{"id":1552,"date":"2025-08-29T10:26:24","date_gmt":"2025-08-29T10:26:24","guid":{"rendered":"https:\/\/integrationobjects.com\/blog\/?p=1552"},"modified":"2026-04-20T14:40:58","modified_gmt":"2026-04-20T14:40:58","slug":"blog-opc-classic-security-risks-opc-ua-wrapper","status":"publish","type":"post","link":"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/","title":{"rendered":"Securing OPC Classic Systems with OPC UA: How the OPC UA Wrapper Eliminates DCOM Security Risks"},"content":{"rendered":"<h2 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\">The security problem no one wants to talk about<\/h2>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Most industrial facilities running OPC Classic know, on some level, that their legacy protocol stack is not ideal from a security perspective. What fewer people appreciate is just how specific and well-documented those risks are.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">OPC Classic &#8211; covering OPC DA (Data Access), OPC HDA (Historical Data Access), and OPC AE (Alarms and Events) &#8211; was built on Microsoft&#8217;s COM\/DCOM technology. DCOM was a reasonable architectural choice in 1996, when OPC Classic was introduced. Industrial networks were air-gapped by default, cybersecurity was not an OT priority, and Windows dominated the automation world.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">None of those conditions reliably hold today.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">As IT\/OT convergence has progressed, as cloud connectivity has become standard, and as industrial cybersecurity has moved from a niche concern to a boardroom priority, the DCOM foundations of OPC Classic have become a genuine liability. 
Not a theoretical one &#8211; a documented, exploited, actively monitored liability.<\/p>\n<h2 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\">What DCOM vulnerabilities actually mean for your plant<\/h2>\n<h3 class=\"text-text-100 mt-2 -mb-1 text-base font-bold\">CVE-2021-26414: the patch that broke OPC Classic<\/h3>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">In June 2021, Microsoft disclosed <strong>CVE-2021-26414<\/strong>, a critical vulnerability in the Windows DCOM Server Security Feature. The vulnerability allowed remote attackers to bypass DCOM authentication controls, potentially enabling unauthorised access to any DCOM-exposed service including OPC Classic servers.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Microsoft&#8217;s response was mandatory security hardening via the <strong>KB5004442<\/strong> Windows update, which tightened DCOM authentication requirements. This was not optional: as of June 2023, the hardening is enforced by default on all supported Windows systems.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The practical consequence for OPC Classic users was significant. Many legacy OPC Classic client applications, particularly older SCADA systems, historians, and HMI platforms, relied on the looser DCOM authentication that KB5004442 eliminated. Applying the security patch caused connectivity failures in OPC Classic deployments across multiple industries. Organisations faced a difficult choice: apply the security patch and break their OPC infrastructure, or delay the patch and remain exposed to the vulnerability.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">This is not an edge case. 
It is an illustration of the fundamental architectural problem with DCOM-based OPC Classic: <strong>security improvements at the OS level break the protocol, because the protocol was never designed with security as a requirement.<\/strong><\/p>\n<h3 class=\"text-text-100 mt-2 -mb-1 text-base font-bold\">The structural DCOM security problems<\/h3>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Beyond CVE-2021-26414, DCOM introduces several persistent security problems that cannot be fixed without replacing the protocol:<\/p>\n<ul>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Dynamic port allocation.<\/strong> DCOM negotiates communication ports dynamically, typically using a range of 49152\u201365535. Properly configured industrial firewalls should restrict port access to exactly what is needed. With DCOM, this is impractical; either you open thousands of ports (expanding your attack surface) or you restrict them and break OPC Classic connectivity. Most OT environments have resolved this tension by leaving firewall rules too permissive, creating exactly the kind of lateral movement opportunity that attackers exploit after an initial compromise.<\/li>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>No message-level encryption.<\/strong> OPC Classic has no native mechanism for encrypting the data it carries. Process values, setpoints, alarm states, and historical data all travel in plaintext over the network. On an assumed-isolated OT network, this was acceptable. 
