Read-Only OPC-UA: Condition Monitoring Without Touching Your PLC
The fastest way to kill a predictive maintenance project is to tell the OT-security team it needs write access to the PLC. The moment a new tool can change setpoints, force outputs, or issue actuator commands, it stops being a monitoring system and becomes a control-system risk — and now you're in a months-long security review instead of a pilot.
There's a cleaner path: read-only OPC-UA. Subscribe to the tags you need, never write a single value back. The control system behaves exactly as it did before; you've just added a passive observer.
What read-only actually prevents
OPC-UA is a request/response and subscription protocol. A client can read, write, and call methods. "Read-only machine monitoring" means the client is constrained to a strict subset:
- Subscribe / read only. The client opens monitored-item subscriptions on the tags it needs (vibration, temperature, pressure, current, RPM) and receives value updates. It never issues a Write service call.
- No method calls. No invoking PLC methods that could change machine behavior.
- No actuator path. There is no code path — none — that maps a model output back into a control-system write.
This is an architectural property, not a configuration toggle you hope nobody flips. The monitoring agent should have no write capability in its codebase at all. When an auditor asks "what's the worst thing this tool can do to my line?", the answer is: read a value it's already allowed to read.
Prevly's edge agent is built this way on purpose. It subscribes to OPC-UA tags read-only and pushes telemetry into the on-premise pipeline. There is no write_tag, no method invocation, no actuator command anywhere in the ingestion path — and that's verified, not assumed.
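One way to make "verified, not assumed" concrete is a static check over the agent's own source that fails the build if any call to a write or method-invocation service appears, used or not. The example below is added here and is not Prevly's code; the forbidden method names are assumed from the python-opcua/asyncua client API and should be adjusted to whatever client library the agent uses, and the two agent snippets it scans are constructed.

```python
import ast
from typing import List, Tuple

# Method names that map onto the OPC-UA Write and Call services in the
# python-opcua / asyncua client libraries (assumed names; adjust to the
# client library your agent actually uses). Deliberately broad: a bare
# .write()/.call() on a file or subprocess will also trip it, and that is
# fine for a gate that fails closed and is triaged by hand.
FORBIDDEN_CALLS = {
    "write_value", "set_value", "write_values", "set_values",
    "write_attribute", "set_attribute", "write_params",
    "call_method", "call", "write",
}

def find_write_paths(source: str, filename: str = "<agent>") -> List[Tuple[str, int, str]]:
    """Return (filename, line, method) for every call whose attribute name is
    a write or method-call service. Dead code is flagged too: the property
    being checked is 'cannot write', not 'is configured not to write'."""
    tree = ast.parse(source, filename=filename)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if node.func.attr in FORBIDDEN_CALLS:
                hits.append((filename, node.lineno, node.func.attr))
    return sorted(hits, key=lambda h: h[1])

def is_read_only(source: str, filename: str = "<agent>") -> bool:
    return not find_write_paths(source, filename)

# Constructed sample 1: a subscribe-only ingestion loop (reads and subscriptions only).
READ_ONLY_AGENT = '''
async def ingest(client, node_ids, handler):
    sub = await client.create_subscription(500, handler)
    nodes = [client.get_node(n) for n in node_ids]
    await sub.subscribe_data_change(nodes)
    for n in nodes:
        print(await n.read_value())
'''

# Constructed sample 2: the same loop plus a "feedback" helper that would map a
# model output back into a setpoint write. Unused or not, it must fail the gate.
AGENT_WITH_FEEDBACK = READ_ONLY_AGENT + '''
async def apply_model_output(client, setpoint_node, value):
    await client.get_node(setpoint_node).write_value(value)
'''

if __name__ == "__main__":
    for hit in find_write_paths(AGENT_WITH_FEEDBACK, "agent.py"):
        print("write path found: %s:%d %s()" % hit)
```

Run it over every module in the ingestion path as a CI step; a non-empty result is the answer to "does the agent have any write capability in its code, even unused?".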
Why this clears IT-security review faster
OT-security frameworks like IEC 62443 are built around restricting and accounting for every interaction with control systems. A read-only monitoring agent maps cleanly onto the parts of those frameworks reviewers care about most:
| Concern | Read-only OPC-UA answer |
|---|---|
| Can it alter the process? | No write path exists. |
| Can it disrupt the PLC? | Subscriptions are passive; the OPC-UA server controls update rates. |
| What network access does it need? | One inbound subscription to the OPC-UA endpoint (typically TCP 4840); no internet egress required. |
| What's the blast radius if compromised? | An attacker gains read access to tag values already visible to the historian — not control. |
| Is there a credential that can change machine state? | The monitoring credential is scoped read-only at the server. |
Compare that to a tool that needs write access or a cloud round-trip: every one of those rows turns into a finding, a compensating control, or a "come back next quarter."
Read-only doesn't mean low-fidelity
Engineers sometimes assume that passive monitoring means coarse, slow data. It doesn't. Through OPC-UA subscriptions you can pull:
- High-rate vibration channels (X/Y/Z axes) for spectral and bearing-frequency analysis.
- Process variables (temperature, pressure, flow, current, voltage) for cross-sensor correlation.
- Machine state and RPM for context — so a model knows the difference between "stopped" and "anomalous."
That's enough to drive real condition monitoring: rolling-window features, FFT, trend detection, and ML models for anomaly detection, remaining-useful-life prediction, and fault classification. The model quality is bounded by sensor quality and sampling rate — not by the fact that you chose to read instead of write.
The defense-in-depth layering
Read-only OPC-UA is one layer. A well-architected monitoring deployment stacks it with others:
- Read-only at the protocol level — no write service calls.
- Read-only at the credential level — the OPC-UA server grants the monitoring account read scope only.
- Read-only at the network level — the agent sits in a monitoring segment; firewall rules permit the subscription and nothing back into the control segment.
- No outbound egress — for on-premise deployments, the agent doesn't need to reach the internet at all.
Defense in depth means that even if one layer were misconfigured, the others still prevent a write. That's the posture that gets a "yes" from a security team that has learned to be skeptical.
Questions to ask your monitoring vendor
- Does the agent have any write capability in its code, even unused? ("It's configured read-only" is weaker than "it cannot write.")
- What exact network paths does it need? Inbound subscription only, or something back into the control network?
- Does it require internet egress to function?
- What credential scope does it need on the OPC-UA server?
- Can you show the data-flow diagram an auditor would need?
If condition monitoring is supposed to reduce risk on your line, the tool that watches it shouldn't add a new way to touch it.
Prevly ingests machine data via read-only OPC-UA — passive subscriptions, zero PLC write path, no required internet egress — as part of an IEC 62443 SL-1-aligned on-premise deployment. See the architecture or request a technical walkthrough.