Patching over software problems

Just as you would want to patch over a hole in your pants, you might find holes in your software that could be just as problematic and leave you with serious cyber security vulnerabilities. Patch those holes before something tears wide open.

10/19/2011


The number of cyber attacks on industrial control systems has been increasing and the activity is visible on a global scale by site, manufacturer, and even by actual control system specific parameters. Many of those attacks are possible because of vulnerabilities in operating systems and applications, which need to be fixed using software patches. Having a sound patch management program in place will greatly reduce your risk and make you a hard target to a would-be attacker. 

That sounds good, but what does it mean? What exactly is patching? According to dictionary.com, patch, in verb form means to mend, cover, or strengthen with or as if with a patch or patches. It’s also a noun, meaning a piece of material used to cover or protect a wound, an injured part, etc.

In the industrial world

In control system terminology, patching indicates the process required to address a known weakness in a platform with the ability to have patches or software fixes applied. Platforms include operator interfaces, human machine interfaces (HMIs), computers, networking devices, and associated software loaded on these platforms. 

Patches are typically electronic files with updated configuration information or executable processes that, when applied, correct a given weakness in the affected system. Patches are critical to the protection and security of a system and should be applied as soon as possible for many reasons. As stated above, patches address known weaknesses in a system. This should be disturbing to you as an industrial control system specialist as you do not want your weaknesses to be known. But the inherent nature of patching requires most software and hardware manufacturers to notify the public first, that there is a problem with their system or software and secondly, how to address or fix the weakness.

Since the public is informed through various means of publications including Microsoft operating system updates and antivirus definition updates that immunize systems from viruses, the bad guys have a freely available method to learn of your weaknesses. Without a proven manageable process to validate and apply patches to your systems in frequent intervals, you are exposed and at risk of having your weaknesses exploited by hackers, disgruntled employees, or worse – terrorists.

What is patch management?

Patch management is a methodical process that includes documentation, validation, backup and recovery, and a step-by-step tiered approach to the application of change on your critical systems. The core of effective patch management is the actual validation of the change to ensure the updated patches or security enhancements do not disrupt the functionality of your system. Validation should be performed in a lab or non-production environment on equipment and software that is representative of your production environment. Without this validation, you may apply patches that change security parameters of your system that could stop communication between your devices.

Upon effective validation, prior to application of patches to the actual production equipment, a sound backup and recovery or disaster recovery plan should be in place to backup your device information and configuration. As discussed, patches actually change your system or software from its original state. If the patch causes problems, you would want to restore to your previous state immediately to resume operation.

To apply patches to your production system, a strategy identifying the order that patches will be applied should be identified and documented to repeat as new patches are released. From your population, identify an early adopter or first unit that you can take off-line for the time it takes to apply the patch. Then monitor for a period of time before rolling patches out on the remainder of your devices. By taking this tiered approach – lab validation, early adopter, and remainder of devices – you are greatly reducing the risk of a change or patch causing disruption to your overall system. Any issues may be identified prior to the application of patches in a very controlled, documented, and repeatable manner.

Patching your critical industrial control systems involves the collection of known fixes or patches, validation of these changes prior to application to your system, and then methodical application of patches in a controlled manner. The more frequently you repeat this process, the more up-to-date and less vulnerable your system will be to attack. FoxGuard Solutions specializes in the process of validating changes to industrial control system devices that have patching capability. We can work with your team to identify a strategy that meets your needs while making your critical system less vulnerable to attack.

Mark Trump is the security program manager for FoxGuard Solutions.

www.foxguardsolutions.com

Safety and security channel includes information on cyber security.

http://www.controleng.com/channels/plant-safety-and-security.html



No comments
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2013 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Leaders Under 40 program features outstanding young people who are making a difference in manufacturing. View the 2013 Leaders here.
The new control room: It's got all the bells and whistles - and alarms, too; Remote maintenance; Specifying VFDs
2014 forecast issue: To serve and to manufacture - Veterans will bring skill and discipline to the plant floor if we can find a way to get them there.
2013 Top Plant: Lincoln Electric Company, Cleveland, Ohio
Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Plant Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.

Bring focus to PLC programming: 5 things to avoid in putting your system together; Managing the DCS upgrade; PLM upgrade: a step-by-step approach
Balancing the bagging triangle; PID tuning improves process efficiency; Standardizing control room HMIs
Commissioning electrical systems in mission critical facilities; Anticipating the Smart Grid; Mitigating arc flash hazards in medium-voltage switchgear; Comparing generator sizing software

Annual Salary Survey

Participate in the 2013 Salary Survey

In a year when manufacturing continued to lead the economic rebound, it makes sense that plant manager bonuses rebounded. Plant Engineering’s annual Salary Survey shows both wages and bonuses rose in 2012 after a retreat the year before.

Average salary across all job titles for plant floor management rose 3.5% to $95,446, and bonus compensation jumped to $15,162, a 4.2% increase from the 2010 level and double the 2011 total, which showed a sharp drop in bonus.

2012 Salary Survey Analysis

2012 Salary Survey Results

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.