Patching over software problems

Just as you would want to patch over a hole in your pants, you might find holes in your software that could be just as problematic and leave you with serious cyber security vulnerabilities. Patch those holes before something tears wide open.

10/19/2011


The number of cyber attacks on industrial control systems has been increasing and the activity is visible on a global scale by site, manufacturer, and even by actual control system specific parameters. Many of those attacks are possible because of vulnerabilities in operating systems and applications, which need to be fixed using software patches. Having a sound patch management program in place will greatly reduce your risk and make you a hard target to a would-be attacker. 

That sounds good, but what does it mean? What exactly is patching? According to dictionary.com, patch, in verb form means to mend, cover, or strengthen with or as if with a patch or patches. It’s also a noun, meaning a piece of material used to cover or protect a wound, an injured part, etc.

In the industrial world

In control system terminology, patching indicates the process required to address a known weakness in a platform with the ability to have patches or software fixes applied. Platforms include operator interfaces, human machine interfaces (HMIs), computers, networking devices, and associated software loaded on these platforms. 

Patches are typically electronic files with updated configuration information or executable processes that, when applied, correct a given weakness in the affected system. Patches are critical to the protection and security of a system and should be applied as soon as possible for many reasons. As stated above, patches address known weaknesses in a system. This should be disturbing to you as an industrial control system specialist as you do not want your weaknesses to be known. But the inherent nature of patching requires most software and hardware manufacturers to notify the public first, that there is a problem with their system or software and secondly, how to address or fix the weakness.

Since the public is informed through various means of publications including Microsoft operating system updates and antivirus definition updates that immunize systems from viruses, the bad guys have a freely available method to learn of your weaknesses. Without a proven manageable process to validate and apply patches to your systems in frequent intervals, you are exposed and at risk of having your weaknesses exploited by hackers, disgruntled employees, or worse – terrorists.

What is patch management?

Patch management is a methodical process that includes documentation, validation, backup and recovery, and a step-by-step tiered approach to the application of change on your critical systems. The core of effective patch management is the actual validation of the change to ensure the updated patches or security enhancements do not disrupt the functionality of your system. Validation should be performed in a lab or non-production environment on equipment and software that is representative of your production environment. Without this validation, you may apply patches that change security parameters of your system that could stop communication between your devices.

Upon effective validation, prior to application of patches to the actual production equipment, a sound backup and recovery or disaster recovery plan should be in place to backup your device information and configuration. As discussed, patches actually change your system or software from its original state. If the patch causes problems, you would want to restore to your previous state immediately to resume operation.

To apply patches to your production system, a strategy identifying the order that patches will be applied should be identified and documented to repeat as new patches are released. From your population, identify an early adopter or first unit that you can take off-line for the time it takes to apply the patch. Then monitor for a period of time before rolling patches out on the remainder of your devices. By taking this tiered approach – lab validation, early adopter, and remainder of devices – you are greatly reducing the risk of a change or patch causing disruption to your overall system. Any issues may be identified prior to the application of patches in a very controlled, documented, and repeatable manner.

Patching your critical industrial control systems involves the collection of known fixes or patches, validation of these changes prior to application to your system, and then methodical application of patches in a controlled manner. The more frequently you repeat this process, the more up-to-date and less vulnerable your system will be to attack. FoxGuard Solutions specializes in the process of validating changes to industrial control system devices that have patching capability. We can work with your team to identify a strategy that meets your needs while making your critical system less vulnerable to attack.

Mark Trump is the security program manager for FoxGuard Solutions.

www.foxguardsolutions.com

Safety and security channel includes information on cyber security.

http://www.controleng.com/channels/plant-safety-and-security.html



The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Robotic integration and cloud connections; SCADA and cybersecurity; Motor efficiency standards; Open- and closed-loop control; Augmented reality
Controller programming; Safety networks; Enclosure design; Power quality; Safety integrity levels; Increasing process efficiency
Additive manufacturing benefits; HMI and sensor tips; System integrator advice; Innovations from the industry
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me