By Xavier Mesrobian

Microsoft took an important step this spring toward keeping industrial systems secure. It made its KB5004442 security patch for DCOM mandatory. This affects every system that networks OPC DA, one of the most widely used industrial protocols in the world. Now all OPC DA systems that use DCOM across a network must use the highest security settings. Any networked connection with lower security settings will fail.

Thankfully, there is a solution to this problem: tunnel/mirroring. Tunnel/mirror software is designed to make local connections to OPC DA servers and clients. 

The tunnel eliminates DCOM by passing the data across the network over TCP, using SSL if required. The data is mirrored between the server and client, so both sides maintain a full, up-to-date data set. If the network goes down for some reason, both the OPC DA server and client stay connected to the tunnel/mirror software, and the client is informed of the break. Once the network comes back, the connection is automatically re-established.
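The break-and-recover behaviour described above, modelled as an added example that is not Skkynet's code: each end of the tunnel keeps a full copy of the data set, a network break flags mirrored tags as "Not Connected" for the local OPC client while the tunnel's own local connection stays up, and a reconnect resynchronises both copies from a snapshot. The wire format, tag names and quality strings are assumptions made for the illustration.

```python
import json
from dataclasses import dataclass, field

@dataclass
class MirrorSide:
    """One end of the tunnel: keeps a full copy of the data set for its local OPC peer.
    Tags written by the local peer are 'owned'; everything else is a mirror of the far side."""
    name: str
    data: dict = field(default_factory=dict)   # tag -> (value, quality)
    owned: set = field(default_factory=set)
    linked: bool = False

    def local_write(self, tag, value):
        """The local OPC peer writes a tag; return the wire message to send, or None if the link is down."""
        self.data[tag] = (value, "Good")
        self.owned.add(tag)
        return json.dumps({"op": "update", "tag": tag, "value": value}) if self.linked else None

    def snapshot(self):
        """Full set of locally owned tags, used to resynchronise the far side after a reconnect."""
        return json.dumps({"op": "sync", "data": {t: self.data[t][0] for t in sorted(self.owned)}})

    def receive(self, wire):
        """Apply a single update or a full sync received from the far side (assumed JSON format)."""
        msg = json.loads(wire)
        items = [(msg["tag"], msg["value"])] if msg["op"] == "update" else msg["data"].items()
        for tag, value in items:
            self.data[tag] = (value, "Good")

    def link_down(self):
        """Network break: the local OPC connection stays up, but mirrored tags are flagged
        so the local client learns of the break instead of waiting on a DCOM timeout."""
        self.linked = False
        for tag in set(self.data) - self.owned:
            self.data[tag] = (self.data[tag][0], "Not Connected")

    def link_up(self, peer_snapshot):
        """Network restored: accept the far side's snapshot so both copies are current again."""
        self.linked = True
        self.receive(peer_snapshot)


def simulate_break_and_recovery():
    server, client = MirrorSide("ot-server"), MirrorSide("it-client")
    server.linked = client.linked = True
    client.receive(server.local_write("Pump1.Flow", 12.5))      # normal mirrored update (constructed tag)
    server.link_down(); client.link_down()                      # the network between them drops
    server.local_write("Pump1.Flow", 13.0)                      # server keeps running; nothing crosses the link
    during_break = client.data["Pump1.Flow"]                     # last value kept, quality tells the client why
    server.link_up(client.snapshot()); client.link_up(server.snapshot())  # automatic resync, both directions
    return during_break, client.data["Pump1.Flow"]
```

The client never sees a dropped OPC connection: it sees the last good value with a "Not Connected" quality, then the current value once the tunnel resynchronises.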

For moving data beyond the plant network, tunnel/mirror technology offers a more secure connection than DCOM. You can secure it with SSL and configure it to make only outbound connections from the OPC server side.

This keeps all inbound firewall ports closed, while still allowing the data to flow one way or both ways.

As an additional benefit, a tunnel/mirror connection can be configured to connect OPC DA servers and clients across isolated networks. The recent NIS 2 Directive and an ISA-95 standard for industrial cybersecurity practice require completely isolating OT (operations technology) data from IT networks using DMZs. A well-designed tunnel/mirror application can sustain connections between isolated networks through a DMZ.

By installing the software on the DMZ itself, each side can make outbound connections through its firewall and still maintain one-way or two-way data flow.

Because the tunnel/mirror connection uses TCP across the network, it can make outbound connections from both the process side and the client side into the DMZ. This keeps all inbound firewall ports closed on both sides, so neither the IT nor the OT network exposes an inbound attack surface.

Whatever your application, there's no need to view Microsoft's move to secure DCOM as a problem. Switching to a well-designed tunnel/mirror technology can enhance your system, providing connectivity options that are more flexible and more secure than DCOM.

Xavier Mesrobian is the vice president, sales and marketing, at Skkynet Cloud Systems. He can be reached at xavier.mesrobian@skkynet.com.

This content is sponsored by Skkynet.