OPC DA and Microsoft DCOM security issues

Security is a recurring problem, and this case is typical of the ongoing challenge in the automation sector: keeping a stable, functioning system running in an environment of constantly evolving hardware and software. Here the system was a visual inspection system installed more than 15 years ago with a significant investment. The change became necessary because of Microsoft's initiative to raise the network security standards of Windows software.

In the factory, IT systems are deeply integrated with the production process and with OT systems. Visual inspection systems, for example, have a direct, real-time connection to the main control system over OPC DA, an industry-standard protocol built on Windows COM/DCOM technology.

Using OPC DA across a network requires DCOM, and DCOM security settings can be complicated to configure. To keep the system manageable and communication fast, the Plant Automation Team had always run DCOM security at its minimum. With Microsoft's mandatory DCOM hardening update, however, DCOM servers now accept only the two highest authentication levels (Packet Integrity and Packet Privacy). Configuring and enabling these higher settings created problems. The plant also had other security requirements that made recovery from any OPC outage extremely difficult and time-consuming, causing production delays of several hours.
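Before deciding on a workaround it is worth confirming, on each machine involved, which authentication level DCOM is defaulting to and whether the hardened server is actually rejecting activations. The following PowerShell audit is an added example and not part of the case study or of any vendor tooling; the registry values and event IDs are the ones Microsoft documents for the DCOM hardening, while the function names and output shape are this script's own.

```powershell
# Added example, not part of the case study: audit a Windows host for the DCOM
# authentication-level state behind the OPC DA breakage described above.
# Registry values and event IDs are the ones Microsoft documents for the DCOM
# hardening; function names and output shape are this script's own choices.

# RPC authentication levels as stored in LegacyAuthenticationLevel.
$DcomAuthLevels = @{
    1 = 'None'
    2 = 'Connect'           # pre-hardening Windows default
    3 = 'Call'
    4 = 'Packet'
    5 = 'Packet Integrity'  # minimum a hardened DCOM server accepts
    6 = 'Packet Privacy'
}

function Get-DcomHardeningState {
    $ole    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $compat = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' -ErrorAction SilentlyContinue

    # Machine-wide default for COM clients that do not request a level themselves.
    $legacy = if ($null -ne $ole.LegacyAuthenticationLevel) { [int]$ole.LegacyAuthenticationLevel } else { 2 }

    # RequireIntegrityActivationAuthenticationLevel = 0 was the temporary opt-out
    # that let servers keep accepting lower levels; absent or 1 means enforced.
    $optOut = ($null -ne $compat.RequireIntegrityActivationAuthenticationLevel) -and
              ([int]$compat.RequireIntegrityActivationAuthenticationLevel -eq 0)

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        DefaultAuthLevel           = "$legacy ($($DcomAuthLevels[$legacy]))"
        HardeningEnforced          = -not $optOut
        # A default below 5 is below what a hardened server accepts; clients that
        # rely on the default rather than requesting a level are the ones at risk.
        DefaultBelowHardenedMinimum = ($legacy -lt 5)
    }
}

function Get-DcomAuthFailures {
    param([int] $Hours = 24)
    # 10036: server rejected an activation below Packet Integrity.
    # 10037/10038: client used an explicit/default level that is too low.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } }
}

Get-DcomHardeningState | Format-List
Get-DcomAuthFailures -Hours 72 | Format-Table -AutoSize -Wrap
```

Run it on both the OPC server host and an OPC client host: event 10036 on the server names the client address and account that was refused, and 10037/10038 on the client show whether the application asked for a low level explicitly or simply inherited the machine default.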

A new approach: Tunneling

What Automation Manager Doody needed was a different way to connect the OPC clients on the PCs running the visual control systems to the OPC server on the main control system. Upgrading from OPC DA to OPC UA, the "new" version of OPC, was explored as a way to stop depending on DCOM altogether. Unfortunately this was not possible, for technical reasons (OPC UA was not yet available for all the devices and applications in use) and for economic ones (the cost of updating the devices, plus the need to revalidate the systems in use). A web search on how to bypass the DCOM bottleneck led to the concept of OPC tunneling and to the Cogent DataHub software.

“While I was studying how to use tunneling I found the website of Cogent DataHub, I read the case studies and supporting testimonials and found how easy the application was to integrate into systems like ours,” said Doody. “It seemed that once implemented, I could pass it on to our support group in Production, who could take charge of it without me having to continue to supervise it.”

For a test, on one production line he set up a tunnel connection between the main controller PC and four vision-system PCs. Originally, security for both the vision-system PCs and the main controller PC was configured on the plant LAN: all access was authenticated through the Active Directory domain controller, and the security configuration had to be identical on every machine.

With the tunnel, the DataHub instance on the main controller connects to the OPC server using normal login credentials. The DataHub instance on each vision-system PC makes a tunnel connection to the DataHub instance on the main controller and receives the data. Each of these DataHub instances is also configured as an OPC DA server, so the vision system connects to it as a local OPC client and no DCOM call crosses the network.

Now, because the OPC client on each vision-system controller connects to a local DataHub instance, the Automation Team was able to remove those PCs from the plant domain. It no longer needs to enforce user logins on the domain controller; each user logs in independently of the main control's access, and a connection irregularity or interruption no longer requires resynchronizing security logins across multiple machines. The trade-off is that the security of the data path now rests on the tunnel connection between the two DataHub instances and on the local accounts of each PC rather than on DCOM, so that link and those accounts have to be configured and reviewed with the same care. After a week of testing the first system, Automation Manager Doody felt confident he could implement the solution on the three remaining lines. Now all connections use DataHub tunneling and the benefits are clear.
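Once a line has been converted, the claim "the OPC client only talks to the local instance" should be verified rather than assumed, because a client that still has the old remote ProgID configured will quietly keep using DCOM. The following PowerShell check is an added example, not part of the case study or of the DataHub product: it lists the established TCP sessions from a vision-system PC to the main controller and flags anything that looks like DCOM (TCP 135 endpoint mapper or a dynamic RPC port) next to the expected tunnel session. The controller address and tunnel port in the example call are placeholders to be replaced with the site's own values.

```powershell
# Added example, not part of the case study: on one vision-system PC, verify
# that OPC DA now goes to the local DataHub instance and that no DCOM session
# (TCP 135 endpoint mapper plus a dynamic RPC port, 49152-65535 by default)
# is still open to the main controller. $ControllerAddress and $TunnelPort
# are assumptions supplied by the caller, not values from the case study.

function Test-OpcTunnelIsolation {
    param(
        [Parameter(Mandatory)] [string] $ControllerAddress,
        [Parameter(Mandatory)] [int]    $TunnelPort
    )
    $toController = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $ControllerAddress })

    $tunnel = @($toController | Where-Object { $_.RemotePort -eq $TunnelPort })

    # Anything else to the controller on 135 or in the dynamic range is a DCOM
    # leftover. Heuristic: if the tunnel itself were configured inside the
    # dynamic range the exclusion on $TunnelPort is what keeps it out of this list.
    $dcomLike = @($toController | Where-Object {
        $_.RemotePort -ne $TunnelPort -and ($_.RemotePort -eq 135 -or $_.RemotePort -ge 49152)
    })

    [pscustomobject]@{
        TunnelEstablished = ($tunnel.Count -gt 0)
        DcomToController  = @($dcomLike | ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            '{0}:{1} -> {2}:{3} ({4})' -f $_.LocalAddress, $_.LocalPort,
                                          $_.RemoteAddress, $_.RemotePort, $p.ProcessName
        })
        Pass              = ($tunnel.Count -gt 0) -and ($dcomLike.Count -eq 0)
    }
}

# Example call; both values are placeholders for this illustration.
Test-OpcTunnelIsolation -ControllerAddress '10.0.0.10' -TunnelPort 4502 | Format-List
```

A `Pass` of `$true` with an empty `DcomToController` list is the state the case study describes; a process name in that list tells you which application is still bound to the remote OPC server and needs to be repointed at the local DataHub instance.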

A look at validation

In addition to the ease of implementation with little effort from internal staff, the qualification/validation part was also completed with little effort. Cogent DataHub is a standard, off-the-shelf software layer used in a large number of installations around the world. Its developers use development methods and tools that meet strict security criteria and comply with international and market regulations and standards. Once documented and qualified on the infrastructure on which it is installed, Cogent DataHub is transparent to the applications: it provides their full functionality without requiring changes to the applications themselves. Cogent DataHub is supplied with a monitoring and control console, the DataHub Data Browser, which lets you evaluate performance and anomalies and verify the integrity of the data exchanged over the network.

Some thoughts on the solution

“Previously, if an OPC connection went down, it could take anywhere from one to five hours to power up the PCs that were out of the domain, register, authenticate with the user account, initialize the network cards, connect to the plant LAN and PC line, connect to OPC, calibrate the application and more,” Doody said.

“Now I no longer receive significant reports of downtime,” he continued. “Our application connects even faster to the local OPC server instance. Tunneling with DataHub makes it much easier to debug why a connection doesn't work. So far we have had only one case where OPC failed to connect to our application, and by looking at the DataHub Data Browser we could see that this was due to the tunneling application not being active on the server side. Previously this would have been much more difficult to diagnose and would have involved numerous reboots of the PC, waiting and hoping that the connection could be re-established.”

“Putting the entire solution in place was practically child's play for management and easy to justify as an investment, because it saved a lot of money compared with updating the lines with expensive revamping work. IT and Engineering were also involved, because it was easy to implement and really easy to maintain. And then the Try-and-Buy helped too: getting the trial licenses so easily and reading the instructions to implement them on our systems was fantastic, seamless, for our work.”

Adapted and supplemented from: Case Study: Pharmaceutical Device Manufacturing