Ensure Your Control System Functions after DCOM is Hardened

Since the 90’s Microsoft has included the Distributed Component Object Model (DCOM), under a few different names, in its versions of Windows to allow interfaces between applications, both locally on single computer and remotely between applications on different computers. Over the years, many software vendors in the OT space have taken advantage of this model to help transport the plant data that we use in the OT space for SCADA, MES, historians, and reporting.

Now Microsoft is hardening DCOM in response to a security vulnerability, CVE-2021-26414, and applications that use the lowest level of security in the model (basically, no security) could be impacted. Microsoft is giving vendors and its customers time to respond with patch releases that happen in stages. Specifically, on June 8, 2021, a patch was introduced that left the no-security option of DCOM enabled by default. The next patch will be released on June 14, 2022 and will turn off the no-security option of DCOM by default while still providing for it to be re-enabled. On March 14, 2023, a patch will be released that will permanently disable it.

How do I know if my system will be affected?

The changes to DCOM are going to impact many of the major vendors of software in the OT space including Rockwell Automation, Siemens, AVEVA, Kepware, Emerson, ABB, and many others. That is not the end of the story, though. While many of these vendors have software products that will be impacted, it does not necessarily mean that your system will be. In order to have the full picture the implementation of the software in your specific system will need to be examined.
Let’s take the scenario of a plant that has a historian collecting data from a variety of PLCs on the production floor. Even if the software vendor lists the historian product as having a dependency on DCOM (and the chances are that it probably does), it is still not necessarily true that your system is impacted. If the historian and OPC servers are on the same machine then DCOM would not come into play and this historian should continue to collect data after the system is patched. If the OPC servers are on other systems throughout the plant then more investigation would be needed to see how the data is transported and what level of DCOM is configured.

We are recommending two basic steps to identifying problem spots in your system:

1) Check with your vendors: All the major software vendors with whom we have talked have notices up. In some cases, these are available publicly, and in others they can be found in the support pages associated with your software support contract. These notices and tech notes will identify the products that are affected and may offer solutions for mitigating your system. These pages have been changing as more information has become available and more testing has been done, so it is a good idea to keep checking back.

2) Consult with your systems integrator partner: Your systems integrator partner can help review your OT system and identify areas of your software architecture that will be affected by the upcoming patches. ACE has already begun offering this type of review to our customers so that they can avoid interruption in their operations.

My OT System uses DCOM, what should I do?

This is a developing situation so it can be difficult to know how to proceed. Some scenarios will have a straightforward workaround that can be implemented fairly easily. Other situations may not be as easy.

Keep in mind that the patch coming out in June will have a registry switch that will allow DCOM to work until the next patch comes out next March. By then software vendors will have had more time to release software updates, guidelines, and tech notes to address the issues.

Finally, if you are patching your systems, please follow the guidance from your software vendor on what patches can be installed with your system. If the software is not ready for a patch, it will not appear on the vendor’s list of approved patches. As always, ACE recommends installing approved patches on a test bed or training system first, if you have one. This allows for a better chance of detecting problems with a patch before you do anything to your production system.

Your systems integrator partner can help you navigate this situation especially in cases where multiple software vendors are present. Contact ACE today if you would like to talk with someone about your specific situation.