Managing MS Windows NT4

In a manufacturing environment, change to critical IT systems such as production controllers on the plant floor, enterprise resource planning (ERP) systems, and directory or DNS systems can present considerable business risk. One special class of systems where any change, authorized or not, creates a high-risk proposition is legacy systems running the Microsoft Windows NT4 operating system.

01/01/2008


Several of the world’s largest manufacturers still utilize a significant number of NT4 systems running everything from ERP in the datacenter to production controllers on the plant floor. These systems are supporting fragile legacy applications and are doing so with very limited computing resources. Applications include NT4-based workstations and servers in the manufacturing environment being used as human-machine interfaces (HMIs) and machine control computers. The computers run applications such as gauging, test, measurement, and fastening systems on the production floor.

Changes to these systems, including simple operating system patches, were causing in-production outages and downtime that threatened overall plant production. Additionally, the difficult task of repairing the legacy applications further extended manufacturing downtime. And while the simple answer seemed to be “don’t patch or change these systems,” this isn’t an option given the security requirements of most IT organizations. NT4 systems on the network had many vulnerabilities and they needed to be protected. Failure to protect the NT4 systems could result in additional downtime, lost or compromised data, penalties due to regulatory non-compliance, and other costly business risks.

Take the case of a major automotive manufacturer confronted with a daunting choice: either continue patching its NT systems or migrate them to a current platform. Microsoft has agreed to extend NT4 patch support for critical security vulnerabilities through 2009, but has made this support even more expensive than it was prior to the original 2006 deadline. This cost will increase non-linearly as the 2009 deadline approaches and, even if patches are available, applying them to systems running the legacy applications is a risky proposition.

“From a patching perspective, it became cost-prohibitive for us to maintain a secure and operational state of these platforms,” said a plant operations system engineer for the manufacturer. “We needed to eliminate our dependence on Microsoft patches, mitigate risks from zero-day threats, and gain increased control over change to our plant floor infrastructure.”

The manufacturer chose to adopt a new approach to risk management for its critical production and plant floor systems — a “lock down” method of change control that could:

  • Categorically prevent all unauthorized code from executing;

  • Allow desired changes to the system via defined processes;

  • Record all changes to authorized code, as well as critical files and registry keys;

  • Record all attempts to make unauthorized changes;

  • Have a small footprint with no performance impact on existing applications; and

  • Require no ongoing maintenance, configuration or update.

The automotive manufacturer determined that Solidcore and its S3 Control software was the best fit to lock down the critical NT4 systems and build a continuous service availability infrastructure. “Security is a subset of the broader business problem for us when you look at unapproved and undocumented changes that can happen to these critical production systems,” said a system engineer with the plant operations team.

Solidcore’s S3 Control software is agent-based change control software that installs on NT4 systems. The software controls what software can change, as well as how, when, and by whom. It also determines what code can run based on authorized change control policies.

The change control software gave the plant floor IT team the capability to enforce what could be installed, uninstalled, upgraded, or modified on the base software image of the networked NT systems in production. According to the company, the IT team installed and set up the software quickly with low initial and ongoing operational overhead, then worked to harden the gold base image of the NT4 systems.
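The lock-down model described above can be sketched as a hash allowlist taken from the gold image, plus a set of authorized updaters and an audit trail. This is an added illustration, not Solidcore's code or a description of how S3 Control is implemented; the class, method, actor, and path names are all hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

@dataclass
class Lockdown:
    """Hypothetical model: a gold-image allowlist plus authorized updaters."""
    updaters: set                                   # identities allowed to change code
    baseline: dict = field(default_factory=dict)    # path -> SHA-256 of authorized content
    audit: list = field(default_factory=list)       # (event, path, actor)

    def snapshot(self, files: dict) -> None:
        # Freeze the gold image: what is present now is what may run.
        self.baseline = {path: digest(data) for path, data in files.items()}

    def may_execute(self, path: str, data: bytes, actor: str) -> bool:
        """Code runs only if its hash matches the authorized baseline."""
        ok = self.baseline.get(path) == digest(data)
        self.audit.append(("exec-allowed" if ok else "exec-denied", path, actor))
        return ok

    def write(self, files: dict, path: str, data: bytes, actor: str) -> bool:
        """Changes go through an authorized updater; every attempt is logged."""
        if actor in self.updaters:
            files[path] = data
            self.baseline[path] = digest(data)
            self.audit.append(("change-authorized", path, actor))
            return True
        if path in self.baseline:                   # protected file: refuse the write
            self.audit.append(("change-denied", path, actor))
            return False
        files[path] = data                          # new file lands but is not authorized
        self.audit.append(("unauthorized-file", path, actor))
        return True

def demo():
    # Constructed sample data: paths, contents and actor names are invented.
    gauge, dropped = r"C:\HMI\gauge.exe", r"C:\TEMP\tool.exe"
    files = {gauge: b"gauge v1"}
    policy = Lockdown(updaters={"patch-updater"})
    policy.snapshot(files)
    results = [
        policy.write(files, gauge, b"tampered", "operator"),
        policy.write(files, dropped, b"payload", "operator"),
        policy.may_execute(dropped, files[dropped], "operator"),
        policy.write(files, gauge, b"gauge v2", "patch-updater"),
        policy.may_execute(gauge, files[gauge], "operator"),
    ]
    return results, [event for event, _, _ in policy.audit]
```

The audit list is what a reviewer would reconcile against change tickets: every denied write or denied execution is an attempt that had no approved change behind it.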

The software also allowed the senior IT management team to dictate the degree of flexibility given to system engineers on the plant floor, which translated into greater control over what could be installed on the NT4 systems once in production.

“We conducted a rigorous evaluation of technologies to find the right fit, and made sure to test our methodology and the software on a small set of servers,” said the system engineer. “With Solidcore installed, we were able to verify the protection of files, ensure a newly installed executable could not be run, ensure over-the-wire OS [operating system] functions worked as expected, and ensure memory protection was enabled.”

From a security perspective, the software provided protection against existing and unknown zero-day threats by helping to control what code could be executed on the NT4 machines. By acting as a “concrete wrapper” around the gold base image of an NT4 system, the change control software helps ensure a server on the production floor cannot be compromised. And because any changes attempted by malicious code or unauthorized users are prevented, the reliance upon anti-virus and other security software packages is reduced. This lockdown mode helped eliminate previous emergency patching, reduced the number and frequency of patching cycles, and enabled more time for testing before patches were deployed to in-production systems.

The runtime control element of Solidcore’s change control software also helped this manufacturer reduce the cost of operations by reducing both planned patching and unplanned recovery downtime, thereby increasing system availability across the plant.

The company’s system engineer said the solution “allowed us to lock down the NT4 environment, but also allowed us to make policy-based changes to our critical NT systems when we needed to. It lets us patch and migrate our NT systems on our own schedule.”



Author Information

Bob Vieraitis is vice president of product management for Solidcore Systems, a provider of real-time change control software based in Cupertino, CA.