On a network with any IT\/OT connectivity (which now describes most industrial facilities) it means that any device with network access can read operational data in transit.<\/li>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>No application-level authentication.<\/strong> OPC Classic relies on Windows user accounts and DCOM security settings for access control. There is no concept of an application presenting a cryptographic certificate to prove its identity before being granted access to process data. This means that any application running as a sufficiently privileged Windows user can connect to an OPC Classic server without the server being able to verify what that application actually is.<\/li>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Firewall-hostile by design.<\/strong> The combination of dynamic port allocation and DCOM&#8217;s reliance on the Windows RPC endpoint mapper (port 135) makes OPC Classic inherently difficult to isolate with firewall rules. IEC 62443 Zone and Conduit models require precise control of communication paths between security zones. DCOM makes this precision extremely difficult to achieve in practice.<\/li>\n<\/ul>\n<h2 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\">Why replacing legacy systems is not always the answer<\/h2>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The obvious solution to OPC Classic security problems is to replace OPC Classic servers with native OPC UA servers. OPC UA was built from the ground up with security as a core requirement. 
It has mandatory encryption, X.509 certificate authentication, role-based access control, and a single configurable port that works cleanly with firewall rules.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">But &#8220;replace everything&#8221; is not a realistic plan for most industrial facilities. The reasons are straightforward:<\/p>\n<ul>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Installed base depth.<\/strong> An established manufacturing plant may have dozens or hundreds of OPC Classic server integrations, PLCs, DCSs, historians, SCADA systems, some of which have been running reliably for fifteen years. Replacing all of them requires significant engineering time, extensive testing, and operational risk during the transition.<\/li>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Vendor support timelines.<\/strong> Not every OPC Classic server has a supported upgrade path to OPC UA. Some legacy device vendors have discontinued the product lines involved. Others offer OPC UA upgrades that require hardware replacement, not just a firmware update.<\/li>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Budget and prioritisation.<\/strong> Capital expenditure for full protocol replacement competes with other operational and maintenance priorities. A phased approach that reduces security risk immediately, before full replacement is budgeted and planned, is often more realistic.<\/li>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Operational continuity requirements.<\/strong> Critical processes cannot be taken offline for extended migration windows. 
The risk of a migration-induced outage in a high-availability environment can outweigh the risk of a delayed migration.<\/li>\n<\/ul>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">This is the context in which the OPC UA Wrapper addresses a real operational need.<\/p>\n<h2 data-ccp-border-between=\"0px none #e5e7eb\" data-ccp-padding-between=\"0px\" aria-level=\"2\">How the OPC UA Wrapper eliminates DCOM security risks<\/h2>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The <a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/integrationobjects.com\/sioth-opc\/sioth-opc-unified-architecture\/opc-ua-wrapper\/\">OPC UA Wrapper<\/a> is a software bridge that sits between your existing OPC Classic infrastructure and the rest of your operational and enterprise architecture. It operates in two directions:<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>OPC Classic server \u2192 OPC UA clients (the Wrapper component).<\/strong> Existing OPC Classic servers, DA, HDA, and AE, continue to run exactly as they do today, communicating via DCOM on the local machine or within a tightly controlled network segment. The Wrapper connects to those servers using the legacy protocol internally, then re-exposes their data as a fully compliant OPC UA server to any external client. Those external clients, cloud platforms, analytics tools, MES systems, modern SCADA, connect using OPC UA with full encryption, certificate authentication, and RBAC. They never touch DCOM.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>OPC UA servers \u2192 OPC Classic clients (the Proxy component).<\/strong> The reverse is equally supported. 
