Patch Management as a Cybersecurity Layer of Defense

Sep 25, 2019 | Cybersecurity

Another part of cybersecurity is keeping systems and software patched and up to date. Emerson's Ken Semph, a cybersecurity program manager, presented on this topic at the 2019 Emerson Exchange conference.

Patch management is but one element in a defense-in-depth cybersecurity strategy. A patch is a piece of code that fixes or addresses a vulnerability in software or firmware. Left unpatched, these vulnerabilities can be exploited to cause harm.

Ken shared some statistics: 95% of system intrusions could have been prevented by keeping patches current, yet only 40% of systems are fully up to date.

A generic architecture for advanced patch management places a firewall between the control system and the upstream server that manages patches; that server is in turn separated by another firewall from the Emerson server, which serves the patches via the Guardian Support service. These patches have been tested and approved for the versions of software and firmware running on the user's control system.

The advanced patch management system under development will improve on the current patch management solution. It is designed for easy installation, provides reports and alerts, is cybersecure to the IEC62443-2-3 standard, and is customizable to adapt to each DeltaV environment. File data encryption and TLS-secured encrypted communications are used to move the approved patches to the user's patch management server.

This patch management server can also be eliminated: instead, a notification is sent to the administrator responsible for updates, who can then pull down the patches and apply them through their own patching procedures.

This architecture is scalable: the systems can be segmented, with firewalls between the segments and the level 3 network where the patch management server is located. Ken showed some wireframe user interfaces illustrating how this solution will look once the usability improvements are finished.

Although substantial testing is performed before patches are released, good practice is to first apply the patches to a lightly used physical or virtual system and run it for a day or two to verify that no problems are found. Also, firmware updates for controller and I/O hardware will be sent down to the workstations but will need to be applied manually through the current update processes.
