Patching over software problems
The number of cyber attacks on industrial control systems has been increasing and the activity is visible on a global scale by site, manufacturer, and even by actual control system specific parameters. Many of those attacks are possible because of vulnerabilities in operating systems and applications, which need to be fixed using software patches. Having a sound patch management program in place will greatly reduce your risk and make you a hard target to a would-be attacker.
That sounds good, but what does it mean? What exactly is patching? According to dictionary.com, patch, in verb form means to mend, cover, or strengthen with or as if with a patch or patches. It’s also a noun, meaning a piece of material used to cover or protect a wound, an injured part, etc.
In the industrial world
In control system terminology, patching indicates the process required to address a known weakness in a platform with the ability to have patches or software fixes applied. Platforms include operator interfaces, human machine interfaces (HMIs), computers, networking devices, and associated software loaded on these platforms.
Patches are typically electronic files with updated configuration information or executable processes that, when applied, correct a given weakness in the affected system. Patches are critical to the protection and security of a system and should be applied as soon as possible for many reasons. As stated above, patches address known weaknesses in a system. This should be disturbing to you as an industrial control system specialist as you do not want your weaknesses to be known. But the inherent nature of patching requires most software and hardware manufacturers to notify the public first, that there is a problem with their system or software and secondly, how to address or fix the weakness.
Since the public is informed through various means of publications including Microsoft operating system updates and antivirus definition updates that immunize systems from viruses, the bad guys have a freely available method to learn of your weaknesses. Without a proven manageable process to validate and apply patches to your systems in frequent intervals, you are exposed and at risk of having your weaknesses exploited by hackers, disgruntled employees, or worse – terrorists.
What is patch management?
Patch management is a methodical process that includes documentation, validation, backup and recovery, and a step-by-step tiered approach to the application of change on your critical systems. The core of effective patch management is the actual validation of the change to ensure the updated patches or security enhancements do not disrupt the functionality of your system. Validation should be performed in a lab or non-production environment on equipment and software that is representative of your production environment. Without this validation, you may apply patches that change security parameters of your system that could stop communication between your devices.
Upon effective validation, prior to application of patches to the actual production equipment, a sound backup and recovery or disaster recovery plan should be in place to backup your device information and configuration. As discussed, patches actually change your system or software from its original state. If the patch causes problems, you would want to restore to your previous state immediately to resume operation.
To apply patches to your production system, a strategy identifying the order that patches will be applied should be identified and documented to repeat as new patches are released. From your population, identify an early adopter or first unit that you can take off-line for the time it takes to apply the patch. Then monitor for a period of time before rolling patches out on the remainder of your devices. By taking this tiered approach – lab validation, early adopter, and remainder of devices – you are greatly reducing the risk of a change or patch causing disruption to your overall system. Any issues may be identified prior to the application of patches in a very controlled, documented, and repeatable manner.
Patching your critical industrial control systems involves the collection of known fixes or patches, validation of these changes prior to application to your system, and then methodical application of patches in a controlled manner. The more frequently you repeat this process, the more up-to-date and less vulnerable your system will be to attack. FoxGuard Solutions specializes in the process of validating changes to industrial control system devices that have patching capability. We can work with your team to identify a strategy that meets your needs while making your critical system less vulnerable to attack.
Mark Trump is the security program manager for FoxGuard Solutions.
Safety and security channel includes information on cyber security.