Reasons a Configurable TCP Port is Important for OPC Tunneling

Posted by Win Worrall on Jun 21, 2016 11:30:00 AM

This is Part 8 of our “25 Things to Consider when Choosing an OPC Tunnel” series.  What flexibility is there in how ports are configured?

Depending on your level of knowledge regarding OPC tunneling solutions, you may or may not be aware of how a tunneler uses TCP ports for transferring data between machines.  Your IT department likely gives you plenty of trouble whenever you mention needing to open a TCP port.  And with good reason - cyber attacks frequently exploit commonly used TCP ports.

This blog post will outline three top reasons why it's important for an OPC tunneling solution to support fully configurable TCP ports for transferring your data.


TCP Ports and OPC TunnelingI'm sure you're starting to see a common thread in this series of blog posts - DCOM is painful for many reasons, which is why an alternative is so desirable.  Port usage and flexibility comes into play as a result.  OPC relies on the Microsoft RCP service which uses Port 135.  OPC Tunneling solutions rely on TCP socket connections between machines to transfer your process data.

But why does that matter?  Cyber hackers also like to make use of TCP ports when designing attacks to exploit the vulnerabilities of a system.  So having the ability to choose less frequently utilized TCP ports can minimize the chances that a cyber attack would be successful.

Properly designed OPC tunneling software greatly contributes to cyber security in the following ways:

  1. Tunneling doesn't rely on DCOM TCP/IP port 135

    DCOM has no configurability when it comes to what TCP port will be used for a remote connection.  Since DCOM relies on Microsoft RPC services, Port 135 is always used, as well as some other ports needing to be open for communications.  As such, cyber hackers are fully aware of Port 135 and its vulnerability, making any connections that are not behind a firewall extremely risky.

  2. Poorly designed OPC tunnels might hard code the TCP/IP port

    Not much better than a remote DCOM connection is an OPC tunnel connection where the TCP port used for the tunnel is hard coded.  Considering that the tunnel vendor would have to document which TCP port is being used for their tunnel connection, all a hacker would need to do is access the software product manual to determine which port to attack.

  3. Fully selectable TCP/IP ports provides the ultimate flexibility for your IT department

    A well-designed OPC tunnel solution provides fully configurable TCP port settings for the tunnel connection.  This allows you to work with your IT department to determine which TCP port works the best for your network architecture.  Since you can define any TCP port, this makes it possible to select a port that isn't widely used and is much less likely to be the target of a cyber attack.  Selectable TCP ports also allow you to avoid duplicate port usage in your system.

Before purchasing a tunneler, make sure it allows you to configure the TCP port to be used for the tunnel connection.  To reiterate from our other posts, choosing an effective tunneler that takes into account your application requirements will make a big difference in your operational effectiveness, resiliency, and profitability, as well as network security. Learn about the other reasons in the free whitepaper “25 Considerations when choosing a tunneling solution”.

Download Free Whitepaper

Topics: Device Integration, OPC Tunnel, DCOM, Tunneling, DataHub

Win Worrall

Written by Win Worrall

Join Our Journey

Working in industrial automation since 1996, the Software Toolbox team has seen a lot. The level of automation system sophistication of our integrators and users has evolved, each driven by the demands of their market and clients.  Everyone's learning continues as technological change accelerates.

This blog is about sharing from these journeys.  From tips on implementing software, successes our clients have experienced, or new ideas and things to consider in your journey, we'll be sharing them here.

Subscribe to Our Blog

Recent Posts