Advisory: Potential for Mandatory Microsoft DCOM Patch to Disrupt SCADA Communications

Author: Jennifer Walker

Created: Monday, March 13, 2023 - 21:28

Categories: OT-ICS Security, Security Preparedness

Action may be Required: Tomorrow (March 14, 2023), it will no longer be possible to disable the Microsoft DCOM hardening patch. This could result in the disruption of critical communications between ICS/SCADA/OT devices.

In other words, if ICS/OT/SCADA devices suddenly stop communicating after applying the Microsoft DCOM patch from March 14, 2023, it may be practical to consider this as a possible cause during your troubleshooting efforts.

ICS/OT/SCADA engineers and operators are encouraged to assess the use of the DCOM component in your industrial environment. It may be necessary to work with integrators or OEMs to determine usage/implementation in your environment as failure to address could result in loss of critical communications between impacted ICS/OT/SCADA devices.

This is an update to a notification included in the Security & Resilience Update (SRU) on December 22, 2022.

Background

What is DCOM? The Distributed Component Object Model (DCOM) is a protocol used for communication between software components on different computers on a network. DCOM is embedded in many Industrial Control Systems from companies such as Rockwell Automation, GE, Honeywell, Siemens, etc.

What is Microsoft DCOM hardening? Microsoft revealed the Windows DCOM Server Security Feature Bypass vulnerability (CVE-2021-26414: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414) on June 8, 2021. In order to minimize issues for end-users and provide time to migrate, Microsoft took a phased roll-out approach. The final phase of the DCOM hardening will be part of the Windows Update on March 14, 2023.

Additional resources:

Dino on DCOM Patch and ICS (Dale Peterson’s Unsolicited Response podcast) https://www.youtube.com/watch?v=Wtox8rMvA40
Are you DCOM Ready? (Velta Tech) https://uploads.strikinglycdn.com/files/45fb471b-67fc-4aff-9cd2-4fb127d61dc9/Get%20DCOM%20Ready%20Business%20Brief.pdf
New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch https://www.securityweek.com/new-open-source-ot-security-tool-helps-address-impact-of-upcoming-microsoft-patch/
Navigating the Final Phase of DCOM Hardening (Grantek) https://grantek.com/navigating-the-final-phase-of-dcom-hardening/
Product Notification 2022-01-001 – Rockwell Automation products unable to establish proper DCOM connection after installing Microsoft DCOM Hardening patch (CVE-2021-26414) https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1133982