Virtual patching for process control systems

Increase protection from software vulnerabilities sooner while allowing more control of your industrial network maintenance.


In today's industrial organizations, patching process control system software to remove security vulnerabilities is a regular, ongoing activity that is fraught with risk. Significant issues, such as a software regression, can be the result of installing a patch. At the same time, there is a potential for the system to become compromised if a patch has not been applied.

The calculation of whether to patch or not is governed by the trade-off between the risk of installing a defective patch versus the risk of a penetration, which pits two equally important objectives against one another. Patching a critical system may “break it”—but failing to do so could leave it open to a security vulnerability.

Vulnerability filters serve as a virtual patch to provide security for the unpatched systems, allowing better alignment of the patch process with production requirements. Courtesy: Honeywell

In addition to the security risk trade-off, there is a more pragmatic trade-off relative to the use of resources. Whether carried out automatically or manually, patching involves the application of resources, whose utilization and cost must be factored into the overall frequency of patching decisions.

An innovative technique known as virtual patching, however, allows industrial organizations to improve the patch process while raising a system’s security posture. Components like vulnerability filters provide security for the unpatched systems, allowing better alignment of the patch process with production requirements.

Today’s security risks

In manufacturing plants and other industrial facilities, the advent of open control system architectures and standard protocols has been a mixed blessing for enterprises. On one hand, the evolution from isolated proprietary applications to open technology has expanded process and business information availability. On the other hand, open technology has exposed the manufacturing enterprise to a variety of electronic threats. With the further integration of manufacturing assets to enterprise resource planning systems, the risks become even greater.

The increased vulnerability of the enterprise resulting from open architectures, coupled with increasing numbers of malware attacks, has made cyber security a major concern for manufacturers around the world. Accidental or malicious attacks can cause significant risk to the health and safety of personnel, production, and corporate reputation, to name only a few.

In order to minimize risks to plant automation and information systems, it is important to implement a defense-in-depth strategy, which incorporates multiple layers of protection. One such layer in particular includes hardening of the servers and stations.

Implementing patches in a process control network can be a time-consuming exercise which, apart from increasing the resilience of the control system equipment against malware attacks, also introduces an increased risk of failure during the patch installation process. Installing a software patch typically requires:

  • Coordination with the process operations staff to determine the appropriate time slot for patching
  • Actual installation of the patch
  • Swapping primary and secondary server functions to allow patching on the secondary server, and
  • Rebooting equipment to activate the modified software.

Together, these factors result in an average patch processing time for a server or station of between one and two hours per node. This exercise soon becomes costly, since security patches are normally issued monthly and are not necessarily aligned due to different patch release cycles from different manufacturers. While waiting for these elements to align, the vulnerability is public but the system is not patched, so there is an increased risk of a successful exploit—an infection by a network worm in the majority of the cases.

Virtual patching techniques

Virtual patching, unlike traditional patching, protects the system without touching the application, its libraries, or the operating system. Additionally, virtual patches are available much sooner than actual software patches. Within days after disclosure of a vulnerability, a virtual patch can become active, whereas an application manufacturer might take weeks to months to modify and test the software.

Under most circumstances, industrial network traffic is predictable both in volume and in the nature of what communicates with what. Changes in that traffic may indicate an intrusion. Courtesy: Honeywell

Using a virtual patching technique, maintenance organizations can reduce the change frequency in a DCS, typically driven by the monthly distribution of the Microsoft security patches, and remain protected against network-based attacks.

The process is designed to place a shield around the control network that checks for attempts to exploit known vulnerabilities and offers good protection against so-called “zero-day attacks” not identified by protection mechanisms such as anti-virus software. A vulnerability filter is not directly affected by changes in malware signatures, since it filters the exploit of a specific vulnerability rather than matching a particular signature.

The benefits of shielding are two-fold. Not only does it offer protection against network-based attacks or denial-of-service attacks, but it also stops the propagation of malware over the network. Malware—both viruses and network worms—often attempts to propagate to another node, frequently using the network. Virtual patching can stop this propagation effectively without having to physically disconnect a network segment, which would have a much greater impact.

Virtual patching in practice

Virtual patching filters the traffic between two points, using vulnerability filters which are designed to detect and block traffic that violates application protocols. These vulnerability filters behave like a network-based virtual software patch to protect downstream hosts from network-based attacks on unpatched vulnerabilities. The vulnerability filters are created as soon as new vulnerabilities are discovered to preempt any attacks. Specifically, this approach is used to shield the control network from traffic coming from Level 3 or above, or traffic flowing between communities. Various filters help redirect traffic to ensure smooth movement through the network while also ensuring security. Other filters monitor traffic levels to detect unusual spikes that may indicate a threat.

Of particular importance is the technique’s ability to rate-shape traffic flows based on application types, protocols, or IP addresses. Protocol anomaly filters run simultaneously via the threat suppression engine to detect out-of-spec network traffic. The filters detect conditions that are both necessary for an attack's success and guaranteed never to occur in normal traffic. They can detect multiple attacks without false negatives or false positives.

The vulnerability filters are reinforced by threshold filters, which establish a baseline of normal traffic levels by monitoring network traffic for a specified number of hours or days. These filters are configured to take specified actions when the traffic rises above or drops below a threshold.

Vulnerability filters can shield the control network from traffic coming from Level 3 or above, or traffic flowing between communities. Courtesy: Honeywell

The Nachi worm, for example, has the potential to cripple network performance by flooding the network with ICMP traffic, which could create excessive load on a router or host. Virtual patching would limit the traffic on the Level 3 network toward the Level 2 control network and keep CPU utilization at normal, stable levels to prevent system downtime. Thresholding filters enable security policy implementation based on the number of bytes in a particular stream, as well as connections and packets from particular hosts within user-defined time frames, from per minute to per month.
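As an added illustration of the threshold filter described above (example code written for this article, not Honeywell's implementation), the following Python learns a per-host ICMP baseline over a learning period and then flags a Nachi-style flood from Level 3 toward Level 2; the host addresses, packet counts and the 10x multiplier are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean

# Constructed flow records (minute, src_ip, proto, packets); not real traffic.
# Level 3 hosts 10.3.0.x sending ICMP toward the Level 2 control network.
BASELINE = [(m, "10.3.0.11", "ICMP", 4 + m % 3) for m in range(60)] + \
           [(m, "10.3.0.12", "ICMP", 2 + m % 2) for m in range(60)]
# Observed window: .12 stays normal, .11 starts a Nachi-style ICMP flood,
# and .99 is a host never seen during the learning period.
OBSERVED = [
    (60, "10.3.0.11", "ICMP", 900), (61, "10.3.0.11", "ICMP", 1200),
    (60, "10.3.0.12", "ICMP", 3),   (61, "10.3.0.12", "ICMP", 2),
    (60, "10.3.0.99", "ICMP", 1),
]

@dataclass
class ThresholdFilter:
    multiplier: float = 10.0      # breach when a flow exceeds 10x its baseline (assumed)
    window_minutes: int = 1       # article allows per minute .. per month; 1-minute bins here
    baseline: dict = field(default_factory=dict)

    @staticmethod
    def _bin(records, window):
        """Sum packets per (src, proto, time bin)."""
        per_bin = defaultdict(int)
        for minute, src, proto, pkts in records:
            per_bin[(src, proto, minute // window)] += pkts
        return per_bin

    def learn_baseline(self, records):
        """Average packets per window for each (src, proto) over the learning period."""
        samples = defaultdict(list)
        for (src, proto, _), pkts in self._bin(records, self.window_minutes).items():
            samples[(src, proto)].append(pkts)
        self.baseline = {k: mean(v) for k, v in samples.items()}
        return self.baseline

    def evaluate(self, records):
        """Map each breaching (src, proto, bin) to the action the policy would take."""
        actions = {}
        for (src, proto, b), pkts in self._bin(records, self.window_minutes).items():
            base = self.baseline.get((src, proto))
            if base is None:
                actions[(src, proto, b)] = "alert: no baseline for this flow"
            elif pkts > base * self.multiplier:
                actions[(src, proto, b)] = f"rate-limit {src} {proto} to {base:g} pkt/window"
        return actions
```

A flow with no learned baseline only raises an alert rather than a rate limit, so a newly commissioned station is not throttled before an operator has reviewed it.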

Moving forward

Plants today are faced with novel threats that must be met with dwindling resources, and protecting themselves from outside attacks is a priority that requires significant investment in terms of time and attention. Determining when and how to patch is a critical decision that should not be taken lightly.

However, by deploying virtual patching, industrial operations can ensure increased protection against the risks of zero-day attacks and can significantly reduce the impact of a malware infection. By reducing the rate of change induced by security patches for the shielded control networks, plants can provide increased reliability while improving security posture. Furthermore, facilities can improve the patch management process by having more control over the moment of security patch installation and, consequently, achieve significant cost savings.

Mike Spear is global operations manager, industrial IT solutions for Honeywell.

Key concepts:

  • Patching your industrial networks is necessary, but keeping current can be a challenge.
  • Virtual patching can provide the same protection as a real patch, but can be implemented more quickly and without some of the risks involved with regular patches.
