Managing MS Windows NT4

In a manufacturing environment, change to critical IT systems such as production controllers on the plant floor, enterprise resource planning (ERP) systems, and directory or DNS systems can present considerable business risk. One special class of systems where any change, authorized or not, creates a high-risk proposition is legacy systems running the Microsoft Windows NT4 operating system.

Several of the world’s largest manufacturers still utilize a significant number of NT4 systems running everything from ERP in the datacenter to production controllers on the plant floor. These systems are supporting fragile legacy applications and are doing so with very limited computing resources. Applications include NT4-based workstations and servers in the manufacturing environment being used as human-machine interfaces (HMIs) and machine control computers. The computers run applications such as gauging, test, measurement, and fastening systems on the production floor.

Changes to these systems, including simple operating system patches, were causing in-production outages and downtime that threatened overall plant production. Additionally, the difficult task of repairing the legacy applications further extended manufacturing downtime. And while the simple answer seemed to be “don’t patch or change these systems,” this wasn’t an option given the security requirements of most IT organizations. NT4 systems on the network had many vulnerabilities and they needed to be protected. Failure to protect the NT4 systems could result in additional downtime, lost or compromised data, penalties due to regulatory non-compliance, and other costly business risks.

Take the case of a major automotive manufacturer confronted with a daunting task: either continue patching or migrate their NT systems to a current platform. Microsoft has agreed to extend NT4 patch support for critical security vulnerabilities through 2009, but has made this support even more expensive than it was prior to the original 2006 deadline. This cost will increase non-linearly as the 2009 deadline approaches and, even if patches are available, applying them to the legacy applications is a risky proposition.

“From a patching perspective, it became cost-prohibitive for us to maintain a secure and operational state of these platforms,” said a plant operations system engineer for the manufacturer. “We needed to eliminate our dependence on Microsoft patches, mitigate risks from zero-day threats, and gain increased control over change to our plant floor infrastructure.”

The manufacturer chose to adopt a new approach to risk management for its critical production and plant floor systems — a “lock down” method of change control that could:

  • Categorically prevent all unauthorized code from executing;

  • Allow desired changes to the system via defined processes;

  • Record all changes to authorized code, as well as critical files and registry keys;

  • Record all attempts to make unauthorized changes;

  • Have a small footprint with no performance impact on existing applications; and

  • Require no ongoing maintenance, configuration or update.

The automotive manufacturer determined that Solidcore and its S3 Control software was the best fit to lock down the critical NT4 systems and build a continuous service availability infrastructure. “Security is a subset of the broader business problem for us when you look at unapproved and undocumented changes that can happen to these critical production systems,” said a system engineer with the plant operations team.

Solidcore’s S3 Control software is agent-based change control software that installs on NT4 systems. The software controls what software can change, as well as how, when, and by whom. It also determines what code can run based on authorized change control policies.

The change control software provided the plant floor IT team with the capability to enforce what could be installed, uninstalled, upgraded, or modified in the base software image of the networked NT systems in production. According to the company, the IT team installed and set up the software quickly with low initial and ongoing operational overhead, then worked to harden the gold base image of the NT4 systems.
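The lockdown requirements listed above (block unauthorized code, permit changes only through a defined process, record every authorized and attempted change) and the idea of baselining a hardened gold image can be modelled in a few dozen lines. The following is an added illustration written for this article, not Solidcore's S3 Control code; the `LockdownPolicy` class, the `GOLD_IMAGE` sample and the change-ticket names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample "gold base image": path -> file contents. A real agent
# would hash the actual binaries on disk; these bytes are stand-ins.
GOLD_IMAGE: Dict[str, bytes] = {
    r"C:\HMI\gauge.exe": b"gauge v1",
    r"C:\HMI\fasten.exe": b"fasten v1",
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class LockdownPolicy:
    allowlist: Dict[str, str] = field(default_factory=dict)   # path -> sha256
    audit: List[Tuple[str, str, str]] = field(default_factory=list)
    change_ticket: Optional[str] = None                       # open change window

    def baseline(self, image: Dict[str, bytes]) -> None:
        # Record the hardened gold image as the only code allowed to run.
        for path, content in image.items():
            self.allowlist[path] = digest(content)

    def execute(self, path: str, content: bytes) -> bool:
        # Execution is allowed only when the binary matches its baseline hash,
        # so unknown programs and tampered copies of authorized ones are both blocked.
        ok = self.allowlist.get(path) == digest(content)
        self.audit.append(("exec", path, "allowed" if ok else "blocked"))
        return ok

    def open_change_window(self, ticket: str) -> None:
        # The "defined process": changes are accepted only under an approved ticket.
        self.change_ticket = ticket
        self.audit.append(("window", ticket, "opened"))

    def close_change_window(self) -> None:
        self.audit.append(("window", self.change_ticket or "", "closed"))
        self.change_ticket = None

    def write(self, path: str, content: bytes) -> bool:
        # Outside a change window the write is blocked and recorded; inside one,
        # the new hash becomes the authorized version and the change is recorded.
        if self.change_ticket is None:
            self.audit.append(("write", path, "blocked"))
            return False
        self.allowlist[path] = digest(content)
        self.audit.append(("write", path, "recorded under " + self.change_ticket))
        return True
```

Every decision lands in `audit`, which is the record of authorized changes and unauthorized attempts the requirements call for.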

The software also allowed the senior IT management team to dictate the degree of flexibility given to system engineers on the plant floor, which translated into greater control over what could be installed on the NT4 systems once in production.

“We conducted a rigorous evaluation of technologies to find the right fit, and made sure to test our methodology and the software on a small set of servers,” said the system engineer. “With Solidcore installed, we were able to verify the protection of files, ensure a newly installed executable could not be run, ensure over-the-wire OS [operating system] functions worked as expected, and ensure memory protection was enabled.”

From a security perspective, the software provided protection against existing and unknown zero-day threats by helping to control what code could be executed on the NT4 machines. By acting as a “concrete wrapper” around the gold base image of an NT4 system, the change control software helps ensure a server on the production floor cannot be compromised. And because any changes attempted by malicious code or unauthorized users are prevented, the reliance upon anti-virus and other security software packages is reduced. This lockdown mode helped eliminate previous emergency patching, reduced the number and frequency of patching cycles, and enabled more time for testing before patches were deployed to in-production systems.

The runtime control element of Solidcore’s change control software also helped this manufacturer reduce the cost of operations by reducing both planned patching and unplanned recovery downtime, thereby increasing system availability across the plant.

The company’s system engineer said the solution “allowed us to lock down the NT4 environment, but also allowed us to make policy-based changes to our critical NT systems when we needed to. It lets us patch and migrate our NT systems on our own schedule.”

Author Information

Bob Vieraitis is vice president of product management for Solidcore Systems, a provider of real-time change control software based in Cupertino, CA.
