
Patching Beyond Microsoft

Oracle released 41 security patches this week for a variety of their products. Ten of the patches were for the Oracle database, which by the way is used in many SCADA and DCS servers.

We have seen great progress with vendors testing and certifying Microsoft patches on a timely basis. We have some progress with asset owners deploying Microsoft patches. However, we have seen very little progress from vendors or asset owners in similarly dealing with non-Microsoft patches. Databases are a prime example, but this also includes web and FTP servers, components like JRE, applications like Acrobat, client-side vulnerabilities, router/switch OS and more.

Database patching is tough. In our experience, database patches are more likely than Microsoft patches to break something in the control system application. Testing tends to take more time. That said, an unpatched database vuln with an exploit is just as big a problem as a missing Microsoft patch.

It’s time for control system patching to move beyond Microsoft. We would be very interested in hearing some success stories and vendor commitments to test and certify patches beyond Microsoft.

Comments

Comment from cnioperator
Time: January 16, 2009, 5:20 am

Dale, You’re spot on.
We’ve pushed and pushed on MS patching and we’re now in a very good place. We can patch our control systems AHEAD of the corporate systems (who’d have thought that would have been possible).
Now database patching isn’t trivial; it’s something we struggle with in the corporate network. It’s on my radar to improve but I fear it may take longer to resolve than MS patching.
Watch this space.

Comment from Rob Lewis
Time: January 17, 2009, 3:23 pm

Good post. You are right, except it is time to move beyond control system patching, period.

We are a vendor, but probably not in the sense that your request meant.

Trustifier offers an alternative form of control that protects systems regardless of whether they are patched. Perhaps this could be handy in the situations you list above, as well as with protecting legacy systems.

Since I attempt not to sell on anyone’s board, I will not say too much. I should probably explain/justify my position, especially since my occasional comments here probably raise a few eyebrows/question marks.

Trustifier is a security sub-system that is added to stock commercial operating systems. Its effect is to create a separation kernel with augmentations, to create a paradigm change to the trusted computing base that facilitates intuitive and easy to administer multilevel security, integrity and domain separation in existing IT systems and networks.

In short, we have added internal controls that have historically been missing from OSs. While we were at it, we added many more interesting things that make it much more than mere OS security. I will head any commenters off at the pass now, by saying that it is the implementation that is innovative, so Trustifier does not break things the way older attempts might have.

Cheers.
