Microsoft took an important step this spring towards keeping industrial systems secure: it made the DCOM hardening in its KB5004442 security update mandatory. This affects every system that networks OPC DA, one of the most widely used industrial protocols in the world. All OPC DA systems that use DCOM across a network must now use the highest security settings, and any networked connection that still uses lower security settings will fail.
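Before deciding what to migrate, it helps to know which existing DCOM connections are already being refused or are running below the required level. The following PowerShell script is an added example, not code from the original article or from any tunnel/mirror vendor; it assumes an elevated session on the OPC server or client host, and relies on the DCOM hardening event IDs (10036 server side, 10037 and 10038 client side) that Microsoft documents for the KB5004442 updates.

```powershell
# Added example (not part of the original article): list and count the
# DCOM hardening events that Windows writes when an OPC DA / DCOM
# activation is refused by the server (10036) or when a client application
# activates at an authentication level below the required one (10037 with an
# explicitly set level, 10038 with the default level).
# Assumptions: elevated PowerShell on the OPC server or client host;
# event IDs as documented for the KB5004442 DCOM hardening updates.
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

$meaning = @{
    10036 = 'server refused an activation below the required auth level'
    10037 = 'client app activated with an explicitly set, too-low auth level'
    10038 = 'client app activated with a default, too-low auth level'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = @(10036, 10037, 10038)
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises a non-terminating error when nothing matches,
# so suppress it and test the result instead.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
    -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No DCOM hardening events on $ComputerName in the last $Days day(s)."
    return
}

# One row per event: the first line of the message names the offending
# client address (server side) or application (client side).
$events | Sort-Object TimeCreated | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Meaning = $meaning[$_.Id]
        Detail  = ($_.Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize -Wrap

# Totals per event ID: a quick measure of how many connections need
# attention before the tunnel/mirror replacement is in place.
$events | Group-Object Id | Select-Object @{n = 'Id'; e = { $_.Name }}, Count |
    Format-Table -AutoSize
```

Run it on the OPC server to see rejected clients by address, and on each client host to see applications that still activate DCOM below the required level.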
For moving data beyond the plant network, tunnel/mirror technology offers a more secure connection than DCOM. You can secure it with SSL and configure it to make only outbound connections from the OPC server side. This keeps all inbound firewall ports closed while still allowing the data to flow one way or both ways.
As an additional benefit, a tunnel/mirror connection can be configured to connect OPC DA servers and clients across isolated networks. The recent NIS 2 directive and an ISA-95 standard for industrial cybersecurity practice require completely isolating OT (operational technology) data from IT networks using DMZs. A well-designed tunnel/mirror application can sustain connections between isolated networks through a DMZ. By installing the software in the DMZ itself, each side can make outbound connections through its firewall and still maintain one-way or two-way data flow.
Because the tunnel/mirror connection uses TCP across the network, it can make outbound connections from both the process side and the client side into the DMZ. This keeps all inbound firewall ports closed on both sides, so neither the IT network nor the OT network exposes an inbound listening port to the other.
Whatever your application, there's no need to view Microsoft's move to secure DCOM as a problem. Switching to a well-designed tunnel/mirror technology can enhance your system, providing connectivity options that are more flexible and secure than DCOM.