Virtual patching for process control systems

Increase protection from software vulnerabilities sooner while allowing more control of your industrial network maintenance.

11/20/2012

Mike Spear discusses virtual patching at HUG 2012 in Phoenix.

In today's industrial organizations, patching process control system software to remove security vulnerabilities is a regular, ongoing activity that is fraught with risk. Significant issues, such as a software regression, can be the result of installing a patch. At the same time, there is a potential for the system to become compromised if a patch has not been applied.

The calculation of whether to patch or not is governed by the trade-off between the risk of installing a defective patch versus the risk of a penetration, which pits two equally important objectives against one another. Patching a critical system may “break it”—but failing to do so could leave it open to a security vulnerability.

Vulnerability filters serve as a virtual patch to provide security for the unpatched systems, allowing better alignment of the patch process with production requirements. Courtesy: Honeywell

In addition to the security risk trade-off, there is a more pragmatic trade-off relative to the use of resources. Whether carried out automatically or manually, patching involves the application of resources, whose utilization and cost must be factored into the overall frequency of patching decisions.

An innovative technique known as virtual patching, however, allows industrial organizations to improve the patch process while raising a system’s security posture. Components like vulnerability filters provide security for the unpatched systems, allowing better alignment of the patch process with production requirements.

Today’s security risks

In manufacturing plants and other industrial facilities, the advent of open control system architectures and standard protocols has been a mixed blessing for enterprises. On one hand, the evolution from isolated proprietary applications to open technology has expanded process and business information availability. On the other hand, open technology has exposed the manufacturing enterprise to a variety of electronic threats. With the further integration of manufacturing assets to enterprise resource planning systems, the risks become even greater.

The increased vulnerability of the enterprise resulting from open architectures, coupled with increasing numbers of malware attacks, has made cyber security a major concern for manufacturers around the world. Accidental or malicious attacks can cause significant risk to the health and safety of personnel, production, and corporate reputation, to name only a few.

In order to minimize risks to plant automation and information systems, it is important to implement a defense-in-depth strategy that incorporates multiple layers of protection. One such layer is the hardening of servers and stations.

Implementing patches in a process control network can be a time-consuming exercise which, apart from increasing the resilience of the control system equipment against malware, also introduces a risk of failure during the patch installation process. Installing a software patch typically requires:

  • Coordination with the process operations staff to determine the appropriate time slot for patching
  • Actual installation of the patch
  • Swapping primary and secondary server functions to allow patching on the secondary server, and
  • Rebooting equipment to activate the modified software.

Together, these factors result in an average patch processing time for a server or station of between one and two hours per node. This exercise soon becomes costly, since security patches are normally issued monthly and are not necessarily aligned due to different patch release cycles from different manufacturers. While waiting for these elements to align, the vulnerability is public but the system is not patched, so there is an increased risk of a successful exploit—an infection by a network worm in the majority of the cases.

Virtual patching techniques

Virtual patching, unlike traditional patching, protects the system without touching the application, its libraries, or the operating system. Additionally, virtual patches are available much sooner than actual software patches. Within days after disclosure of a vulnerability, a virtual patch can become active, whereas an application manufacturer might take weeks to months to modify and test the software.

Under most circumstances, industrial network traffic is predictable both in volume and in the nature of what communicates with what. Changes in that traffic may indicate an intrusion. Courtesy: Honeywell

Using a virtual patching technique, maintenance organizations can reduce the change frequency in a distributed control system (DCS), typically driven by the monthly distribution of the Microsoft security patches, and remain protected against network-based attacks.

The process is designed to place a shield around the control network that checks for activity exploiting known vulnerabilities and offers good protection against so-called “zero-day attacks” not identified by protection mechanisms such as anti-virus software. A vulnerability filter is not directly affected by this limitation, since it filters the exploit of a specific vulnerability without being sensitive to changes in a particular malware signature.

The benefits of shielding are two-fold. Not only does it offer protection against network-based attacks or denial-of-service attacks, but it also stops the propagation of malware over the network. Malware—both viruses and network worms—often attempts to propagate to another node, frequently using the network. Virtual patching can stop this propagation effectively without having to physically disconnect a network segment, which would have a much greater impact.

Virtual patching in practice

Virtual patching filters the traffic between two points, using vulnerability filters which are designed to detect and block traffic that violates application protocols. These vulnerability filters behave like a network-based virtual software patch to protect downstream hosts from network-based attacks on unpatched vulnerabilities. The vulnerability filters are created as soon as new vulnerabilities are discovered to preempt any attacks. Specifically, this approach is used to shield the control network from traffic coming from Level 3 or above, or traffic flowing between communities. Various filters help redirect traffic to ensure smooth movement through the network while also ensuring security. Other filters monitor traffic levels to detect unusual spikes that may indicate a threat.

Of particular importance is the technique’s ability to rate-shape traffic flows based on application types, protocols, or IP addresses. Protocol anomaly filters run simultaneously via the threat suppression engine to detect out-of-spec network traffic. The filters detect conditions that are both necessary for an attack's success and guaranteed never to occur in normal traffic. They can detect multiple attacks without false negatives or false positives.
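As an added illustration (not code from the article or from any Honeywell product), the following Python models the kind of protocol-anomaly check described above for a hypothetical, constructed framed protocol. The frame layout, the payload limit, and the set of function codes are all assumptions made for this example. The point it demonstrates is the one the paragraph makes: every blocking condition is one that a spec-compliant sender can never produce, which is why such a filter can sit in front of an unpatched host without dropping legitimate traffic.

```python
"""Toy network-based vulnerability filter (added example, not the article's code).

Constructed protocol, for illustration only:
    [1 byte function code][2 bytes big-endian payload length][payload]
with a payload limit and a fixed set of defined function codes. Every
blocking rule below is a condition that a spec-compliant sender can never
produce, so legitimate control traffic is never dropped while malformed or
out-of-spec frames never reach the unpatched downstream host.
"""
from dataclasses import dataclass
import struct

HEADER = struct.Struct(">BH")                 # function code, declared payload length
MAX_PAYLOAD = 256                             # constructed protocol maximum
KNOWN_FUNCTIONS = {0x01, 0x02, 0x03, 0x10}    # constructed function codes


@dataclass(frozen=True)
class Verdict:
    action: str   # "pass" or "block"
    reason: str


def inspect_frame(frame: bytes) -> Verdict:
    """Protocol-anomaly checks for one frame; out-of-spec frames are blocked."""
    if len(frame) < HEADER.size:
        return Verdict("block", "truncated header")
    func, declared_len = HEADER.unpack_from(frame)
    if func not in KNOWN_FUNCTIONS:
        return Verdict("block", f"undefined function code 0x{func:02x}")
    if declared_len > MAX_PAYLOAD:
        return Verdict("block", f"declared length {declared_len} exceeds maximum {MAX_PAYLOAD}")
    actual_len = len(frame) - HEADER.size
    if declared_len != actual_len:
        return Verdict("block", f"declared length {declared_len} but {actual_len} bytes present")
    return Verdict("pass", "conforms to spec")


def filter_stream(frames):
    """Split frames into those forwarded to the control network and those dropped."""
    passed, blocked = [], []
    for frame in frames:
        verdict = inspect_frame(frame)
        (passed if verdict.action == "pass" else blocked).append((frame, verdict.reason))
    return passed, blocked


def build_frame(func: int, payload: bytes) -> bytes:
    """Helper for a well-formed frame of the constructed protocol."""
    return HEADER.pack(func, len(payload)) + payload


# Constructed sample traffic: two compliant frames and four out-of-spec ones.
SAMPLE_FRAMES = [
    build_frame(0x03, b"\x00\x10\x00\x02"),   # compliant read request
    build_frame(0x10, bytes(8)),              # compliant write request
    HEADER.pack(0x03, 4096) + bytes(16),      # declared length beyond the spec maximum
    HEADER.pack(0x03, 4) + b"\x00",           # declared length does not match bytes on the wire
    build_frame(0x7F, b""),                   # function code the spec does not define
    b"\x03",                                  # header cut short
]

if __name__ == "__main__":
    forwarded, dropped = filter_stream(SAMPLE_FRAMES)
    print(f"forwarded {len(forwarded)}, dropped {len(dropped)}")
    for frame, reason in dropped:
        print(f"  dropped {frame.hex()}: {reason}")
```

Because the rules are derived from the protocol specification rather than from a sample of malicious traffic, they need no update when an attacker changes a payload, which is the property the article attributes to vulnerability filters as opposed to signature matching.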

The vulnerability filters are reinforced by threshold filters, which establish a baseline of normal traffic levels by monitoring network traffic for a specified number of hours or days. These filters are configured to take specified actions when the traffic rises above or drops below a threshold.

Vulnerability filters can shield the control network from traffic coming from Level 3 or above, or traffic flowing between communities. Courtesy: Honeywell

The Nachi worm, for example, has the potential to cripple network performance by flooding the network with ICMP traffic, which could create excessive load on a router or host. Virtual patching would limit the traffic on the Level 3 network toward the Level 2 control network and keep CPU utilization at normal, stable levels to prevent system downtime. Thresholding filters enable security policy implementation based on the number of bytes in a particular stream, as well as connections and packets from particular hosts, over user-defined time frames ranging from per minute to per month.
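The baseline-and-threshold behaviour described in the last two paragraphs, as an added example in Python (not the article's or any vendor's code). The traffic records are constructed, the fixed-window bucketing is a simplification, and the mean-plus-k-standard-deviations rule with an absolute floor is one reasonable choice of threshold, not the one any product uses. It learns per-host baselines of ICMP packets per window from a quiet period, then returns a rate-limit action for a flood-like spike from a single host and an alert for a drop below the baseline, which is the per-host response the article contrasts with disconnecting a whole segment.

```python
"""Threshold filter with a learned baseline (added example, not the article's code).

Constructed scenario: ICMP packets crossing from the Level 3 network toward the
Level 2 control network, bucketed per source host into fixed windows (per minute
here; the window length is a parameter, so per hour or per day work the same
way). A baseline is learned from a quiet period, and each later window is judged
against [mean - margin, mean + margin]. A worm-style ICMP flood crosses the upper
threshold and gets a rate-limit action for that host only; a host that goes
quiet crosses the lower threshold and raises an alert.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import statistics


def bucket_counts(records, window_seconds, protocol="icmp"):
    """records: (epoch_seconds, src_host, protocol). Returns {host: [count per window]}.

    Windows are aligned to the earliest matching record; windows in which a host
    sent nothing count as 0, so a silent host is visible to the lower threshold.
    """
    matching = [r for r in records if r[2] == protocol]
    if not matching:
        return {}
    start = min(r[0] for r in matching)
    n_windows = (max(r[0] for r in matching) - start) // window_seconds + 1
    counts = defaultdict(lambda: [0] * n_windows)
    for ts, host, _ in matching:
        counts[host][(ts - start) // window_seconds] += 1
    return dict(counts)


@dataclass
class ThresholdFilter:
    k: float = 3.0            # how many baseline standard deviations to tolerate
    min_margin: float = 5.0   # absolute floor so a perfectly steady baseline is not hair-trigger
    baseline: dict = field(default_factory=dict)   # host -> (low, high)

    def learn(self, observations):
        """observations: {host: [count per window, ...]} from the baseline period."""
        for host, counts in observations.items():
            mu = statistics.fmean(counts)
            margin = max(self.k * statistics.pstdev(counts), self.min_margin)
            self.baseline[host] = (max(0.0, mu - margin), mu + margin)

    def evaluate(self, host, count):
        """Return (action, reason) for one host's count in one window."""
        if host not in self.baseline:
            return ("alert", "no baseline learned for this host")
        low, high = self.baseline[host]
        if count > high:
            return ("rate-limit", f"{count} packets exceeds upper threshold {high:.1f}")
        if count < low:
            return ("alert", f"{count} packets below lower threshold {low:.1f}")
        return ("pass", "within baseline")


# Constructed baseline: ten quiet minutes of ICMP counts per Level 3 host.
BASELINE = {
    "10.3.0.20": [10, 12, 11, 13, 12, 11, 10, 12, 11, 13],   # a workstation
    "10.3.0.40": [40] * 10,                                   # a steady monitoring host
}

# Constructed later windows to judge against the baseline.
OBSERVED = [
    ("10.3.0.20", 900),   # flood-like burst from the workstation
    ("10.3.0.20", 14),    # ordinary minute
    ("10.3.0.40", 2),     # monitoring host has nearly gone quiet
    ("10.3.0.40", 41),    # ordinary minute
    ("10.3.0.99", 7),     # host never seen during the baseline period
]


def run_demo():
    """Learn the constructed baseline and return {(host, count): action}."""
    f = ThresholdFilter()
    f.learn(BASELINE)
    return {(host, count): f.evaluate(host, count)[0] for host, count in OBSERVED}


if __name__ == "__main__":
    for (host, count), action in run_demo().items():
        print(f"{host:>10} {count:>4} packets/min -> {action}")
```

The absolute floor matters in practice: a host whose baseline count never varies has a standard deviation of zero, and without a floor a single extra packet would trigger an action. Longer windows (per hour, per day) are handled by passing a larger `window_seconds` to `bucket_counts` and learning a baseline over correspondingly more windows.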

Moving forward

Plants today are faced with novel threats that must be met with dwindling resources, and protecting themselves from outside attacks is a priority that requires significant investment in terms of time and attention. Determining when and how to patch is a critical decision that should not be taken lightly.

However, by deploying virtual patching, industrial operations can ensure increased protection against the risks of zero-day attacks and can significantly reduce the impact of a malware infection. By reducing the rate of change induced by security patches for the shielded control networks, plants can provide increased reliability while improving security posture. Furthermore, facilities can improve the patch management process by having more control over the moment of security patch installation and, consequently, achieve significant cost savings.

Mike Spear is global operations manager, industrial IT solutions for Honeywell.

Key concepts:

  • Patching your industrial networks is necessary, but keeping current can be a challenge.
  • Virtual patching can provide the same protection as a real patch, but can be implemented more quickly and without some of the risks involved with regular patches.