Where legacy OPC Classic client applications need to access modern OPC UA servers, the Proxy presents the OPC UA server as if it were an OPC Classic server. The legacy client connects via its familiar OPC Classic interface; the Proxy handles the OPC UA connection on the other side.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1547 aligncenter\" src=\"https:\/\/integrationobjects.com\/blog\/wp-content\/uploads\/2025\/07\/PROXY-2-1024x576.png\" alt=\"OPC UA Wrapper\" width=\"464\" height=\"261\" srcset=\"https:\/\/integrationobjects.com\/blog\/wp-content\/uploads\/2025\/07\/PROXY-2-1024x576.png 1024w, https:\/\/integrationobjects.com\/blog\/wp-content\/uploads\/2025\/07\/PROXY-2-300x169.png 300w, https:\/\/integrationobjects.com\/blog\/wp-content\/uploads\/2025\/07\/PROXY-2-768x432.png 768w, https:\/\/integrationobjects.com\/blog\/wp-content\/uploads\/2025\/07\/PROXY-2.png 1536w\" sizes=\"auto, (max-width: 464px) 100vw, 464px\" \/><\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The security effect of this architecture is significant:<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>DCOM is contained.<\/strong> The Wrapper\/Proxy localises DCOM communication to a controlled, minimal network zone &#8211; ideally the same physical or virtual host as the OPC Classic server. DCOM traffic no longer traverses the broader OT or IT network. The attack surface of DCOM vulnerabilities like CVE-2021-26414 is reduced to a managed, isolated perimeter rather than spanning the full network.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>All external traffic uses <a href=\"https:\/\/integrationobjects.com\/blog\/blog-opc-ua-security\/\">OPC UA security.<\/a><\/strong> Every client connecting from outside that contained perimeter uses OPC UA with AES-256 encryption and X.509 certificate authentication. 
This satisfies the encrypted communications requirements of IEC 62443, NIS2 (for EU operators of essential services), and NERC CIP (for North American energy sector facilities).<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Audit logging improves.<\/strong> The Wrapper provides advanced session logging and diagnostics recording which clients connected, when, what data they accessed, and what operations they performed. This audit trail supports the incident detection and regulatory reporting requirements of NIS2, NERC CIP, and FDA 21 CFR Part 11.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>No changes to existing OPC Classic servers or clients.<\/strong> The Wrapper is transparent to the legacy infrastructure. Existing OPC Classic servers do not need to be modified, updated, or retested. The security improvement is achieved at the boundary, not inside the legacy systems.<\/p>\n<p><i>Ready for a secure upgrade?<\/i><br \/>\n<a id=\"download\" class=\"btn_product_download\" href=\"https:\/\/integrationobjects.com\/FileDownload\/PDF\/OPCUAWrapperUserGuide3.2rev0.pdf\" target=\"_blank\" rel=\"noopener\">step-by-step OPC UA migration guide (PDF)<\/a><\/p>\n<h2 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\">What organisations in your sector are dealing with right now<\/h2>\n<ul>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Manufacturing (EU):<\/strong> The NIS2 Directive, effective October 2024, requires medium and large manufacturers classified as essential or important entities to implement appropriate technical cybersecurity measures. 
For OT environments, the most immediate gaps are typically unencrypted communications and inadequate access controls \u2014 precisely what DCOM-based OPC Classic fails to address. OPC UA Wrapper deployments can demonstrate measurable progress toward NIS2 compliance without requiring full infrastructure replacement.<\/li>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Energy and utilities (North America):<\/strong> NERC CIP standards require bulk electric system operators to maintain Electronic Security Perimeters with precise access controls. DCOM&#8217;s dynamic port requirements make this technically challenging. Replacing DCOM-exposed OPC Classic connections with OPC UA Wrapper-mediated connections simplifies firewall rule management and makes Electronic Security Perimeter compliance more achievable.<\/li>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Oil and gas (global):<\/strong> Wellsite and refinery environments frequently combine decades-old process control systems with modern data integration requirements. OPC Classic servers are common in these environments; so are requirements to push process data to cloud historians, AI analytics platforms, and corporate data warehouses. The OPC UA Wrapper enables this integration over secure OPC UA connections without touching the underlying control system.<\/li>\n<li class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Pharmaceuticals (US and EU):<\/strong> FDA 21 CFR Part 11 and EU Annex 11 require electronic records to be trustworthy and traceable. Unencrypted, unauthenticated OPC Classic communications are difficult to defend in a regulatory audit context. 
