These days it seems as if we are hearing about new cybersecurity threats to industrial operations nearly every month. Whether it is a ransomware attack, an outage due to malware, or an attack via a new, unanticipated vector, the risks associated with a cyberattack can be immense.
As I’ve written about in the past, there are steps you can take to better secure your control systems to prevent intrusion. One key step is increasing focus on ensuring systems are fully updated with the latest patches and hotfixes to prevent cybersecurity loopholes. However, maintaining control system technologies with the latest cybersecurity updates has, until recently, been more complicated than updating other systems.
The rigors of maintaining control system security
Patch management solutions for control systems have existed for a long time and have been a critical element of keeping the distributed control system (DCS) up to date. Most of these solutions, however, provide limited information to users about the patching process.
While traditional patch management systems do provide verification that patches have been tested to comply with IEC 62443 (helping ensure they do not conflict with existing control system configurations), they often do not offer guidance about the current patch status of the control system, nor do they typically identify the need for a reboot when applying patches. As a result, teams find it difficult to predict which patches will cause outages, which in turn makes it hard to schedule patches and updates properly. Integrated Patch Management seeks to change that dynamic.
A new solution seeks to take the guesswork out of patching critical systems. Integrated Patch Management gives administrators visibility into the patch status of all machines on their DCS and safety instrumented systems (SIS), helping them quickly identify which systems have pending updates. The tool also clearly identifies which patches will require system reboots. Using this information, security teams can improve security incrementally by immediately applying patches that will not impact system operation and scheduling patches that require a reboot during planned outages.
Ken Semph, cybersecurity program manager at Emerson, explains,
“In today’s environment of continual cyber threats, organizations are more focused than ever on ensuring that critical software is kept up to date. Integrated Patch Management enables plants to apply more patches, more easily and securely, and more often, to increase confidence in their overall cybersecurity posture.”
Improved management with stronger cybersecurity
Emerson’s Integrated Patch Management for the DeltaV™ DCS and SIS further improves cybersecurity by using automatic hash checks on all new patches to ensure only original, official updates can be installed. Security teams can even set schedules for operating system updates and antivirus signature files to be installed in the background, or choose to perform installations locally when convenient for the plant schedule.
To learn more about Integrated Patch Management for the DeltaV DCS and SIS, you can visit the patch management product page.