Proactive Patch Management

June 1, 2006
In order to reduce security risks, many plants are deploying proactive approaches to software security patch management. The idea is to prevent a security problem before it appears.

Plants are taking two approaches to proactive security. For one, they’re creating a wall, or demilitarized zone (DMZ) between the company’s business system and the plant system (see chart at right). The business end of the information technology (IT) world is much more vulnerable than the plant side. For example, the plant control system doesn’t have e-mail, which is one common way that viruses and other malicious programs can enter a system. Secondly, control vendors are working to identify vulnerabilities in software before those vulnerabilities are discovered by bad guys.

A secondary DMZ blocks viruses that can enter the business system through e-mail, and then migrate across the enterprise. “Major accounts are deploying a secondary DMZ between the business system and the factory,” says Mike Bush, program manager at controls vendor Rockwell Automation Inc., in Milwaukee. “You have a wall between the business and the outside world, but you also have a wall between the business and the plant. The second DMZ won’t allow a connection to the Internet.”

To further cut the business system from the plant system, some plants are putting the upgrade server inside the secondary DMZ. “We also recommend that plants put their upgrade server in a demilitarized zone between the business systems and the control system,” says Kevin Stagg, engineering fellow for cyber security at automation vendor Honeywell Process Solutions, in Phoenix.

“The frequency of patches is definitely increasing, and so is the risk of losing production,” says Rashesh Mody, chief technology officer at software supplier Wonderware, an Invensys Systems Inc. company based in Lake Forest, Calif. “People want to do the patches without interrupting production.”

One version of proactive security is the effort to detect and patch system vulnerabilities before they are detected by the outside world. “Patching is a little like closing the door after the horse got out,” explains Rockwell’s Bush. “We have network and security services and we do vulnerability tests so we can lock the barn before the horse gets out.”

See the main story that goes with this sidebar:Fixing Software On The Fly

Sponsored Recommendations

Why Go Beyond Traditional HMI/SCADA

Traditional HMI/SCADAs are being reinvented with today's growing dependence on mobile technology. Discover how AVEVA is implementing this software into your everyday devices to...

4 Reasons to move to a subscription model for your HMI/SCADA

Software-as-a-service (SaaS) gives you the technical and financial ability to respond to the changing market and provides efficient control across your entire enterprise—not just...

Is your HMI stuck in the stone age?

What happens when you adopt modern HMI solutions? Learn more about the future of operations control with these six modern HMI must-haves to help you turbocharge operator efficiency...