Solving DCOM security patch issues with tunnel/mirroring

Microsoft took an important step this spring towards keeping industrial systems secure: with the March 2023 updates, the DCOM hardening described in KB5004442 became mandatory, with no registry opt-out. This affects every system that runs OPC DA, one of the most widely used industrial protocols in the world, across a network. A networked OPC DA connection must now negotiate a DCOM authentication level of at least Packet Integrity; a client that negotiates anything lower is rejected, and the hardened server records each rejection as event ID 10036 in the System event log, which is how you find the clients that are about to break.

Thankfully, there is a solution to this problem: tunnel/mirroring. Tunnel/mirror software connects to the OPC DA server and to the OPC DA client locally, on the same host as each of them, so the networked DCOM connection that the hardening breaks is never made. The tunnel carries the data across the network over plain TCP, with SSL/TLS where required, and DCOM is eliminated from the network entirely. The data is mirrored between the two ends, so both sides hold a full, up-to-date copy of the data set. If the network goes down, the OPC DA server and client both stay connected to their local tunnel/mirror software, and the client is informed of the break (for example by the affected points' quality changing from good to bad). Once the network comes back, the connection is re-established automatically and the two copies are brought back into sync.

For moving data beyond the plant network, tunnel/mirror technology offers a more secure connection than DCOM. You can secure it with SSL/TLS, and configure it so that the only connection is an outbound one, initiated from the OPC server side. Every inbound port on the plant firewall then stays closed (DCOM, by contrast, needs inbound access to port 135 plus a range of dynamic RPC ports), yet data can still flow one way or both ways over that single outbound session.

As an additional benefit, a tunnel/mirror connection can be configured to join OPC DA servers and clients across isolated networks. The recent NIS 2 Directive, and industrial cybersecurity standards such as ISA/IEC 62443 that build on the ISA-95 level model, call for keeping OT (Operational Technology) networks separated from IT networks, with a DMZ between them rather than direct connections. A well-designed tunnel/mirror application can sustain connections between the isolated networks through that DMZ: install the software on the DMZ host itself, and each side makes an outbound connection to it through its own firewall, so neither firewall needs an inbound rule and data still flows one way or both ways.
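To make the mechanism concrete, here is an added example, written for this page and not Skkynet's product code, of a minimal tunnel/mirror in Python's standard library. It shows the pattern from the last three paragraphs in one piece: the plant (OPC server) side only dials outbound, the DMZ side only listens, each side keeps a full copy of the point table, a network break is reported to consumers as quality "bad", and the link is redialled and fully resynced automatically. Everything in it is constructed for illustration: the JSON-lines message format, the heartbeat and retry intervals, the tag name Tank1.Level, and the use of plain TCP on localhost (a real deployment would wrap both sockets with `ssl`).

```python
import json, queue, socket, threading, time

GOOD, BAD = "good", "bad"   # simplified OPC-style quality flags (constructed)


class DmzMirror:
    """Listening end, installed on the DMZ host. Holds a mirrored point table
    and only ever accepts connections; it never dials into the plant."""

    def __init__(self, host="127.0.0.1", port=0):
        self.points = {}                      # tag -> {"value": v, "quality": q}
        self.lock = threading.Lock()
        self.link_breaks = 0
        self.peer = None
        self.srv = socket.create_server((host, port))   # production: wrap with ssl
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:                           # one plant session at a time
            conn, _ = self.srv.accept()
            self.peer = conn
            try:
                for line in conn.makefile("r"):
                    msg = json.loads(line)    # heartbeats carry no point data
                    if msg["type"] == "update":
                        with self.lock:
                            self.points[msg["tag"]] = {"value": msg["value"], "quality": GOOD}
            except (OSError, ValueError):
                pass
            finally:
                conn.close()
                with self.lock:               # tell consumers the link is down
                    self.link_breaks += 1
                    for p in self.points.values():
                        p["quality"] = BAD

    def drop_link(self):
        """Simulate a network failure by tearing down the live session."""
        try:
            self.peer.shutdown(socket.SHUT_RDWR)
        except (OSError, AttributeError):
            pass

    def wait_for(self, tag, value, quality=GOOD, timeout=5.0):
        """Poll until the mirrored point shows (value, quality); True if seen."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self.lock:
                p = dict(self.points.get(tag, {}))
            if p and p["value"] == value and p["quality"] == quality:
                return True
            time.sleep(0.01)
        return False


class PlantMirror:
    """OPC-server end. Dials outbound only, keeps its own full copy of the
    points, queues writes while the link is down and resends the whole table
    after every (re)connect so the two copies converge again."""

    def __init__(self, host, port, retry=0.2, heartbeat=0.1):
        self.addr, self.retry, self.heartbeat = (host, port), retry, heartbeat
        self.points = {}
        self.lock = threading.Lock()
        self.outbox = queue.Queue()
        self.connects = 0
        threading.Thread(target=self._run, daemon=True).start()

    def write(self, tag, value):
        """Local OPC write: update our copy, then mirror it when possible."""
        with self.lock:
            self.points[tag] = value
        self.outbox.put(tag)

    def _run(self):
        while True:
            try:
                with socket.create_connection(self.addr, timeout=2) as s:
                    self.connects += 1
                    with self.lock:
                        resync = list(self.points)
                    for tag in resync:            # full resync on (re)connect
                        self._send(s, tag)
                    while True:
                        try:
                            self._send(s, self.outbox.get(timeout=self.heartbeat))
                        except queue.Empty:       # idle: heartbeat exposes a dead link
                            s.sendall(b'{"type": "heartbeat"}\n')
            except OSError:
                time.sleep(self.retry)            # link down: back off, then redial

    def _send(self, s, tag):
        with self.lock:
            value = self.points[tag]
        s.sendall((json.dumps({"type": "update", "tag": tag, "value": value}) + "\n").encode())
```

Usage: create a `DmzMirror()`, then a `PlantMirror("127.0.0.1", dmz.port)`, and call `plant.write("Tank1.Level", 42.0)`; `dmz.wait_for("Tank1.Level", 42.0)` returns True once the value is mirrored. After `dmz.drop_link()` the DMZ copy reports the point as `BAD`, a write made while the link is down is queued, and the next `wait_for` on the new value succeeds once the plant side has redialled and resynced. The through-DMZ layout of the paragraph above is the same listener with a second outbound dialer on the IT side, which is left out here; note that the plant firewall never needs an inbound rule because only the plant side ever calls `create_connection`.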

Whatever your application, there’s no need to view Microsoft’s move to secure DCOM as a problem. Switching to a well-designed tunnel/mirror technology can enhance your system, providing connectivity options that are actually more flexible and more secure than DCOM.

www.skkynet.com