Solving DCOM Security Patch Issues

Oct. 16, 2023

Using tunnel/mirroring to make local connections to OPC DA servers and clients eliminates DCOM by passing the data across the network over TCP.

Xavier Mesrobian, Skkynet

Microsoft took an important step this spring towards keeping industrial systems secure. They made their KB5004442 security patch for DCOM mandatory. This affects all systems that network OPC DA, one of the most widely used industrial protocols in the world. Now all OPC DA systems that use DCOM across a network must use the highest security settings. Any networked connections with lower security settings will fail.

Tunnel/mirror software eliminates DCOM by passing the data across the network over TCP using SSL if required.

Thankfully, there is a solution to this problem: tunnel/mirroring. Tunnel/mirror software is designed to make local connections to OPC DA servers and clients. The tunnel completely eliminates DCOM by passing the data across the network over TCP, using SSL if required. The data is mirrored between the server and client, so both sides maintain a full, up-to date data set. If the network goes down for some reason, both the OPC DA server and client stay connected to the tunnel/mirror software, and the client is informed of the break. Once the network comes back, the connection is automatically re-established.

More Secure

For moving data beyond the plant network, tunnel/mirror technology offers a more secure connection than DCOM. You can secure it with SSL and configure it to make only outbound connections from the OPC server side. This keeps all inbound firewall ports closed while still allowing the data to flow one way or both ways.

Isolated networks

As an additional benefit, a tunnel/mirror connection can be configured to connect OPC DA servers and clients across isolated networks. The recent NIS 2 directive and an ISA-95 standard for industrial cybersecurity practice require completely isolating OT (operations technology) data from IT networks using DMZs. A well-designed tunnel/mirror application can sustain connections between isolated networks through a DMZ. By installing the software on the DMZ itself, each side can make outbound connections through firewalls and still maintain one-way or two-way data flow.

Because the tunnel/mirror connection uses TCP across the network, it can make outbound connections from both the process side and the client side into the DMZ. This keeps all inbound firewall ports closed on both sides, ensuring zero attack surface for both IT and OT networks.

Whatever your application, there's no need to view Microsoft's move to secure DCOM as a problem. Switching to a well-designed tunnel/mirror technology can enhance your system, providing connectivity options that are more flexible and secure than DCOM.