Patching over software problems

Just as you would want to patch over a hole in your pants, you might find holes in your software that could be just as problematic and leave you with serious cyber security vulnerabilities. Patch those holes before something tears wide open.


The number of cyber attacks on industrial control systems has been increasing and the activity is visible on a global scale by site, manufacturer, and even by actual control system specific parameters. Many of those attacks are possible because of vulnerabilities in operating systems and applications, which need to be fixed using software patches. Having a sound patch management program in place will greatly reduce your risk and make you a hard target to a would-be attacker. 

That sounds good, but what does it mean? What exactly is patching? According to, patch, in verb form means to mend, cover, or strengthen with or as if with a patch or patches. It’s also a noun, meaning a piece of material used to cover or protect a wound, an injured part, etc.

In the industrial world

In control system terminology, patching indicates the process required to address a known weakness in a platform with the ability to have patches or software fixes applied. Platforms include operator interfaces, human machine interfaces (HMIs), computers, networking devices, and associated software loaded on these platforms. 

Patches are typically electronic files with updated configuration information or executable processes that, when applied, correct a given weakness in the affected system. Patches are critical to the protection and security of a system and should be applied as soon as possible for many reasons. As stated above, patches address known weaknesses in a system. This should be disturbing to you as an industrial control system specialist as you do not want your weaknesses to be known. But the inherent nature of patching requires most software and hardware manufacturers to notify the public first, that there is a problem with their system or software and secondly, how to address or fix the weakness.

Since the public is informed through various means of publications including Microsoft operating system updates and antivirus definition updates that immunize systems from viruses, the bad guys have a freely available method to learn of your weaknesses. Without a proven manageable process to validate and apply patches to your systems in frequent intervals, you are exposed and at risk of having your weaknesses exploited by hackers, disgruntled employees, or worse – terrorists.

What is patch management?

Patch management is a methodical process that includes documentation, validation, backup and recovery, and a step-by-step tiered approach to the application of change on your critical systems. The core of effective patch management is the actual validation of the change to ensure the updated patches or security enhancements do not disrupt the functionality of your system. Validation should be performed in a lab or non-production environment on equipment and software that is representative of your production environment. Without this validation, you may apply patches that change security parameters of your system that could stop communication between your devices.

Upon effective validation, prior to application of patches to the actual production equipment, a sound backup and recovery or disaster recovery plan should be in place to backup your device information and configuration. As discussed, patches actually change your system or software from its original state. If the patch causes problems, you would want to restore to your previous state immediately to resume operation.

To apply patches to your production system, a strategy identifying the order that patches will be applied should be identified and documented to repeat as new patches are released. From your population, identify an early adopter or first unit that you can take off-line for the time it takes to apply the patch. Then monitor for a period of time before rolling patches out on the remainder of your devices. By taking this tiered approach – lab validation, early adopter, and remainder of devices – you are greatly reducing the risk of a change or patch causing disruption to your overall system. Any issues may be identified prior to the application of patches in a very controlled, documented, and repeatable manner.

Patching your critical industrial control systems involves the collection of known fixes or patches, validation of these changes prior to application to your system, and then methodical application of patches in a controlled manner. The more frequently you repeat this process, the more up-to-date and less vulnerable your system will be to attack. FoxGuard Solutions specializes in the process of validating changes to industrial control system devices that have patching capability. We can work with your team to identify a strategy that meets your needs while making your critical system less vulnerable to attack.

Mark Trump is the security program manager for FoxGuard Solutions.

Safety and security channel includes information on cyber security.

No comments
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2013 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
Sister act: Building on their father's legacy, a new generation moves Bales Metal Surface Solutions forward; Meet the 2015 Engineering Leaders Under 40
2015 Mid-Year Report: Manufacturing's newest tool: In a digital age, digits will play a key role in the plant of the future; Ethernet certification; Mitigate harmonics; World class maintenance
2015 Lubrication Guide: Green and gold in lubrication: Environmentally friendly fluids and sealing systems offer a new perspective
Drilling for Big Data: Managing the flow of information; Big data drilldown series: Challenge and opportunity; OT to IT: Creating a circle of improvement; Industry loses best workers, again
Pipeline vulnerabilities? Securing hydrocarbon transit; Predictive analytics hit the mainstream; Dirty pipelines decrease flow, production—pig your line; Ensuring pipeline physical and cyber security
Cyber security attack: The threat is real; Hacking O&G control systems: Understanding the cyber risk; The active cyber defense cycle
Designing positive-energy buildings; Ensuring power quality; Complying with NFPA 110; Minimizing arc flash hazards
Building high availability into industrial computers; Of key metrics and myth busting; The truth about five common VFD myths
New industrial buildings: Greener, cleaner, leaner; New building designs for industry; Take a new look at absorption cooling; Offshored jobs start to come back

Annual Salary Survey

After almost a decade of uncertainty, the confidence of plant floor managers is soaring. Even with a number of challenges and while implementing new technologies, there is a renewed sense of optimism among plant managers about their business and their future.

The respondents to the 2014 Plant Engineering Salary Survey come from throughout the U.S. and serve a variety of industries, but they are uniform in their optimism about manufacturing. This year’s survey found 79% consider manufacturing a secure career. That’s up from 75% in 2013 and significantly higher than the 63% figure when Plant Engineering first started asking that question a decade ago.

Read more: 2014 Salary Survey: Confidence rises amid the challenges

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.