signing of data to make sure that transmitted data cannot be intercepted and read or modified by malicious third parties.

Disadvantages of OPC UA

Because OPC UA is a modern, cross-platform communication protocol, there are very few disadvantages to using OPC UA for PLC to PLC communication. The only disadvantage that I can think of is not to do with OPC UA itself, but rather with the way the OPC UA server is enabled in TIA Portal.

When you enable the OPC UA server in a PLC in TIA Portal, all of the data in the PLC is exposed without security by default. This means that immediately after you enable OPC UA, any OPC UA client could connect to the PLC and browse and modify any of the data that lives in that PLC including data blocks, instance data blocks, inputs, outputs, and memory bits.

This is actually worse than legacy communication protocols like PUT/GET because OPC UA exposes data from the PLC symbolically. Since the data is exposed symbolically, a malicious actor could browse through tags symbolically to get a more clear picture of exactly what data they were accessing.

The good news is that when set up correctly, OPC UA is a very secure communication protocol. In the next sections, I will show you how to set up OPC UA communication to exchange data between two PLCs and how to secure that communication to make sure that malicious actors can't interfere with the systems involved in the communication.


In this demo, two PLCs will exchange data via OPC UA. PLC_2 acts as an OPC UA server, which exposes data to PLC_1, the OPC UA client. We will incrementally improve the security of the communication as we go through the demo.

In TIA Portal, I have created a new project, added two PLCs, and run through the security wizard.

Configure the Server

In PLC_2, I will enable the OPC UA server. Since OPC UA is a licensed product, I need to select the type of runtime license that I have purchased for the PLC in Properties > General > Runtime Licenses. Select the type of license purchased in the dropdown. For now, you don't need to provide proof that you have actually purchased a license although this may change in the future.

The type of license required depends on the CPU that you are using. You can see what type of license is required for a PLC in this SIOS entry.

Select OPC UA Runtime License in TIA Portal

Next, I enable the OPC UA server in PLC_2 by activating the checkbox "Activate OPC UA server" under Properties > General > OPC UA > Accessibility of the server. A warning pops up to highlight that the OPC UA server must be properly secured. Click OK to dismiss this warning after reading it carefully.

Activate the OPC UA server

If you scroll down to the Server Addresses section of this window, you will see that we have two OPC UA server addresses. That's because this PLC has two ports and the OPC UA server is enabled for both ports.

OPC UA Server Addresses

Security Check #1

Now, the OPC UA Server is enabled. Any OPC UA client could browse to this PLC and access the data exposed via the OPC UA Server. That includes inputs, outputs, memory addresses, and DBs.

To demonstrate this, I have created some inputs and outputs in the PLC and enabled the Clock Byte in the Hardware Configuration. After downloading these changes, I launched UAExpert, a free OPC UA client, to browse the PLC.

In UAExpert, I click Server > Add and switch to the Advanced tab. Here, I can enter the Endpoint URL for the OPC UA Server, which I have copied from the Hardware Config of PLC_2. Click OK to add the server.

Configure the OPC UA Server in UA Expert

The OPC UA server is added to the project tree in the left pane. Right-click the server and select Connect to connect to the OPC UA Server.

Connect to OPC UA Server

An error window pops up to inform us that there are issues with the security certificate presented by the PLC_2 OPC UA server. Click on Trust Server Certificate to ignore these warnings.

Trust OPC UA Server Certificate

Finally, click Continue to connect to the OPC UA Server.

Click Continue to Connect to the OPC UA Server

With a connection to the OPC UA Server, we can browse through the exposed data in the Address Space pane on the left. You can see here that we can browse the exposed data symbolically and see all of the inputs, outputs, and memory areas that are configured in the PLC.

I have selected the inputs, outputs, and memory bits and dragged them to the center pane of UA Expert.

Browse for Tags in the OPC UA Server

Now I can monitor the values of these tags. I can also modify the value of the tags by double-clicking on them. Here, you can see that I have modified the output Q_01_01_M11_MTR to True.

Writing Tags from the OPC UA Server

This is a very dangerous situation - any OPC UA Client can connect to this PLC to view and modify any data. In fact, this situation is less secure than using PUT/GET because OPC UA exposes data symbolically so it is easy for a malicious actor to find the data that will do the most damage to a system through an OPC UA Client.

