Introduction
Last Updated: Nov 15, 2022
This guide tells you how to configure Microsoft Distributed Component Object Model (DCOM) settings for OSIsoft PI OPC products, with special consideration given to security. The recommendations in this guide should be treated as one layer of an overall defence-in-depth strategy for securing your control system against cyber-intrusion.
Although you can use firewalls to help protect your OPC server, this guide does not cover firewall strategies. Firewall configuration is complicated by the dynamic port allocation behavior of DCOM and is beyond the scope of this document. When configuring DCOM for non-OSIsoft OPC products, follow all recommendations and guidelines from your vendor.
PI OPC products include the following:
- PI OPC DA/HDA Server
- PI Interface for OPC DA
- PI Interface for OPC HDA
- PI Interface for OPC A&E
- PI OPC Client
Industrial control systems are often part of a critical infrastructure (such as electricity, gas, and water) and therefore of interest to parties with malicious intent. Cyber-intrusion can also come internally from personnel with good intentions but inappropriate training or access permissions. Reducing the attack surface of your control system is prudent, regardless of whether the control system is part of critical infrastructure.
To protect your business from downtime and data loss, employ a comprehensive cyber-security strategy that includes staying up to date with patches and updates, preventing malicious software through application whitelisting and antimalware solutions, training your users in safe practices, and following the security recommendations in this guide and those from other vendors. Other resources are available from organizations such as the United States Computer Emergency Readiness Team (US-CERT), on the Introduction to Recommended Practices page of its website.
Classic OPC server and client applications are based on Microsoft’s Component Object Model (COM)/DCOM communication model. COM provides a set of interfaces that enable software components to communicate on a single computer. DCOM lets software components communicate between networked nodes: a process on one computer can execute code on another. This technology has significant security implications. Permissions must be granted carefully, so that the client and server can communicate without compromising the security of the host computers.
The exact settings required to configure DCOM for OPC depend on operating system, domain or workgroup configuration, firewall configuration, network architecture, and your preferred user-account structure. This guide provides recommendations for the most common configurations.
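As an added example (not part of the OSIsoft guide or its products), the following PowerShell script reads the machine-wide DCOM settings that the DCOM configuration tool stores under HKLM\SOFTWARE\Microsoft\Ole and lists which accounts hold launch and access rights, flagging Everyone or ANONYMOUS LOGON when they hold remote rights. It assumes a Windows host and a session able to read HKLM; because the PI OPC servers' AppIDs are not given here, it audits only the machine-wide defaults and limits, not per-application permissions.

```powershell
# Added audit script (not OSIsoft's code): inspect machine-wide DCOM settings.
# Assumes a Windows host; value names are the documented ones under HKLM\SOFTWARE\Microsoft\Ole.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'

# Documented COM_RIGHTS_* access-mask bits used in DCOM security descriptors.
$rights = [ordered]@{
    1  = 'Execute'
    2  = 'LocalAccess'    # COM_RIGHTS_EXECUTE_LOCAL
    4  = 'RemoteAccess'   # COM_RIGHTS_EXECUTE_REMOTE
    8  = 'LocalLaunch'    # COM_RIGHTS_ACTIVATE_LOCAL
    16 = 'RemoteLaunch'   # COM_RIGHTS_ACTIVATE_REMOTE
}
$remoteBits = 4 -bor 16

function Show-DcomAcl([string]$Name, [byte[]]$Bytes) {
    if (-not $Bytes) { Write-Output "$Name : not set (operating-system default applies)"; return }
    # REG_BINARY value is a self-relative security descriptor; parse its DACL.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID (deleted account, foreign domain)
        $names = $rights.Keys | Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $rights[$_] }
        Write-Output ("{0} : {1,-13} {2,-40} {3}" -f $Name, $ace.AceType, $who, ($names -join ','))
        # Everyone (S-1-1-0) or ANONYMOUS LOGON (S-1-5-7) with remote rights widens exposure.
        if ($sid.Value -in 'S-1-1-0', 'S-1-5-7' -and ($ace.AccessMask -band $remoteBits) -and
            $ace.AceType -eq 'AccessAllowed') {
            Write-Output "  ^ REVIEW: $who holds remote DCOM rights in $Name"
        }
    }
}

Write-Output "EnableDCOM               : $($ole.EnableDCOM)"
# RPC authentication level: 2 = Connect, 5 = Packet Integrity, 6 = Packet Privacy; blank = OS default.
Write-Output "LegacyAuthenticationLevel: $($ole.LegacyAuthenticationLevel)"
Show-DcomAcl 'DefaultLaunchPermission'  $ole.DefaultLaunchPermission
Show-DcomAcl 'DefaultAccessPermission'  $ole.DefaultAccessPermission
Show-DcomAcl 'MachineLaunchRestriction' $ole.MachineLaunchRestriction
Show-DcomAcl 'MachineAccessRestriction' $ole.MachineAccessRestriction
```

Run it on each OPC client and server host before and after applying the guide's settings to confirm that only the intended accounts keep remote launch and access rights.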
Note: OSIsoft discourages the use of the Windows 2000, Windows 2003, Windows NT, or Windows XP operating systems in any OPC configuration. Microsoft has announced the end of support for these operating systems, as follows: "Unsupported products or service packs pose a significant risk to your computer's security. Therefore, Microsoft advises customers to migrate to the latest supported service pack and/or product prior to the end of support."