Another part of cybersecurity is keeping systems and software patched and up to date. Emerson’s Ken Semph, a cybersecurity program manager, presented on this topic at the 2019 Emerson Exchange conference.
Patch management is but one element in a defense in depth cybersecurity strategy. A patch is a piece of code to fix or address a vulnerability in the software or firmware. These vulnerabilities can be exploited to cause harm.
Ken shared some statistics. 95% of system intrusions could have been prevented by keeping patches current, yet only 40% of the systems are fully up to date.
A generic architecture for advanced patch management places a firewall between the control system and the upstream server that manages patches; a second firewall separates that server from the Emerson server, which serves the patches via the Guardian Support service. These patches have been tested and approved for the versions of software and firmware running on the user’s control system.
The advanced patch management system under development will improve on the current patch management solution. It is designed to be easy to install, to provide reports and alerts, to be cybersecure to the IEC 62443-2-3 standard, and to be customizable to each DeltaV environment. File data encryption and TLS-secured encrypted communications are used to move the approved patches to the user’s patch management server.
This patch management server can also be eliminated; in that case a notification is sent to the administrator responsible for updates, who pulls down the patches and applies them through their own patching procedures.
This architecture is scalable: systems can be segmented, with firewalls between the segments and the level 3 network where the patch management server is located. Ken showed some wireframe user interfaces of how this solution will look when the usability improvements are finished.
Although substantial testing is performed before patches are released, good practice is to test the patches on a lightly used physical or virtual system and run it for a day or two to verify that no problems are found. Also, firmware updates for controller and I/O hardware will be sent down to the workstations but will need to be applied manually through the current update processes.