Patching over software problems

Just as you would want to patch over a hole in your pants, you might find holes in your software that could be just as problematic and leave you with serious cyber security vulnerabilities. Patch those holes before something tears wide open.

10/19/2011


The number of cyber attacks on industrial control systems has been increasing and the activity is visible on a global scale by site, manufacturer, and even by actual control system specific parameters. Many of those attacks are possible because of vulnerabilities in operating systems and applications, which need to be fixed using software patches. Having a sound patch management program in place will greatly reduce your risk and make you a hard target to a would-be attacker. 

That sounds good, but what does it mean? What exactly is patching? According to dictionary.com, patch, in verb form means to mend, cover, or strengthen with or as if with a patch or patches. It’s also a noun, meaning a piece of material used to cover or protect a wound, an injured part, etc.

In the industrial world

In control system terminology, patching indicates the process required to address a known weakness in a platform with the ability to have patches or software fixes applied. Platforms include operator interfaces, human machine interfaces (HMIs), computers, networking devices, and associated software loaded on these platforms. 

Patches are typically electronic files with updated configuration information or executable processes that, when applied, correct a given weakness in the affected system. Patches are critical to the protection and security of a system and should be applied as soon as possible for many reasons. As stated above, patches address known weaknesses in a system. This should be disturbing to you as an industrial control system specialist as you do not want your weaknesses to be known. But the inherent nature of patching requires most software and hardware manufacturers to notify the public first, that there is a problem with their system or software and secondly, how to address or fix the weakness.

Since the public is informed through various means of publications including Microsoft operating system updates and antivirus definition updates that immunize systems from viruses, the bad guys have a freely available method to learn of your weaknesses. Without a proven manageable process to validate and apply patches to your systems in frequent intervals, you are exposed and at risk of having your weaknesses exploited by hackers, disgruntled employees, or worse – terrorists.

What is patch management?

Patch management is a methodical process that includes documentation, validation, backup and recovery, and a step-by-step tiered approach to the application of change on your critical systems. The core of effective patch management is the actual validation of the change to ensure the updated patches or security enhancements do not disrupt the functionality of your system. Validation should be performed in a lab or non-production environment on equipment and software that is representative of your production environment. Without this validation, you may apply patches that change security parameters of your system that could stop communication between your devices.

Upon effective validation, prior to application of patches to the actual production equipment, a sound backup and recovery or disaster recovery plan should be in place to backup your device information and configuration. As discussed, patches actually change your system or software from its original state. If the patch causes problems, you would want to restore to your previous state immediately to resume operation.

To apply patches to your production system, a strategy identifying the order that patches will be applied should be identified and documented to repeat as new patches are released. From your population, identify an early adopter or first unit that you can take off-line for the time it takes to apply the patch. Then monitor for a period of time before rolling patches out on the remainder of your devices. By taking this tiered approach – lab validation, early adopter, and remainder of devices – you are greatly reducing the risk of a change or patch causing disruption to your overall system. Any issues may be identified prior to the application of patches in a very controlled, documented, and repeatable manner.

Patching your critical industrial control systems involves the collection of known fixes or patches, validation of these changes prior to application to your system, and then methodical application of patches in a controlled manner. The more frequently you repeat this process, the more up-to-date and less vulnerable your system will be to attack. FoxGuard Solutions specializes in the process of validating changes to industrial control system devices that have patching capability. We can work with your team to identify a strategy that meets your needs while making your critical system less vulnerable to attack.

Mark Trump is the security program manager for FoxGuard Solutions.

www.foxguardsolutions.com

Safety and security channel includes information on cyber security.

http://www.controleng.com/channels/plant-safety-and-security.html



No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Save energy with automation; Process control system upgrades; Dispelling controll myths; Time-sensitive networking; Control system integration; Road to IANA
Additive manufacturing advancements; Machine vision enhances robotics; Fieldbus evolution; Process safety; Advice from System Integrators of the Year; Road to IANA
Salary and career survey: Benchmarks and advice; Designing controls; Remote data collection, historians; Control valve advances; Hannover Messe; Control Engineering International
This article collection contains several articles on the Industrial Internet of Things (IIoT) and how it is transforming manufacturing.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

The digital oilfield: Utilizing Big Data can yield big savings; Virtualization a real solution; Tracking SIS performance
Getting to the bottom of subsea repairs: Older pipelines need more attention, and operators need a repair strategy; OTC preview; Offshore production difficult - and crucial
Digital oilfields: Integrated HMI/SCADA systems enable smarter data acquisition; Real-world impact of simulation; Electric actuator technology prospers in production fields

(copy 5)

click me