OPC UA Wrapper deployments add the authentication and audit trail that compliance requires.<\/li>\n<\/ul>\n<h2 data-ccp-border-between=\"0px none #e5e7eb\" data-ccp-padding-between=\"0px\" aria-level=\"2\">What customers say<\/h2>\n<div style=\"margin-bottom: 15px; padding: 10px 15px; background-color: #fff; border-left: 5px solid #2C3A66; display: inline-block; text-align: left; max-width: 90%; margin-left: 50px;\">\n<p style=\"font-style: italic; margin-bottom: 0px;\">\u201cOPC UA Wrapper allowed us to enhance security across our legacy OPC servers without disrupting operations. The encryption and authentication features have been critical to implement security measures recommended during cyber security audits\u201d<\/p>\n<p style=\"font-weight: bold; text-align: right; margin-bottom: 0px;\">\u2013 IT Security Manager, Chemical Manufacturing<\/p>\n<\/div>\n<div style=\"margin-bottom: 15px; padding: 10px 15px; background-color: #fff; border-right: 5px solid #2C3A66; display: inline-block; text-align: left; max-width: 90%; margin-left: 50px;\">\n<p style=\"font-style: italic; margin-bottom: 0px;\">\u201cOur transition to Industry 4.0 was further facilitated with our migration to OPC UA via the Wrapper. 
It helped bridge old and new systems securely.\u201d<\/p>\n<p style=\"font-weight: bold; text-align: right; margin-bottom: 0px;\">\u2013 Automation Engineer, Automotive Industry<\/p>\n<\/div>\n<div style=\"margin-bottom: 15px; padding: 10px 15px; background-color: #fff; border-left: 5px solid #2C3A66; display: inline-block; text-align: left; max-width: 90%; margin-left: 50px;\">\n<p style=\"font-style: italic; margin-bottom: 0px;\">\u201cThe OPC UA Wrapper provided peace of mind by closing security gaps and allowing us to integrate modern applications without replacing legacy servers.\u201d<\/p>\n<p style=\"font-weight: bold; text-align: right; margin-bottom: 0px;\">\u2013 Digital Transformation Lead, Energy Sector<\/p>\n<\/div>\n<div class=\"wp-block-button has-custom-width wp-block-button__width-50 is-style-fill\" style=\"margin-bottom: 20px; margin: auto; position: relative; display: block;\"><a class=\"wp-block-button__link has-luminous-vivid-orange-background-color has-background no-border-radius\" style=\"\/*! width: max-content; *\/display: block; \/*! position: relative; *\/width: max-content; margin: auto;\" href=\"https:\/\/www.youtube.com\/watch?v=Ve4vhzObs38e\" target=\"_blank\" rel=\"noreferrer noopener\"><strong> how-to video on configuring OPC UA Wrapper <\/strong><\/a><\/div>\n<h2 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\">Getting started<\/h2>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The OPC UA Wrapper is a plug-and-play deployment \u2014 no changes to existing OPC Classic servers, no PLC modifications, no process downtime required. 
Integration Objects provides full documentation and video tutorials to guide the configuration process.<\/p>\n<ul class=\"[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc flex flex-col gap-1 pl-8 mb-3\">\n<li class=\"whitespace-normal break-words pl-2\"><a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/www.youtube.com\/watch?v=Ve4vhzObs38e\">Watch the OPC UA Wrapper configuration video<\/a><\/li>\n<li class=\"whitespace-normal break-words pl-2\"><a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/integrationobjects.com\/FileDownload\/PDF\/OPCUAWrapperUserGuide3.2rev0.pdf\">Download the OPC UA Wrapper User Guide (PDF)<\/a><\/li>\n<li class=\"whitespace-normal break-words pl-2\"><a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/integrationobjects.com\/sioth-opc\/sioth-opc-unified-architecture\/opc-ua-wrapper\/\">Explore the OPC UA Wrapper product page<\/a><\/li>\n<li class=\"whitespace-normal break-words pl-2\"><a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/integrationobjects.com\/contact\/\">Contact Integration Objects to discuss your environment<\/a><\/li>\n<\/ul>\n<h2>Frequently asked questions<\/h2>
