Enhancing Cybersecurity via Patch Management

The last decade has seen a widening gap between how traditional, IT-oriented patch management works and how it needs to be approached in manufacturing environments.

Marty Van Der Sloot, Interstates Control Systems Inc.
Marty Van Der Sloot, Interstates Control Systems Inc.

If you’re still on the fence about the importance of cybersecurity in manufacturing, consider these recent statistics: In 2015, 46 percent of cybersecurity victims were in the manufacturing industry, with the technology industry being hit second hardest at 19 percent. The average dwell time from infection to detection in manufacturing is 314 days. Response time from detection to eviction is, on average, 28 days.

Given this reality, end users should not underestimate their vulnerability when it comes to patch management and system and information integrity. Keeping up with patches can be overwhelming, but implementing a successful patch management solution can prevent attacks and help maintain normal operations.

A common challenge at industrial network sites is not being able to test patches before deploying them to the production environment. Too often, production environments do not have downtime windows to reboot a server or workstation to apply a patch. Many of these environments are also managed by non-technical service technicians focused on the electrical and mechanical needs of the facility. These technicians often lack the knowledge and expertise of what issues a patch might create as well as how to back out of an installation. The benefits to end users from using the services of personnel trained in industrial IT to properly test and apply vendor-approved patches include: fewer issues with compatibility and access to expertise in the software and communication needs of the systems to properly test, deploy, and validate the patch service.

In corporate IT, most systems are similar and/or cloned to be the same. This makes it easy and predictable to deploy basic patches through normal IT services. As a result, there is usually no testing done and all systems get all patches. In the industrial IT space, however, sites may have many different software packages as well as numerous versions of the same package. This can require a patch solution to not only recognize the vendor brand but also the version it is running. Look for a patch management solution that covers both of these scenarios. An effective solution should check the vendor and version to reference an approved patch baseline from the system to present and apply when the operator has a downtime opportunity. This also allows integrators to look at compliance of applied patches based off the approved patches from these vendors.

A smart move is to find an integrator offering a managed solution and taking into account the specific needs of the plant floor in managing the release of patches in a controlled way.

As you review your patch management options, consider these points:

* Actively patch every system on your plant network from a single application;
* Ensure your HMI applications stay supported by installing only approved updates and patches;
* Generate reports to prove compliance and record keeping;
* Deploy vendor updates with customized patches;
* Secure your plant systems uniformly by applying baseline settings;
* Automate shutdowns for scheduled maintenance and power work;
* Quickly inventory installed software across your entire network; and
* Allow for on-demand installation of applications.

In our experience, the last decade has seen a widening in the gap between how traditional patching works versus how it needs to be approached in manufacturing. The challenges this gap has created apply not only to how systems are patched, but also in providing solutions for using outdated operating systems like Windows XP and NT. For the best protection, seek out an integrator that can provide industrial IT services for managing Windows servers and workstations, network firewalls and switches, virtualization hardware and software, and cybersecurity assessments in compliance with ISA and NIST.

To learn more about Interstates’ Enhanced Vulnerability Protection, contact mit@interstates.com.

Marty Van Der Sloot is MIT division manager at Interstates Control Systems Inc., a Certified member of the Control System Integrators Association. See Interstates’ profile on the Industrial Automation Exchange.

More in Home