When updating your computer security, why patch?

Why should you be concerned about applying security patches to the computers in your manufacturing zone? Simply put, because no buffer zone provides a perfect security solution for your automation system. The reality is that in order to operate your manufacturing plant, data and people need to move between enterprise and manufacturing zones.

01/01/2010


Why should you be concerned about applying security patches to the computers in your manufacturing zone? Simply put, because no buffer zone provides a perfect security solution for your automation system. The reality is that in order to operate your manufacturing plant, data and people need to move between enterprise and manufacturing zones. With this movement comes the possible transport of viruses, worms or other undesirable payloads. These undesirables can negatively impact the operation your manufacturing systems.

While the installation of a buffer zone in a manufacturing environment provides an excellent barrier to block direct attacks from the outside, no buffer zone provides a perfect security solution for your automation system. This is why you patch.

Be defensive

A buffer zone that forces all traffic to originate or terminate within it makes it very difficult for an attacker to communicate directly with your manufacturing zone. However, as intruder software becomes more sophisticated, more “Trojan horse” attacks take place where attackers gain a foothold in the enterprise network, and then gain access to a resource communicating with a computer in the buffer zone. From there, the attackers take control of a computer inside the manufacturing zone.

Many successful exploits could have been prevented with existing patches. In many cases, patches for the vulnerability existed more than six months before the attack occurred. For this reason, it is essential to keep computers in the manufacturing and enterprise zones up to date %%MDASSML%% the simplest, most effective security mitigation strategy. It also is essential to develop an elaborate and rigorous process for managing patches.

Nevertheless, patching computers in the manufacturing zone poses its challenges, especially with regard to downtime. Ironically, more manufacturing downtime results from poor or missing patch management processes than was caused by the exploitation of the vulnerability being patched. This is the primary reason why disabling automatic patch updates is considered a best practice in the manufacturing zone.

Minimize downtime

Installation should be scheduled for a time when the potential for lost production is minimal, and it should always be done by personnel who are trained on the equipment and process so that recovery from a failure can be handled as quickly as possible. It is crucial to have a backup image of all software loaded on all critical systems and a disaster recovery plan to back out any updates made to return the facility to an operational state quickly.

In most cases, downtime can be averted with well-designed patch management. A well-designed patch management process includes the following important steps:

1. Assess and create an inventory of all managed and unmanaged assets, including equipment, processes, security policies and assigned personnel. This step helps you understand what you have in place, where your risks might be, and who is qualified to help.

2. Identify whether updates are available for your installed application software or operation system, and if they are relevant to your production systems.

3. Evaluate each software update against a well-defined process to determine its business value versus the risk of deployment. The benefits to the business can include lowering the risk associated with a known security threat, increasing productivity, increasing reliability and better product quality. Then test it to be sure it works in your system.

4. Manually deploy the verified software update. The first part of this step is to communicate to users and administrators in advance about the pending update, allowing everyone to be prepared in the event of an unexpected consequence resulting from the installation. The second part of this step is the distribution of the updates to the impacted computers.

The convergence of manufacturing and enterprise networks provides greater access to manufacturing data, creating greater agility in making business decisions. At the same time, it also brings challenges and exposes manufacturing assets to the security threats that were traditionally found only in enterprise. The increased exposure resulting from this convergence means that now, more than ever, computers used in manufacturing need to be treated with the same level of security update rigor as those used in the enterprise.

 


Author Information

Michael Bush has been the manager of FactoryTalk Services at Rockwell Automation since Oct. 2004. Bush is a recognized speaker, presenter and author in the area of automation security.




No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Intelligent, efficient PLC programming: Cost-saving programming languages are available now; Automation system upgrades; Help from the cloud; Improving flow control; System integration tips
Smarter machines require smarter systems; Fixing PID, part 3; Process safety; Hardware and software integration; Legalities: Integrated lean project delivery
Choosing controllers: PLCs, PACs, IPCs, DCS? What's best for your application?; Wireless trends; Design, integration; Manufacturing Day; Product Exclusive
PLCs, robots, and the quest for a single controller; how OEE is key to automation solutions.
This article collection contains several articles on improving the use of PID.
Learn how Industry 4.0 adds supply chain efficiency, optimizes pricing, improves quality, and more.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Special report: U.S. natural gas; LNG transport technologies evolve to meet market demand; Understanding new methane regulations; Predictive maintenance for gas pipeline compressors
Cyber security cost-efficient for industrial control systems; Extracting full value from operational data; Managing cyber security risks
Drilling for Big Data: Managing the flow of information; Big data drilldown series: Challenge and opportunity; OT to IT: Creating a circle of improvement; Industry loses best workers, again