When updating your computer security, why patch?

Why should you be concerned about applying security patches to the computers in your manufacturing zone? Simply put, because no buffer zone provides a perfect security solution for your automation system. The reality is that in order to operate your manufacturing plant, data and people need to move between enterprise and manufacturing zones.


Why should you be concerned about applying security patches to the computers in your manufacturing zone? Simply put, because no buffer zone provides a perfect security solution for your automation system. The reality is that in order to operate your manufacturing plant, data and people need to move between enterprise and manufacturing zones. With this movement comes the possible transport of viruses, worms or other undesirable payloads. These undesirables can negatively impact the operation your manufacturing systems.

While the installation of a buffer zone in a manufacturing environment provides an excellent barrier to block direct attacks from the outside, no buffer zone provides a perfect security solution for your automation system. This is why you patch.

Be defensive

A buffer zone that forces all traffic to originate or terminate within it makes it very difficult for an attacker to communicate directly with your manufacturing zone. However, as intruder software becomes more sophisticated, more “Trojan horse” attacks take place where attackers gain a foothold in the enterprise network, and then gain access to a resource communicating with a computer in the buffer zone. From there, the attackers take control of a computer inside the manufacturing zone.

Many successful exploits could have been prevented with existing patches. In many cases, patches for the vulnerability existed more than six months before the attack occurred. For this reason, it is essential to keep computers in the manufacturing and enterprise zones up to date %%MDASSML%% the simplest, most effective security mitigation strategy. It also is essential to develop an elaborate and rigorous process for managing patches.

Nevertheless, patching computers in the manufacturing zone poses its challenges, especially with regard to downtime. Ironically, more manufacturing downtime results from poor or missing patch management processes than was caused by the exploitation of the vulnerability being patched. This is the primary reason why disabling automatic patch updates is considered a best practice in the manufacturing zone.

Minimize downtime

Installation should be scheduled for a time when the potential for lost production is minimal, and it should always be done by personnel who are trained on the equipment and process so that recovery from a failure can be handled as quickly as possible. It is crucial to have a backup image of all software loaded on all critical systems and a disaster recovery plan to back out any updates made to return the facility to an operational state quickly.

In most cases, downtime can be averted with well-designed patch management. A well-designed patch management process includes the following important steps:

1. Assess and create an inventory of all managed and unmanaged assets, including equipment, processes, security policies and assigned personnel. This step helps you understand what you have in place, where your risks might be, and who is qualified to help.

2. Identify whether updates are available for your installed application software or operation system, and if they are relevant to your production systems.

3. Evaluate each software update against a well-defined process to determine its business value versus the risk of deployment. The benefits to the business can include lowering the risk associated with a known security threat, increasing productivity, increasing reliability and better product quality. Then test it to be sure it works in your system.

4. Manually deploy the verified software update. The first part of this step is to communicate to users and administrators in advance about the pending update, allowing everyone to be prepared in the event of an unexpected consequence resulting from the installation. The second part of this step is the distribution of the updates to the impacted computers.

The convergence of manufacturing and enterprise networks provides greater access to manufacturing data, creating greater agility in making business decisions. At the same time, it also brings challenges and exposes manufacturing assets to the security threats that were traditionally found only in enterprise. The increased exposure resulting from this convergence means that now, more than ever, computers used in manufacturing need to be treated with the same level of security update rigor as those used in the enterprise.


Author Information

Michael Bush has been the manager of FactoryTalk Services at Rockwell Automation since Oct. 2004. Bush is a recognized speaker, presenter and author in the area of automation security.

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
Each year, a panel of Control Engineering editors and industry expert judges select the System Integrator of the Year Award winners.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Learn how to create value with re-use; gain productivity with lean automation and connectivity, and optimize panel design and construction.
Go deep: Automation tackles offshore oil challenges; Ethernet advice; Wireless robotics; Product exclusives; Digital edition exclusives
Lost in the gray scale? How to get effective HMIs; Best practices: Integrate old and new wireless systems; Smart software, networks; Service provider certifications
Fixing PID: Part 2: Tweaking controller strategy; Machine safety networks; Salary survey and career advice; Smart I/O architecture; Product exclusives
The Ask Control Engineering blog covers all aspects of automation, including motors, drives, sensors, motion control, machine control, and embedded systems.
Look at the basics of industrial wireless technologies, wireless concepts, wireless standards, and wireless best practices with Daniel E. Capano of Diversified Technical Services Inc.
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
This is a blog from the trenches – written by engineers who are implementing and upgrading control systems every day across every industry.
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Control Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.