<div id=\"sp_easy_accordion-1776355791\"><div id=\"sp-ea-1828\" class=\"sp-ea-one sp-easy-accordion\" data-ea-active=\"ea-click\" data-ea-mode=\"vertical\" data-preloader=\"\" data-scroll-active-item=\"\" data-offset-to-scroll=\"0\"><div class=\"ea-card ea-expand sp-ea-single\"><h3 class=\"ea-header\"><a class=\"collapsed\" id=\"ea-header-18280\" role=\"button\" data-sptoggle=\"spcollapse\" data-sptarget=\"#collapse18280\" aria-controls=\"collapse18280\" href=\"#\" aria-expanded=\"true\" tabindex=\"0\"><i aria-hidden=\"true\" role=\"presentation\" class=\"ea-expand-icon eap-icon-ea-expand-minus\"><\/i> What is CVE-2021-26414 and how does it affect OPC Classic?<\/a><\/h3><div class=\"sp-collapse spcollapse collapsed show\" id=\"collapse18280\" data-parent=\"#sp-ea-1828\" role=\"region\" aria-labelledby=\"ea-header-18280\"> <div class=\"ea-body\"><p>CVE-2021-26414 is a critical vulnerability in the Windows DCOM Server Security Feature that allowed attackers to bypass DCOM authentication. Microsoft's mandatory KB5004442 patch, enforced from June 2023, tightened DCOM authentication in a way that broke many legacy OPC Classic client-server connections. Organisations were left choosing between leaving the vulnerability unpatched or accepting OPC Classic connectivity failures. 
The OPC UA Wrapper resolves this by moving external client connections off DCOM entirely and onto OPC UA.<\/p><\/div><\/div><\/div><div class=\"ea-card sp-ea-single\"><h3 class=\"ea-header\"><a class=\"collapsed\" id=\"ea-header-18281\" role=\"button\" data-sptoggle=\"spcollapse\" data-sptarget=\"#collapse18281\" aria-controls=\"collapse18281\" href=\"#\" aria-expanded=\"false\" tabindex=\"0\"><i aria-hidden=\"true\" role=\"presentation\" class=\"ea-expand-icon eap-icon-ea-expand-plus\"><\/i> Can the OPC UA Wrapper work without modifying existing OPC Classic servers?<\/a><\/h3><div class=\"sp-collapse spcollapse \" id=\"collapse18281\" data-parent=\"#sp-ea-1828\" role=\"region\" aria-labelledby=\"ea-header-18281\"> <div class=\"ea-body\"><p>Yes. The OPC UA Wrapper connects to existing OPC Classic servers using the standard OPC Classic (DCOM) interface, the same way any OPC Classic client does. No changes are required to the OPC Classic server, its configuration, or the underlying device or control system. The security improvement is applied at the Wrapper boundary, not inside the legacy server.<\/p><\/div><\/div><\/div><div class=\"ea-card sp-ea-single\"><h3 class=\"ea-header\"><a class=\"collapsed\" id=\"ea-header-18282\" role=\"button\" data-sptoggle=\"spcollapse\" data-sptarget=\"#collapse18282\" aria-controls=\"collapse18282\" href=\"#\" aria-expanded=\"false\" tabindex=\"0\"><i aria-hidden=\"true\" role=\"presentation\" class=\"ea-expand-icon eap-icon-ea-expand-plus\"><\/i> Does the OPC UA Wrapper support OPC DA, HDA, and AE?<\/a><\/h3><div class=\"sp-collapse spcollapse \" id=\"collapse18282\" data-parent=\"#sp-ea-1828\" role=\"region\" aria-labelledby=\"ea-header-18282\"> <div class=\"ea-body\"><p>Yes. The Wrapper component supports bridging from OPC DA (real-time data), OPC HDA (historical data), and OPC AE (alarms and events) servers to OPC UA clients. 
This means that OPC UA clients can access real-time process values, historical records, and alarm\/event data from legacy OPC Classic servers through a single, secured OPC UA interface.<\/p><\/div><\/div><\/div><div class=\"ea-card sp-ea-single\"><h3 class=\"ea-header\"><a class=\"collapsed\" id=\"ea-header-18283\" role=\"button\" data-sptoggle=\"spcollapse\" data-sptarget=\"#collapse18283\" aria-controls=\"collapse18283\" href=\"#\" aria-expanded=\"false\" tabindex=\"0\"><i aria-hidden=\"true\" role=\"presentation\" class=\"ea-expand-icon eap-icon-ea-expand-plus\"><\/i> Does the OPC UA Wrapper help with IEC 62443 compliance?<\/a><\/h3><div class=\"sp-collapse spcollapse \" id=\"collapse18283\" data-parent=\"#sp-ea-1828\" role=\"region\" aria-labelledby=\"ea-header-18283\"> <div class=\"ea-body\"><p>The OPC UA Wrapper contributes to IEC 62443 compliance by enabling encrypted, authenticated communications across the boundary between security zones - a core requirement of the IEC 62443 Zone and Conduit model. 