Configure the Server Interface

We can improve the security of the OPC UA Server by carefully choosing what data to expose to OPC UA Clients.

To do this, we need to disable the Standard Server Interface in the Hardware Configuration of PLC_2. The Standard Server Interface is the server interface that exposes all of the data from the PLC to an OPC UA client. You can disable this server interface in Properties > General > OPC UA> Standard server interface (SIMATIC namespace):

Disable the standard SIMATIC server interface

With this server interface switched off, we can create a new server interface that exposes specific data from the PLC to OPC UA clients.

To add a new server interface, double click on the Add new server interface button in the Project Tree under PLC_2 > OPC UA communication > Server interfaces. Give your server interface a name and click OK to create the interface and open the server interface editor.

Add a New OPC UA Server Interface

In the Server Editor window, you have two panes. In the left pane, you have the OPC UA Server Interface namespace. This namespace defines all of the data that is accessible to OPC UA Clients. Only the data in this namespace can be browsed by OPC UA Clients. On the right, you have the OPC UA elements of the project that can be added to the OPC UA Server Interface namespace.

To add elements from the project to the OPC UA Server Interface namespace, you can simply drag and drop them from the left to the right pane. In this example, I have added the photocell inputs and clock bit tags to the server interface namespace.

Add Tags to OPC UA Server Interface

I will download these changes and switch back to the UAExpert OPC UA Client to see these changes.

Security Check #2

Back in UAExpert, I have disconnected and reconnected to the OPC UA Server. Now I see that data is not exposed directly via the PLC anymore, but the tags that we have chosen to expose are exposed through a new folder called Server_Interface_1. This is the server interface namespace that we created in TIA Portal.

When you expand this folder, you see that it contains all of the data that we chose to expose. Once again, we can monitor and modify the values of the data exposed via this server interface namespace.

Server Interface Namespace in OPC UA Client

Now, we have made the connection slightly more secure by limiting the amount and type of data that is exposed to OPC UA Clients. In the next section, we will improve the security of the connection even more by implementing authentication so that only devices with the correct user name and password can connect to the server.

Configure the Authentication

Guest Authentication allows any client to access the OPC UA server without providing a username in password. To implement authentication, we want to disable Guest Authentication in the OPC UA Server. You can do this in TIA Portal by deactivating the "Enable guest authentication" checkbox in the PLC Properties under General > OPC UA > Guest authentication

Disable Guest Authentication for the OPC UA Server

Just below this section, we can enable authentication with a user name and password by activating the "Enable user name and password authentication" checkbox. After enabling authentication with a user name and password, you can define a user name and password that will be used by OPC Clients to connect to the OPC Server.

Enable Authentication for OPC UA Server

Security Check #3

After downloading the changes to the PLC, I can go back to UAExpert and disconnect and reconnect to the OPC UA Server. This time when I try to connect, I see a "BadIdentityTokenInvalid" error is thrown. That's because Guest Authentication is no longer allowed by the OPC UA Server

BadIdentityTokenInvalid Error in UAExpert

We can configure a user name and password to use to connect to the OPC UA Server in the server connection properties. To access the server connection properties, right-click on OPC UA Demo and choose Properties.

UAExpert Server Connection Properties

In the Authentication Settings section, you can provide a username and password to connect to the OPC UA Server with. You can, optionally, store these credentials so that you don't have to provide them every time you connect to the OPC UA Server.

Authentication Settings in UA Expert

After providing the correct user name and password for the OPC UA Server, you can once again connect, browse tags in the server interface namespace, and monitor and write tag values.

Now that we have taken steps to secure the OPC UA server, let's configure the OPC UA Client and see how we can use OPC UA for PLC to PLC communication.

Configure the OPC UA Client

In PLC_1, I activate the OPC UA Client in the PLC Properties under General > OPC UA > Client.

Activate the OPC UA Client

Once again, we have to specify the type of license purchased in the PLC Properties under General > Runtime Licenses > OPC UA.

