Securely connect to IoT software with OPC UA or MQTT

By Mark Crossley

The Anybus CompactCom IIoT Secure enables your industrial devices to communicate using OPC UA and MQTT.

The Anybus Compact IIoT Secure exchanges industrial Ethernet protocol data (for example, PROFINET or EtherNet/IP) with the controller as usual but also uses the OPC UA or MQTT protocols to send data to IT systems. Companies can then analyze the data without needing to develop custom software.

How the CompactCom transfers data

OPC UA on CompactCom

The Anybus CompactCom uses the OPC UA Device Integration (DI) model to implement an OPC UA server in the device’s address space. The OPC UA server models the customer’s device as a device. The application will enable the OPC UA functionality where the ADIs (application parameters) are readable as variable nodes through OPC UA. The modelled device is of type CompactCom40DeviceType which is a subtype of the OPC UA DeviceType. 

  • Support for micro-embedded profile
  • Supports Discovery Services
  • User name and password authentication
  • Supports DataChange Subscription, 10 Subscriptions up to 100 monitored items
  • Write Access Enabled, the descriptor of the ADI defines the access level
  • Timestamp supported via discovery server or time protocol of the industrial network
  • OPC UA extension to all standard Anybus features
  • Available for PROFINET and EtherNet/IP

MQTT on CompactCom

The Anybus CompactCom acts as a publisher on the network using data from the host application. The data will be encoded using an encoding technology chosen by the host application before published, JSON or transparent encoding is supported. Data is tagged with a topic string that is used by the clients that would like to receive the data published by a device when subscribing for the data from the broker.

  • MQTT client acting as publisher
  • MQTT version 3.1.1 supported
  • MQTT over TLS, encrypted communication
  • JSON data encoding with Time stamp supported
  • Transparent transfer supported
  • Last Will and QoS 0-2 supported
  • User name and password authentication
  • Maximum 32k data from host application (maximum 32k on network including JSON encoding).
  • Available for PROFINET and EtherNet/IP

How the CompactCom keeps your data secure

Security Chip

  • Secret data is stored on a special security chip to prevent keys and certificates from being stolen or altered by hackers.

Secure Boot

  • Protects CompactCom IIoT Secure against any attempt to use malware.

Certificate Management

  • Enable proper device authentication and authorization to let CompactCom IIoT Secure communicate to trusted parties only.


  • Protects CompactCom IIoT Secure data exchange from interception or influence by third parties.


Three steps to secure device connectivity with CompactCom IIoT Secure

  1. Certification at the factory
    Every Anybus CompactCom IIoT Secure is prepared with an identification certificate in production. The security chip sends a public key to a secure certification server that provides the appropriate certificate.

  2. Identification at the customer site
    When booting the industry device, the identity certificate is sent to the on-site certification software which provides the device certificate to the machine.

  3. Secured and identified communication
    All certified machines at the site are identified so that every machine knows that the source of the data is the correct one. All data sent is encrypted.



Products tested for robustness

 Security is an ever ongoing process and HMS Networks continually test the Anybus CompactCom 40-series products to check resistance against packet storms, known security holes and malformed packets. Some of the methods and tools we use in different development projects are Achilles, Netload and Nessus.

 To prevent unauthorized or malicious code from being downloaded, the CompactCom 40-series only accept firmware that has been digitally signed by HMS. The included FPGA design is encrypted. Using our own technology, we are in full control of the design, allowing us to optimize performance and fix possible vulnerabilities easily. Unused protocols and functionality can be disabled as necessary by the host application.