
By Xavier Mesrobian
Microsoft took an important step this spring toward keeping industrial systems secure: the DCOM hardening described in KB5004442 (its response to CVE-2021-26414) became mandatory and can no longer be switched off with the registry key that the earlier phases allowed. This affects every system that networks OPC DA, one of the most widely used industrial protocols in the world. DCOM servers now require clients to activate at an authentication level of at least Packet Integrity (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY); any networked OPC DA connection that still uses a lower level fails. Windows records such attempts in the System event log as DistributedCOM events 10036 (on the server) and 10037 or 10038 (on the client), which is the quickest way to find the connections that break.

One way around this is tunnel/mirror software. It is designed to connect locally to OPC DA servers and clients, on the same host as each, so that DCOM is never used across the network.

The tunnel replaces networked DCOM by carrying the data over a single TCP connection, protected with TLS (often still called SSL) where required. The data is mirrored between the two ends, so both sides hold a full, up-to-date data set. If the network goes down, the OPC DA server and client each stay connected to their local tunnel/mirror software, and the client is told of the break rather than being left with stale values; once the network returns, the connection is re-established automatically.
For moving data beyond the plant network, a tunnel/mirror connection offers a more secure arrangement than DCOM: it can be secured with TLS and configured so that the only connection is outbound, from the OPC server side to the client side.

This keeps every inbound firewall port on the plant side closed, while data still flows one way or both ways over the connection the server side opened.
As an additional benefit, a tunnel/mirror connection can link OPC DA servers and clients across isolated networks. The EU's NIS 2 Directive and industrial cybersecurity standards built on the ISA-95 (Purdue) reference model, notably ISA/IEC 62443, call for segmenting OT (operational technology) from IT networks, typically with a DMZ between them. A well-designed tunnel/mirror application can sustain connections between the isolated networks through that DMZ.

By installing the software on the DMZ host itself, each side makes an outbound connection through its own firewall into the DMZ, and one-way or two-way data flow is still maintained.
Because the tunnel/mirror connection is plain TCP, the process side and the client side can both dial out to the DMZ; no inbound port has to be opened on either the OT or the IT firewall, and the only listening service on the path is the tunnel/mirror instance in the DMZ. That does not make the attack surface zero: it moves it to the DMZ host, so that host must be hardened and both tunnel endpoints must authenticate to it (TLS with certificates on both sides, for instance) rather than being trusted on the strength of their network address.
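The arrangement described above, as an added example that is not Skkynet's or any vendor's code: a hypothetical Python relay that sits in the DMZ and is the only component that listens, an OT-side publisher and an IT-side mirror that both dial out to it, and a run that exercises the three behaviours the text promises (a late-joining client receives the full data set, live updates flow, and the client is informed when the path through the DMZ breaks). Everything runs on loopback over plain TCP; the tag names and values are constructed sample data, and the newline-delimited JSON wire format is an assumption. A real deployment would wrap the connections in TLS and authenticate both endpoints, which this example omits.

```python
import json
import socket
import threading
import time

# Constructed sample data: OPC DA style tag updates as the plant side would push them.
SAMPLE_UPDATES = [{"tag": "Pump1.Speed", "value": 1450.0}, {"tag": "Tank1.Level", "value": 72.5},
                  {"tag": "Pump1.Speed", "value": 1460.0}]


class DmzRelay:
    """Hypothetical DMZ relay, the only listener: OT and IT hosts both dial out to it."""
    def __init__(self):
        self.lock, self.mirror, self.it_clients = threading.Lock(), {}, []  # last value per tag; IT sockets
        self.ot_port, self.it_port = self._listen(self._serve_ot), self._listen(self._serve_it)

    def _listen(self, handler):
        s = socket.socket()
        s.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        s.listen()
        def accept_loop():
            while True:
                threading.Thread(target=handler, args=(s.accept()[0],), daemon=True).start()
        threading.Thread(target=accept_loop, daemon=True).start()
        return s.getsockname()[1]

    def _serve_ot(self, conn):
        # Plant side pushes newline-delimited JSON updates: record each, fan it out to IT mirrors.
        with conn, conn.makefile("r") as lines:
            for line in lines:
                msg = json.loads(line)
                with self.lock:
                    self.mirror = {**self.mirror, msg["tag"]: msg["value"]}  # replace, never mutate
                    for c in list(self.it_clients):
                        try:
                            c.sendall(line.encode())
                        except OSError:           # that mirror is gone; forget it
                            self.it_clients.remove(c)

    def _serve_it(self, conn):
        # Client side first receives the complete current data set, then live updates.
        with self.lock:  # held so that no update can overtake the snapshot
            for tag, value in self.mirror.items():
                conn.sendall(json.dumps({"tag": tag, "value": value}).encode() + b"\n")
            self.it_clients.append(conn)

    def shutdown(self):  # simulate the DMZ path going down: every IT mirror loses its link
        with self.lock:
            for c in self.it_clients:
                c.shutdown(socket.SHUT_RDWR)
                c.close()
            self.it_clients.clear()


def publish_from_plant(relay_port, updates):
    """OT-side agent: an outbound connection only, pushing tag updates to the relay."""
    with socket.create_connection(("127.0.0.1", relay_port)) as s:
        for update in updates:
            s.sendall(json.dumps(update).encode() + b"\n")


class ClientMirror:
    """IT-side agent, also outbound only: local copy of the data set plus break notification."""
    def __init__(self, relay_port):
        self.values, self.connected, self.breaks = {}, True, 0
        self.sock = socket.create_connection(("127.0.0.1", relay_port))
        threading.Thread(target=self._reader, daemon=True).start()

    def _reader(self):
        try:
            with self.sock, self.sock.makefile("r") as lines:
                for line in lines:
                    msg = json.loads(line)
                    self.values = {**self.values, msg["tag"]: msg["value"]}  # replace, never mutate
        except OSError:
            pass
        self.breaks, self.connected = self.breaks + 1, False  # EOF or error: informed of the break


def wait_until(predicate, timeout=5.0):
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline and not predicate():
        time.sleep(0.02)


def run_demo():
    """Plant publishes; late-joining client gets the full set; live update flows; DMZ path dies."""
    relay = DmzRelay()
    publish_from_plant(relay.ot_port, SAMPLE_UPDATES)
    wait_until(lambda: relay.mirror == {"Pump1.Speed": 1460.0, "Tank1.Level": 72.5})
    client = ClientMirror(relay.it_port)
    wait_until(lambda: client.values == relay.mirror)
    publish_from_plant(relay.ot_port, [{"tag": "Tank1.Level", "value": 70.0}])
    wait_until(lambda: client.values.get("Tank1.Level") == 70.0)
    relay.shutdown()
    wait_until(lambda: not client.connected)
    return {"relay": relay.mirror, "client": client.values,
            "connected": client.connected, "breaks": client.breaks}
```

Nothing in `publish_from_plant` or `ClientMirror` ever binds a port: both sides only call `create_connection`, which is exactly the property that lets the OT and IT firewalls stay closed to inbound traffic. The relay keeps the last value of every tag, so the client that connects after the plant has already published still ends up with the same two tags as the relay, and when `shutdown()` severs the DMZ path the client's `connected` flag flips to `False` instead of silently serving stale data.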
Whatever your application, there’s no need to view Microsoft’s move to secure DCOM as a problem. Switching to a well-designed tunnel/mirror technology can enhance your system, providing connectivity options that are more flexible and more secure than DCOM.
Xavier Mesrobian is the vice president, sales and marketing, at Skkynet Cloud Systems. He can be reached at xavier.mesrobian@skkynet.com.
This content is sponsored by Skkynet.