
Proactive patching for your network

March 22, 2018
In this installment of Automation Zone, learn how to develop a patch management program to help mitigate cybersecurity threats.

Industrial operations and plants today face an expanding threat landscape. The dangers range from cyber criminals to recently discovered security flaws within nearly all of the world’s computers. And with increased connectivity, these vulnerabilities can open the door to unprecedented and wide-reaching harms.

Fallout from a network security breach could affect everything from machine performance and output to worker safety and environmental protections. Critical infrastructures and vital supplies also could be endangered. Any approach to staving off these threats should include proactive patch management at the infrastructure level.

Patching is notoriously complex, and organizations may shy away from it because of fears around downtime and potential operational impacts. But when a security vulnerability is revealed – as with the recent Meltdown and Spectre flaws – organizations should respond quickly to protect their assets and operations.

When automation vendors release patches, manufacturers and industrial organizations should have patch management processes and policies in place. However, developing and maintaining a patch management program includes many facets and variables. Consider these best practices when developing your program.

About the author: Umair Masud

Umair Masud is a consulting services product manager for Rockwell Automation.

Determine frequency. When developing a patch management schedule, frequency should be dictated by the risk level associated with each vulnerability. Weigh the amount of risk and the severity of the consequences if the vulnerability were exploited. The higher the risk, the sooner a vulnerability should be patched. Also consider the likelihood of the vulnerability being exploited, along with the ease of exploitation. Again, the higher the probability, the sooner it should be patched.

When determining the patching schedule, it’s important to keep automation and infrastructure assets separate from the enterprise assets to avoid overlap. Create a separate grouping that is specifically and explicitly tied to the control system and apply a patch cadence that fits the industrial control requirements. Typically, that means utilizing a separate Microsoft Windows domain or group within the enterprise domain, but the key is to manage them separately.

Lastly, patches should always be scheduled during a downtime or maintenance event so as not to disrupt production schedules. For operations that run 24/7, start by applying patches on a backup system.
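The three steps above (score each vulnerability by consequence, likelihood and ease of exploitation; keep control-system assets in their own group with their own cadence; fit patching into downtime, or onto a backup system for 24/7 operations) can be expressed as a small planner. The following is an added example written for this article, not code from the author or from Rockwell Automation; the risk weighting, the SLA tiers, the vulnerability labels, asset names and maintenance dates are all constructed assumptions, since the article sets no numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: the identifiers, scores and maintenance dates
# below are placeholders chosen for illustration, not real advisories.

@dataclass
class Vulnerability:
    vuln_id: str      # placeholder label, not a real CVE number
    severity: int     # 1..5: consequence if exploited
    likelihood: int   # 1..5: probability the flaw is exploited
    ease: int         # 1..5: how easily it can be exploited

@dataclass
class Asset:
    name: str
    group: str          # "ics" (control-system group) or "enterprise"
    runs_24x7: bool     # continuous operation, no natural downtime
    backup_system: str  # name of the standby/backup system, or "" if none

def risk_score(v):
    # Assumed weighting: consequence scaled by the larger of probability and
    # ease, so an easy-to-exploit flaw is never scored below its likelihood alone.
    return v.severity * max(v.likelihood, v.ease)

def max_days_to_patch(score):
    # Assumed SLA tiers (the article gives none): higher score, sooner patch.
    if score >= 20:
        return 7
    if score >= 12:
        return 30
    if score >= 6:
        return 90
    return 180

def plan_patch(v, asset, today, ics_windows):
    """Decide when, and on which system, the patch for `v` is applied to `asset`.
    Control-system assets are scheduled only into a maintenance window that
    falls before the risk-derived deadline; enterprise assets follow their
    own cadence and are simply due by the deadline."""
    score = risk_score(v)
    deadline = today + timedelta(days=max_days_to_patch(score))
    plan = {"asset": asset.name, "vuln": v.vuln_id, "score": score,
            "deadline": deadline, "target": asset.name}
    if asset.group != "ics":
        plan.update(apply_on=deadline, note="enterprise patch cadence")
        return plan
    windows = sorted(w for w in ics_windows if today <= w <= deadline)
    if windows:
        plan.update(apply_on=windows[0], note="scheduled maintenance window")
    else:
        plan.update(apply_on=deadline,
                    note="no maintenance window before deadline: request an emergency window")
    if asset.runs_24x7:
        if asset.backup_system:
            plan["target"] = asset.backup_system
            plan["note"] += "; apply to backup system first, then fail over"
        else:
            plan["note"] += "; 24/7 asset without backup system: provision one before patching"
    return plan

TODAY = date(2018, 3, 22)
ICS_WINDOWS = [date(2018, 4, 15), date(2018, 6, 1)]   # constructed plant shutdown dates
SAMPLE_VULNS = [
    Vulnerability("VULN-A", severity=5, likelihood=4, ease=5),
    Vulnerability("VULN-B", severity=3, likelihood=2, ease=3),
]
SAMPLE_ASSETS = [
    Asset("scada-srv-01", "ics", runs_24x7=True, backup_system="scada-srv-02"),
    Asset("fileshare-07", "enterprise", runs_24x7=False, backup_system=""),
]

if __name__ == "__main__":
    for v in SAMPLE_VULNS:
        for a in SAMPLE_ASSETS:
            p = plan_patch(v, a, TODAY, ICS_WINDOWS)
            print(f"{p['vuln']} on {p['asset']}: score {p['score']}, due {p['deadline']}, "
                  f"apply {p['apply_on']} to {p['target']} ({p['note']})")
```

Run as a script it prints one line per vulnerability/asset pair. With the constructed data, VULN-A scores 25 and is due within a week, which no plant maintenance window can satisfy, so the planner flags an emergency window and directs the first installation at the backup server; VULN-B scores 9, is due in 90 days, and lands in the first scheduled shutdown.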

Test the patch. Even if a patch has been approved by an automation vendor, manufacturers and industrial organizations should test it before applying it in production. Nuances among applications, customizations, and other dependencies may interfere with patches.

Creating a test bed that mimics the environment can be done within a virtual environment. Then Microsoft Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) can be used to issue patches to the test environment first. Once the test environment is set up and the patch is installed, run through typical usage scenarios to validate proper functionality and performance of your application. This will help prevent issues from arising when the patch is deployed in the production environment.


If a test environment doesn’t exist, consider choosing a noncritical asset for the analysis. That way, if issues do occur with the patches, the consequences won’t have a major impact on operations.

Once the patches have been tested and are ready to be rolled out systemwide, back up all running applications before applying the patches in a live environment. Despite best efforts in testing and preparation, issues do occur, and it’s a good idea to have a copy of the last known good state of the automation servers.
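The staged sequence described in the last few paragraphs (test bed first, then a noncritical asset if no test bed exists, then production only after validation and only once a backup of each server is in hand) is easy to get wrong under time pressure, so it is worth encoding the gates explicitly. The block below is an added example, not the author's or Rockwell Automation's code: ring names, host names, validation checks and backup records are constructed placeholders, and the "apply" step stands in for whatever WSUS or SCCM deployment action a site actually uses.

```python
from dataclasses import dataclass

# Constructed sample environment: host names, check results and backup
# records are illustrative placeholders, not taken from any real site.

@dataclass
class Ring:
    name: str       # "test-bed", "pilot" (noncritical asset), "production"
    hosts: list     # host names in this ring
    critical: bool  # True for rings whose failure would disrupt operations

def backups_missing(ring, backups):
    """Hosts in a ring that have no recorded pre-patch backup."""
    return [h for h in ring.hosts if h not in backups]

def failed_checks(host, checks):
    """Checks that did not pass when the patched host was exercised through
    typical usage scenarios (results are supplied by the test exercise)."""
    return sorted(name for name, ok in checks.get(host, {}).items() if not ok)

def stage_rollout(rings, checks, backups):
    """Roll a patch through the rings in order. A ring is entered only after
    every earlier ring validated cleanly; a critical ring additionally
    requires a backup of each host before the patch is applied. Returns a
    plain dict so the outcome can be audited (and asserted on)."""
    applied = []
    for ring in rings:
        if ring.critical:
            missing = backups_missing(ring, backups)
            if missing:
                return {"status": "halted", "ring": ring.name,
                        "reason": "no backup for " + ", ".join(missing),
                        "applied": applied}
        for host in ring.hosts:
            applied.append(host)   # stand-in for the real WSUS/SCCM deployment step
            bad = failed_checks(host, checks)
            if bad:
                return {"status": "halted", "ring": ring.name,
                        "reason": f"{host} failed checks: {', '.join(bad)}",
                        "rollback": host,
                        "applied": applied}
    return {"status": "completed", "ring": rings[-1].name,
            "reason": "", "applied": applied}

RINGS = [
    Ring("test-bed", ["hmi-vm-test"], critical=False),
    Ring("pilot", ["historian-noncritical"], critical=False),
    Ring("production", ["scada-srv-01", "scada-srv-02"], critical=True),
]

# Constructed validation results: every host passes its usage scenarios.
CHECKS_OK = {h: {"hmi_loads": True, "tags_update": True, "alarm_latency_ok": True}
             for r in RINGS for h in r.hosts}
# Constructed backup records keyed by host (value is the snapshot label).
BACKUPS_OK = {"scada-srv-01": "snapshot-2018-03-21",
              "scada-srv-02": "snapshot-2018-03-21"}

if __name__ == "__main__":
    print(stage_rollout(RINGS, CHECKS_OK, BACKUPS_OK))
    broken = dict(CHECKS_OK)
    broken["hmi-vm-test"] = {"hmi_loads": True, "tags_update": False}
    print(stage_rollout(RINGS, broken, BACKUPS_OK))
    print(stage_rollout(RINGS, CHECKS_OK, {"scada-srv-01": "snapshot-2018-03-21"}))
```

The three calls in the script show the three outcomes that matter: a clean run reaches production; a validation failure on the test bed halts the rollout before the pilot or production hosts are touched and names the host to roll back; and a production server without a recorded backup halts the rollout before any production host is patched, even though the test bed and pilot passed.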

Maintain policies. Patch management is only as good as the policies and procedures that support it. While each manufacturer and industrial organization will have its own unique needs, it’s important to document the processes and best practices for patching. This can help establish a disciplined governance process that outlines the risks and consequences associated with failing to maintain patches. In addition to supplying the patching updates, many automation vendors can help by developing procedures, enacting the program, and supplying remote support services.
