Unpacking the Patch Management Process for Operations


March 5, 2020

By Mark Cristiano, Network and Security Services Business Development Manager, Rockwell Automation

The food and beverage industry has seen great momentum when it comes to addressing cyber hygiene – the starting point for industrial control system (ICS) cybersecurity. Where we used to have a lot of conversations about network infrastructure, cybersecurity techniques and strategy are now taking center stage. But how did we get here?

The problem dates back 20-30 years, when the food and beverage industry was rapidly adopting advanced, proprietary technology on the factory floor. Due to the closed and isolated nature of these systems, cybersecurity was not a true concern.

Fast forward to the past 10 years, and the proliferation of ICS and Ethernet-connected equipment has revolutionized productivity, quality, compliance and speed to market. It has also simplified connection of these legacy systems to each other and to new systems. This open, unmodified Ethernet communication brought increased cyber risk and a new concern: legacy system patch management.

A recent Food Protection and Defense Institute report details how this outdated legacy equipment can expose your operation to malicious attacks that can disrupt business, destroy equipment and compromise worker and product safety. A holistic cybersecurity program has become a business imperative, and the patch management process plays an important role.

You can’t patch what you can’t see

The idea of an asset inventory isn’t new, and you may have already tried this exercise internally, or even enlisted outside help. But to capture everything is no easy task, and many are still working to get it right.

There are two ways to take inventory, and to set the right foundation for your ICS cybersecurity program, you need both.

  • Electronic interrogation tools can scan your network and automatically identify assets, getting you most of the way there.
  • Manual identification will catch the rest, but requires someone to literally walk around, open panels and do a physical survey of what’s out there.

A watch out here is to take both approaches at all of your locations. If the inventory is complete at only nine of your 10 sites, I can just about guarantee the breach is coming through the one that was overlooked.

Setting a comprehensive patching strategy

Following the inventory, you may be left with a list of thousands of assets to wrap your head around. Luckily, not all assets are created equal. The next step is performing a risk analysis to identify the high priority assets to patch based on their criticality, exposure, age, anticipated risk, etc. Some assets aren’t even on the network, so are they really a risk?
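The following is an added example, not code from the article or from Rockwell Automation, that puts the two inventory passes above and this risk-ranking step together: it merges a scanner inventory with a manual walk-down survey, flags sites where either pass is still missing, and ranks the merged list for patching by criticality, exposure and age. The site names, assets and scoring weights are all constructed for illustration.

```python
# Added example (constructed data, not from the article): reconcile scan + survey
# inventories per site and rank assets for patching by criticality, exposure, age.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    site: str
    name: str
    criticality: int   # 1 (nuisance) .. 5 (line-stopping or safety-relevant)
    networked: bool    # reachable from the plant network?
    age_years: int     # age of the OS/firmware baseline


# Constructed data: what the electronic scan saw vs. what the walk-down found.
SCAN = {
    Asset("Plant-A", "hmi-01", 4, True, 8),
    Asset("Plant-A", "plc-07", 5, True, 12),
    Asset("Plant-B", "hmi-02", 3, True, 2),
}
SURVEY = {
    Asset("Plant-A", "hmi-01", 4, True, 8),
    Asset("Plant-A", "plc-07", 5, True, 12),
    Asset("Plant-A", "legacy-ws", 2, False, 15),  # standalone box, never on the network
    Asset("Plant-B", "hmi-02", 3, True, 2),
}
ALL_SITES = {"Plant-A", "Plant-B", "Plant-C"}


def site_coverage_gaps(scan, survey, sites):
    """Sites where the scan, the walk-down, or both have not been done yet."""
    scanned = {a.site for a in scan}
    surveyed = {a.site for a in survey}
    return sorted(s for s in sites if s not in scanned or s not in surveyed)


def merge_inventories(scan, survey):
    """Union of both passes, plus the assets that only one pass found."""
    merged = scan | survey
    only_survey = sorted(a.name for a in survey - scan)  # scanner blind spots
    only_scan = sorted(a.name for a in scan - survey)    # not physically verified
    return merged, only_survey, only_scan


def priority_score(asset):
    """Higher means patch sooner; offline assets keep a low but non-zero weight."""
    exposure = 3 if asset.networked else 1
    age_weight = 1 + min(asset.age_years, 10) / 10  # saturates at 2x past 10 years
    return round(asset.criticality * exposure * age_weight, 1)


def patch_order(assets):
    """Asset names, most urgent first."""
    return [a.name for a in sorted(assets, key=priority_score, reverse=True)]
```

Plant-C is reported as a coverage gap because neither pass has reached it, and the standalone workstation surfaces only through the survey, which is the point of running both.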

There are two types of patches you’ll need to address:

  1. Operating system (OS) patching is commonplace for IT, so much so that Microsoft Patch Tuesday has been around for more than 15 years. You’ll have to time plant floor OS patching with scheduled downtime for minimal disruption. Some proactive IT/OT collaboration can take care of this in many instances.
  2. Application-level patching is a different story. There could be literally hundreds of applications from different vendors with different patches. So it’s incumbent upon you to go find patches on vendor websites, understand the vulnerabilities they protect against and if they are needed or not.

Because each application is configured differently, patching the application layer warrants a very deliberate, consistent testing standard, one conducted in a lab environment prior to implementation on the plant floor, where you could run the risk of unintentionally shutting down production.

A systematic approach to patch management

The “fingers crossed” approach is common throughout the food and beverage industry. Not for lack of trying, but for lack of the right resources and specialized expertise. Generally what I see in the field today is reactive: responding to a high-priority patch notification by shutting down production on a weekend as needed.

And the common progression looks like this:

  • Operations enlists IT to help manage OT patching.
  • IT fills in, but doesn’t have the ICS expertise or resources to manage the unique requirements and constraints.
  • So they hire a hybrid IT/OT resource, or more often, outsource to a company like Rockwell Automation or others.

If going the third-party route, seek a partner grounded in operations. One telltale sign is their service level agreement (SLA) response time. Traditional IT providers measure response in hours. But that kind of downtime in consumer goods production can mean millions of dollars lost. SLAs measured in minutes represent an operations-friendly approach.

The ICS cybersecurity end game

Patch management is one step on your way to getting a security operations center (SOC) up and running. An SOC can provide a holistic dashboard view of your security posture, include a disaster recovery strategy and ensure optimal operation of your connected factory.

Additionally, there are solutions available today that are designed for endpoint protection or “whitelisting.” While these solutions do not entirely eliminate the need for patching, they are an effective solution to protect and buy you time while formulating a patching strategy.

The truth is, there is no silver bullet to effective cybersecurity. That is what defense-in-depth is all about. But with more than the bottom line at risk (think food and employee safety), reaction and a little luck is no longer a viable approach. If you’re looking for a little help kicking off your program, or bringing it to the next level, we’re here to help.
