Virtual patching for process control systems

Increase protection from software vulnerabilities sooner while allowing more control of your industrial network maintenance.
By Mike Spear November 20, 2012

In today’s industrial organizations, patching process control system software to remove security vulnerabilities is a regular, ongoing activity that is fraught with risk. Significant issues, such as a software regression, can be the result of installing a patch. At the same time, there is a potential for the system to become compromised if a patch has not been applied.

The calculation of whether to patch or not is governed by the trade-off between the risk of installing a defective patch versus the risk of a penetration, which pits two equally important objectives against one another. Patching a critical system may “break it”—but failing to do so could leave it open to a security vulnerability.

Vulnerability filters serve as a virtual patch to provide security for the unpatched systems, allowing better alignment of the patch process with production requirements. Courtesy: Honeywell

In addition to the security risk trade-off, there is a more pragmatic trade-off in the use of resources. Whether carried out automatically or manually, patching consumes staff time and money, and that utilization and cost must be factored into decisions about how often to patch.

An innovative technique known as virtual patching, however, allows industrial organizations to improve the patch process while raising a system’s security posture. Components like vulnerability filters provide security for the unpatched systems, allowing better alignment of the patch process with production requirements.

Today’s security risks

In manufacturing plants and other industrial facilities, the advent of open control system architectures and standard protocols has been a mixed blessing for enterprises. On one hand, the evolution from isolated proprietary applications to open technology has expanded process and business information availability. On the other hand, open technology has exposed the manufacturing enterprise to a variety of electronic threats. With the further integration of manufacturing assets to enterprise resource planning systems, the risks become even greater.

The increased vulnerability of the enterprise resulting from open architectures, coupled with increasing numbers of malware attacks, has made cyber security a major concern for manufacturers around the world. Accidental or malicious attacks can cause significant risk to the health and safety of personnel, production, and corporate reputation, to name only a few.

In order to minimize risks to plant automation and information systems, it is important to implement a defense-in-depth strategy that incorporates multiple layers of protection. One such layer is the hardening of servers and stations.

Implementing patches in a process control network is a time-consuming exercise which, although it increases the resilience of the control system equipment against malware attacks, also introduces an increased risk of failure during the patch installation process. Installing a software patch typically requires:

  • Coordination with the process operations staff to determine the appropriate time slot for patching
  • Actual installation of the patch
  • Swapping primary and secondary server functions to allow patching on the secondary server, and
  • Rebooting equipment to activate the modified software.

Together, these factors result in an average patch processing time of between one and two hours per server or station. The exercise soon becomes costly, since security patches are normally issued monthly and the release cycles of different manufacturers do not necessarily align. While waiting for these elements to align, the vulnerability is public but the system is not patched, so there is an increased risk of a successful exploit, which in the majority of cases means infection by a network worm.

Virtual patching techniques

Virtual patching, unlike traditional patching, protects the system without touching the application, its libraries, or the operating system. Additionally, virtual patches are available much sooner than actual software patches. Within days after disclosure of a vulnerability, a virtual patch can become active, whereas an application manufacturer might take weeks to months to modify and test the software.

Under most circumstances, industrial network traffic is predictable both in volume and in the nature of what communicates with what. Changes in that traffic may indicate an intrusion. Courtesy: Honeywell

Using a virtual patching technique, maintenance organizations can reduce the change frequency in a DCS, typically driven by the monthly distribution of the Microsoft security patches, and remain protected against network-based attacks.

The process is designed to place a shield around the control network that checks for the activity of known vulnerabilities and offers good protection against so-called “zero-day attacks” not identified by signature-based protection mechanisms such as anti-virus software. A vulnerability filter is not directly affected by such signature changes, since it filters the exploit of a specific vulnerability rather than matching a particular malware signature.

The benefits of shielding are two-fold. Not only does it offer protection against network-based attacks or denial-of-service attacks, but it also stops the propagation of malware over the network. Malware—both viruses and network worms—often attempts to propagate to another node, frequently using the network. Virtual patching can stop this propagation effectively without having to physically disconnect a network segment, which would have a much greater impact.

Virtual patching in practice

Virtual patching filters the traffic between two points, using vulnerability filters which are designed to detect and block traffic that violates application protocols. These vulnerability filters behave like a network-based virtual software patch to protect downstream hosts from network-based attacks on unpatched vulnerabilities. The vulnerability filters are created as soon as new vulnerabilities are discovered to preempt any attacks. Specifically, this approach is used to shield the control network from traffic coming from Level 3 or above, or traffic flowing between communities. Various filters help redirect traffic to ensure smooth movement through the network while also ensuring security. Other filters monitor traffic levels to detect unusual spikes that may indicate a threat.

Of particular importance is the technique’s ability to rate-shape traffic flows based on application types, protocols, or IP addresses. Protocol anomaly filters run simultaneously via the threat suppression engine to detect out-of-spec network traffic. The filters detect conditions that are both necessary for an attack’s success and guaranteed never to occur in normal traffic. They can detect multiple attacks without false negatives or false positives.

The vulnerability filters are reinforced by threshold filters, which establish a baseline of normal traffic levels by monitoring network traffic for a specified number of hours or days. These filters are configured to take specified actions when the traffic rises above or drops below a threshold.

Vulnerability filters can shield the control network from traffic coming from Level 3 or above, or traffic flowing between communities. Courtesy: Honeywell

The Nachi worm, for example, has the potential to cripple network performance by flooding the network with ICMP traffic, which could create excessive load on a router or host. Virtual patching would limit the traffic on the Level 3 network toward the Level 2 control network and keep CPU utilization at normal, stable levels to prevent system downtime. Thresholding filters enable security policy implementation based on the number of bytes in a particular stream, as well as connections and packets from particular hosts over user-defined time frames, from per minute to per month.
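As an added illustration of the threshold filter described above and of the ICMP-flood case (example code written for this article, not Honeywell's product code), the following learns each host's normal ICMP packet rate per minute over a baseline period and then labels live one-minute windows as allow, rate-limit, or alert. The verdict names, the `ThresholdFilter` class and all traffic records are constructed for the example.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed flow records, not captured traffic: (timestamp_s, src_ip, proto).
def window_counts(packets, proto, window, duration, extra_sources=()):
    """Packets per source per fixed window, zero-filled so quiet windows count too."""
    seen = Counter((src, ts - ts % window) for ts, src, p in packets if p == proto)
    sources = {src for src, _ in seen} | set(extra_sources)
    return {src: [seen[(src, w)] for w in range(0, duration, window)] for src in sources}

class ThresholdFilter:
    """Baseline, then act on per-window packet counts for one protocol (hypothetical)."""
    def __init__(self, window=60, sigma=3.0, floor=20, low_fraction=0.1):
        self.window, self.sigma, self.floor, self.low_fraction = window, sigma, floor, low_fraction
        self.baseline = {}  # src -> (mean, stdev) of packets per window

    def learn(self, packets, proto, duration):
        """Monitor traffic for `duration` seconds and record each source's normal level."""
        for src, counts in window_counts(packets, proto, self.window, duration).items():
            self.baseline[src] = (mean(counts), pstdev(counts))

    def verdict(self, src, count):
        if src not in self.baseline:
            return "alert-unknown-source"
        mu, sd = self.baseline[src]
        high = max(self.floor, mu + self.sigma * sd)  # floor avoids tripping on tiny baselines
        if count > high:
            return "rate-limit"      # e.g. an ICMP sweep from a worm-infected node
        if mu >= self.floor and count < mu * self.low_fraction:
            return "alert-low"       # a normally chatty node has gone silent
        return "allow"

    def evaluate(self, packets, proto, duration):
        """Return {(src, window_start): (count, verdict)} for a live interval."""
        counts = window_counts(packets, proto, self.window, duration, self.baseline)
        return {(src, i * self.window): (n, self.verdict(src, n))
                for src, ns in counts.items() for i, n in enumerate(ns)}

def demo():
    """Ten minutes of constructed baseline traffic, then one live minute."""
    training = [(t, "10.1.1.5", "icmp") for t in range(0, 600, 30)]   # 2 pings/min
    training += [(t, "10.1.1.7", "icmp") for t in range(0, 600, 60)]  # 1 ping/min
    training += [(t, "10.1.1.20", "icmp") for t in range(0, 600, 2)]  # 30 pings/min
    training += [(t, "10.1.1.7", "tcp") for t in range(0, 600, 5)]    # other protocols ignored
    f = ThresholdFilter(window=60, sigma=3.0, floor=20)
    f.learn(training, "icmp", duration=600)
    live = [(t, "10.1.1.5", "icmp") for t in range(60)] * 8           # 480 pings in one minute
    live += [(10, "10.1.1.7", "icmp"), (20, "10.1.1.9", "icmp")]       # 10.1.1.20 has gone quiet
    return f.evaluate(live, "icmp", duration=60)
```

The zero-filled windows matter: without them a host that stops talking entirely would never be evaluated, and the low-side threshold the article mentions could not fire.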

Moving forward

Plants today are faced with novel threats that must be met with dwindling resources, and protecting themselves from outside attacks is a priority that requires significant investment in terms of time and attention. Determining when and how to patch is a critical decision that should not be taken lightly.

However, by deploying virtual patching, industrial operations can ensure increased protection against the risks of zero-day attacks and can significantly reduce the impact of a malware infection. By reducing the rate of change induced by security patches for the shielded control networks, plants can provide increased reliability while improving security posture. Furthermore, facilities can improve the patch management process by having more control over the moment of security patch installation and, consequently, achieve significant cost savings.

Mike Spear is global operations manager, industrial IT solutions for Honeywell.

Key concepts:

  • Patching your industrial networks is necessary, but keeping current can be a challenge.
  • Virtual patching can provide the same protection as a real patch, but can be implemented more quickly and without some of the risks involved with regular patches.