Just like an OPC UA Server has a Server Interface, an OPC UA Client has a Client Interface. Add a Client Interface for PLC_1 by double clicking on "Add new client interface" in the Project Tree under PLC_1 > OPC UA communication > Client Interfaces. A client interface called Client_Interface_1 is automatically created and opened.

Add a Client Interface

In the bottom pane of the editor, provide the IP Address and, if modified, the port of the OPC UA Server. You will see the server address update with the new information.

Configure the Server IP Address

In the Security tab, scroll down to the User Authentication section. In the User authentication dropdown, select "User name and password". In the following two boxes, provide the user name and password that you previously configured in the OPC UA Server.

Set Up Security for OPC UA Client

After completing these changes, download them to the PLC.

Configure Data Exchange

Next, we can specify the data exchange between the OPC UA Server and Client. In the "OPC UA client interface" tree, you can see that you have various options for data access including read lists, write lists, and method lists. Read lists contain data that is read from the OPC UA Server and write lists contain data that is written to the OPC UA Server. In this demo, we will read data from the OPC UA Server.

Double click on "Add new read list" to create and open a new read list called Read list_1.

Create a New Read List

Now, we want to add data from the server interface namespace to the read list.

We could do this by exporting the server interface namespace from PLC_2 in XML format and importing it back into the Client Interface in PLC_1. An easier option, if an online connection with the server is available, is to browse the data of the OPC UA Server Interface namespace. To do that, select Online [] from the OPC UA server interface source drop down and click on "Online access" to browse for an OPC UA Server Interface.

Browse for an OPC UA Server Interface

In the dialog box that opens, paste in the address of the OPC UA Server and click "Find selected server'. Once the server is found, choose the security level "No security" and specify the correct type of user authentication along with the user name and password you created previously. Finally, click "Connect" to connect to the OPC UA Server.

Connect to the OPC UA Server

In the pop up box, choose to trust the certificate of the OPC UA Server by clicking "Yes".

If everything went well, you should be able to see the data exposed by the OPC UA Server in the OPC UA server interface pane. From here, you can drag the data that you want to consume over to the read list of the OPC UA Client. In this example, I have taken the Clock_1Hz boolean tag over to the client's read list.

Add Data to the OPC UA Client Read List

Finally, we need to poll the data. To do that, I will use the OPC_UA_ReadList_C block available under Instructions > Communication > OPC UA > OPC UA Client. This is a compact communication block which means that it establishes a connection with the OPC UA Server and handles the data exchange.

Create a call to the instruction in the Main OB and launch the configuration wizard.

Configuration Wizard for OPC_UA_ReadList_C

Follow the steps in the configuration wizard to parameterize the block and set up the REQ pin to cyclically poll the data from the server. If configured correctly, you should see the STATUS pin of the block change value to show that data is being received.

Finish Parameterizing OPC_UA_ReadList_C

Now, if I make a trace of the data being received from the server (which is available in "Client interface_1_Data"."Read list_1".Variable.Clock_1Hz), I can see that data is being received and updated from the OPC UA Server

OPC UA Data Trace

Wrap Up

In this post, I introduced you to OPC UA and explained some of the advantages and disadvantages of using OPC UA as a communication protocol for horizontal and vertical communication in PLC systems.

I also showed you how to use OPC UA to communicate between two PLCs. Along the way, we learned how to set up an S7-1500 PLC as an OPC UA server and how to properly secure server connections using server interfaces and user authentication.

We also learned how to configure an S7-1500 PLC as an OPC UA client and how to consume data from a server.

I hope that you have enjoyed this introduction to OPC UA and I hope that you will consider using it in future projects. It really is a powerful and modern communication protocol that will only grow in popularity and acceptance in the coming years. Already, we see many higher-level systems such as SCADA and MES adapting OPC UA and it is only a matter of time until lower-level components like PLCs and intelligent sensors come with OPC UA included out of the box.

Learn Something New Every Week

Sign up to the mailing list to get a new post about industrial automation and controls engineering delivered to your inbox every week.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

PLC Bootcamp

Learn the skills you need to start your journey as a PLC programmer. Enroll in PLC Bootcamp to learn how to write and test your first PLC program for free.