March 14, 2023, is a date that organizations utilizing operational technology (OT) should have circled on their calendars. After that date, it will no longer be possible to disable a critical Microsoft DCOM hardening patch, which could trigger equipment shutdowns and lead to revenue disruptions, unless there are backups available prior to the patch enablement.
The update involves the Distributed Component Object Model (DCOM) — a software component embedded in industrial control systems (ICS) from companies like Rockwell Automation, Honeywell, Siemens and GE. Microsoft publicly disclosed the DCOM Server Security Feature Bypass on June 8, 2021, categorizing it as a medium security vulnerability.
What is the Microsoft DCOM patch?
The DCOM hardening patch was designed to strengthen authentication between DCOM clients and servers. However, Microsoft has indicated some ICS products will be unable to establish a proper DCOM connection once the hardening patch takes effect. Rockwell Automation has since issued its own statement acknowledging its machines will be unable to establish a proper DCOM connection after installation of the Microsoft DCOM hardening patch.
This puts a rapidly dwindling shelf life on any ICS equipment still reliant on DCOM protocols. If left unaddressed, manufacturing and critical infrastructure environments could be at high risk of disruption and negative implications — the most notable being inoperable machines and costly, unscheduled downtime. Additionally, the loss of visibility into machine controls could pose heightened risk to physical safety. This could result in potentially dangerous, uncontrollable operations as well as regulatory violations leading to heavy fines or penalties.
“This is a concerning situation for organizations whose operational technology is subject to the DCOM patch,” said Craig Duckworth, president and co-founder of Velta Technology. “Imagine showing up for work one morning, or getting a phone call, only to learn your plant floor is sitting idle, silent and unable to function due to a foreseeable Windows hardening patch.
“This is something that could potentially disrupt a company’s ability to generate revenue, and it’s advisable for them to get in front of this looming software update while there’s still time.”
Delaying the Microsoft DCOM patch
For the time being, industrial manufacturing and critical infrastructure operators have had the option of bypassing the update. However, that option will be removed starting March 14 when Microsoft requires a forced DCOM update.
To patch any asset in an operational environment, organizations must balance security and compatibility issues with the continuity of the product and system availability. Although his ultimate recommendation is to rebuild and/or replace these machines, Duckworth says there are appropriate instances such as this when additional time is needed to ensure continued operational functionality and system security. That’s what prompted him to form a partnership with TXOne Networks, a global leader in OT cybersecurity, and create a stopgap solution providing companies with more time to develop a permanent solution.
“Our collaboration with Velta Technology surfaced the urgent market need for these DCOM-impacted operations,” said Jeff DePasse, senior vice president of the Americas for TXOne Networks. “Velta Technology’s deep OT expertise paired with TXOne Networks’ Stellar technology creates this novel capability.”
TXOne’s Stellar endpoint solution uses a system lockdown feature to protect devices from updates, reconfigurations, malware and system changes without affecting regular operations. Delaying the DCOM hardening patch in this manner saves the trouble of having to rewrite codes or replace ICS before the March deadline, affording asset owners time to implement a permanent solution while keeping their plants securely online.
Said Duckworth: “Exactly how much time this method buys depends on many factors including the size and scope of the organization. The TXOne Stellar solution stops the patch and allows the organization to then confer internally over priorities, budget and a strategic path forward. Although the right permanent solution will look different for every industrial environment, this approach can provide organizations the valuable time needed to reach those conclusions without a plant shutdown and potential revenue loss.”
Building resilient ICS systems
Duckworth said companies without an accurate asset inventory are most at risk because they have limited insight into which ICS equipment is embedded with the soon-to-be-outdated DCOM software. Given the rapidly approaching deadline, it’s an opportune time for companies to include their DCOM status as part of their overall OT digital safety initiatives.
“This is another opportunity for organizations in the industrial space to become more resilient when it comes to their ICS systems,” Duckworth said. “It’s clear that implementing the proper DCOM remediation efforts is an important part of maintaining a strong digital safety posture.”
Added Dino Busalachi, Velta Technology chief technology officer and co-founder: “DCOM is embedded into most industrial control systems and puts your plant floor at major risk for disruptions and outages. We are excited to partner with TXOne Networks to provide a unique, cost-effective stopgap that buys organizations valuable time to implement a permanent solution.”
For more on the Microsoft DCOM hardening patch, check out this article from Control Engineering.