By containing DCOM to a minimal, controlled segment and exposing OPC UA to external clients, the Wrapper makes it practical to define and enforce the conduit controls that IEC 62443 requires.<\/p><\/div><\/div><\/div><div class=\"ea-card sp-ea-single\"><h3 class=\"ea-header\"><a class=\"collapsed\" id=\"ea-header-18284\" role=\"button\" data-sptoggle=\"spcollapse\" data-sptarget=\"#collapse18284\" aria-controls=\"collapse18284\" href=\"#\" aria-expanded=\"false\" tabindex=\"0\"><i aria-hidden=\"true\" role=\"presentation\" class=\"ea-expand-icon eap-icon-ea-expand-plus\"><\/i> What is the difference between the OPC UA Wrapper and the OPC UA Proxy components?<\/a><\/h3><div class=\"sp-collapse spcollapse \" id=\"collapse18284\" data-parent=\"#sp-ea-1828\" role=\"region\" aria-labelledby=\"ea-header-18284\"> <div class=\"ea-body\"><p>The OPC UA Wrapper component bridges OPC Classic <em>servers<\/em> to OPC UA <em>clients;<\/em>\u00a0legacy servers are exposed as modern OPC UA servers. The OPC UA Proxy component bridges OPC UA <em>servers<\/em> to OPC Classic <em>clients<\/em>; modern OPC UA servers are exposed as legacy OPC Classic servers. Both components are included in the OPC UA Wrapper product, enabling migration in both directions without disrupting either side of the existing architecture.<\/p><\/div><\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>The security problem no one wants to talk about Most industrial facilities running OPC Classic know, on some level, that their legacy protocol stack is<\/p>\n","protected":false},"author":1,"featured_media":1554,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[184,183],"tags":[194,50],"class_list":["post-1552","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-opc-classic","category-opc-ua","tag-opc-ua-security","tag-opc-ua-wrapper"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>OPC Classic Security Risks: Secure DCOM Safely<\/title>\n<meta name=\"description\" content=\"OPC classic security risks often stem from DCOM vulnerabilities, including CVE-2021-26414. 
Learn how an OPC UA Wrapper helps secure legacy systems without replacing infrastructure.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OPC Classic Security Risks: Secure DCOM Safely\" \/>\n<meta property=\"og:description\" content=\"OPC classic security risks often stem from DCOM vulnerabilities, including CVE-2021-26414. Learn how an OPC UA Wrapper helps secure legacy systems without replacing infrastructure.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/\" \/>\n<meta property=\"og:site_name\" content=\"OPC Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Integration.Objects.OPC\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-29T10:26:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-20T14:40:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/integrationobjects.com\/blog\/wp-content\/uploads\/2025\/07\/Banner-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"450\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"OPCBlogAdmin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@IntegObjects\" \/>\n<meta name=\"twitter:site\" content=\"@IntegObjects\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"OPCBlogAdmin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"OPC Classic Security Risks: Secure DCOM Safely","description":"OPC classic security risks often stem from DCOM vulnerabilities, including CVE-2021-26414. Learn how an OPC UA Wrapper helps secure legacy systems without replacing infrastructure.