'DONA' forget about security

There are some headlines that every manufacturing IT professional should dread. A recent one was the late October announcement that Microsoft was releasing an out-of-band security patch. This patch fixes a problem that allows remote code execution if a Microsoft Windows 2000, Windows XP, or Windows Server 2003 system receive a specially crafted RFC request and can be exploited in an internet/in...

12/01/2008


There are some headlines that every manufacturing IT professional should dread. A recent one was the late October announcement that Microsoft was releasing an out-of-band security patch. This patch fixes a problem that allows remote code execution if a Microsoft Windows 2000, Windows XP, or Windows Server 2003 system receive a specially crafted RFC request and can be exploited in an internet/intranet worm attack. Even months after this announcement, many manufacturing IT systems are undoubtedly still vulnerable.

Patching control systems is a problem, and the Department of Homeland Security is working on recommended practices for control system patch management. This report will address the special concerns of control systems, such as a 99.999% or greater uptime requirement, and potentially thousands of systems requiring near simultaneous patches. The report assumes that each company, and possibly each site within a company, has resources assigned to monitoring for patches, testing patches, and coordinating patch installs. Many sites handle routine patches through a scheduled update process run by the application owners. This method, however, does not always cover the infrastructure parts of manufacturing IT systems.

You can use the acronym “DONA” to remember the four main elements that must be considered in patch management: Databases, Operating systems, Networks, and Applications.

Databases are an often overlooked element of patch management. Many control system applications will silently install a database, such as Microsoft SQL Server, MYSQL, PostgreSQL, MSQLDB, or Oracle SQL, and these provide an interpreted query language that is the target for vulnerability attacks. SQL-based worm attacks have been some of the most damaging incidents.

Operating systems are the obvious target for patch management because they receive the most press coverage. Network devices and applications, such as routers and switches, are also the target of attacks and require patch management. Network attacks are particularly nasty, because they can affect an entire company and prevent the normal communication needed to correct a problem.

The final elements to be considered are the control applications. Normally, because of their dedicated purpose and limited network visibility, there are only limited attack targets available for control applications. Some distributed applications, such as historians, material and equipment tracking systems, and KPI (key performance indicator) systems, are designed for open communication and may be require a more proactive approach to patching.

Control applications often include middleware, such as enterprise service busses and message queuing systems. These applications are also designed for open communication and require a proactive approach to patching.

Effective patch management

Effective patch management is based on knowledge of the available patches and vulnerabilities for all DONA elements. The best way to collect that knowledge is through RSS feeds from your suppliers. Most manufacturing applications run on a Microsoft operating system and a manufacturing IT professional in your facility should be receiving security bulletins from www.microsoft.com/technet/security/bulletin .

Similar feeds are available for Oracle databases, applications, and middleware at www.oracle.com/rss , and for Cisco's network infrastructure at tools.cisco.com/security/center . Check, too, with your control system vendors to see if they provide RSS feeds for security problems and patches.

Once you know about a problem, your organization should have a process in place to handle urgent patches in any of the DONA elements. “Urgent patches” are those that are required to address problems with 1) no other defense or work around, 2) where there is external access and exposure, and 3) where there is a public exploit available.

Other resources to help your patch management processes are the US-CERT web site ( www.us-cert.gov/control_systems/ ), which has information and reporting methods for control system security incidents, and Carnegie Mellon University's security response site at www.cert.org/csirts/resources.html .


Author Information

Dennis Brandl is president of BR&L Consulting in Cary, NC, dbrandl@brlconsulting.com .




No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Integrated mobility; Artificial intelligence; Predictive motion control; Sensors and control system inputs; Asset Management; Cybersecurity
Big Data and IIoT value; Monitoring Big Data; Robotics safety standards and programming; Learning about PID
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Big Data and bigger solutions; Tablet technologies; SCADA developments
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me