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/","og_locale":"en_US","og_type":"article","og_title":"OPC Classic Security Risks: Secure DCOM Safely","og_description":"OPC classic security risks often stem from DCOM vulnerabilities, including CVE-2021-26414. Learn how an OPC UA Wrapper helps secure legacy systems without replacing infrastructure.","og_url":"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/","og_site_name":"OPC Blog","article_publisher":"https:\/\/www.facebook.com\/Integration.Objects.OPC\/","article_published_time":"2025-08-29T10:26:24+00:00","article_modified_time":"2026-04-20T14:40:58+00:00","og_image":[{"width":800,"height":450,"url":"https:\/\/integrationobjects.com\/blog\/wp-content\/uploads\/2025\/07\/Banner-1.jpg","type":"image\/jpeg"}],"author":"OPCBlogAdmin","twitter_card":"summary_large_image","twitter_creator":"@IntegObjects","twitter_site":"@IntegObjects","twitter_misc":{"Written by":"OPCBlogAdmin","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/","url":"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/","name":"OPC Classic Security Risks: Secure DCOM Safely","isPartOf":{"@id":"https:\/\/integrationobjects.com\/blog-\/#website"},"primaryImageOfPage":{"@id":"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/#primaryimage"},"image":{"@id":"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/#primaryimage"},"thumbnailUrl":"https:\/\/integrationobjects.com\/blog\/wp-content\/uploads\/2025\/07\/Banner-1.jpg","datePublished":"2025-08-29T10:26:24+00:00","dateModified":"2026-04-20T14:40:58+00:00","author":{"@id":"https:\/\/integrationobjects.com\/blog-\/#\/schema\/person\/6efbaf488a07e418b93ff77f00af386b"},"description":"OPC classic security risks often stem from DCOM vulnerabilities, including CVE-2021-26414. 
Learn how an OPC UA Wrapper helps secure legacy systems without replacing infrastructure.","breadcrumb":{"@id":"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/#primaryimage","url":"https:\/\/integrationobjects.com\/blog\/wp-content\/uploads\/2025\/07\/Banner-1.jpg","contentUrl":"https:\/\/integrationobjects.com\/blog\/wp-content\/uploads\/2025\/07\/Banner-1.jpg","width":800,"height":450,"caption":"OPC Classic security risks"},{"@type":"BreadcrumbList","@id":"https:\/\/integrationobjects.com\/blog\/blog-opc-classic-security-risks-opc-ua-wrapper\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/integrationobjects.com\/blog-\/"},{"@type":"ListItem","position":2,"name":"Securing OPC Classic Systems with OPC UA: How the OPC UA Wrapper Eliminates DCOM Security Risks"}]},{"@type":"WebSite","@id":"https:\/\/integrationobjects.com\/blog-\/#website","url":"https:\/\/integrationobjects.com\/blog-\/","name":"OPC Blog","description":"OPC and related technologies news from Integration 
Objects","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/integrationobjects.com\/blog-\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/integrationobjects.com\/blog-\/#\/schema\/person\/6efbaf488a07e418b93ff77f00af386b","name":"OPCBlogAdmin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/integrationobjects.com\/blog-\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f2d787c3c48eb147d5b4d0c9d05c6f35a5946c7dc40af2eedbe64030e99ea299?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f2d787c3c48eb147d5b4d0c9d05c6f35a5946c7dc40af2eedbe64030e99ea299?s=96&d=mm&r=g","caption":"OPCBlogAdmin"}}]}},"_links":{"self":[{"href":"https:\/\/integrationobjects.com\/blog\/wp-json\/wp\/v2\/posts\/1552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/integrationobjects.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/integrationobjects.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/integrationobjects.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/integrationobjects.com\/blog\/wp-json\/wp\/v2\/comments?post=1552"}],"version-history":[{"count":7,"href":"https:\/\/integrationobjects.com\/blog\/wp-json\/wp\/v2\/posts\/1552\/revisions"}],"predecessor-version":[{"id":1835,"href":"https:\/\/integrationobjects.com\/blog\/wp-json\/wp\/v2\/posts\/1552\/revisions\/1835"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/integrationobjects.com\/blog\/wp-json\/wp\/v2\/media\/1554"}],"wp:attachment":[{"href":"https:\/\/integrationobjects.com\/blog\/wp-json\/wp\/v2\/media?parent=1552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/integrationobjects.com\/blog\/wp-json\/wp\/v2\/categories?post=1552"
},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/integrationobjects.com\/blog\/wp-json\/wp\/v2\/tags?post=1552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}