JohnRezabek

Upgrading operating systems hasn’t reduced the frequency of unwelcome patching

Dec. 5, 2019
We don’t want to make a bet we can’t afford to lose, but at the end of the day, we really don’t want to be Windows systems administrators.

Do you have friends or relations who insist on bringing their dog to your house around the holidays? Even if you’re an animal lover, the disruption, distraction and special accommodation for an unfamiliar, undisciplined, and potentially destructive critter—while you’re trying to enjoy your human guests—can be an especially unwelcome burden. That’s about how I feel when “patch Tuesday” rolls around for the Windows operating systems that are used in control systems and supporting infrastructure. Put down some newspaper. “Patches” is an unwelcome visitor that we are obliged to accommodate, to the detriment of our other duties. And with the obsolescence of Windows 7 and Server 2008, and the increased lock-down of Windows systems in pursuit of ISASecure System Security Assurance (SSA) certification, you may find that “Patches” sheds, stinks and has become a more burdensome and annoying guest than ever.

Even though our DCS and the programs and services running on it are from the same supplier, the programs themselves are in many ways separate and independent. The operator interface and configuration tools are their own thing, the engineering interface for configuring, compiling and downloading controller and field device configurations is another. There’s the asset management system and assorted other applications for valve diagnostics, OPC applications, alarm analysis, advanced control…the menu of programs and services is substantial.

All are running on Windows. We rely on our systems supplier to vet the myriad and routine Microsoft patches and ensure all of their numerous software products—some from third parties like Acronis or OSIsoft—continue to function reliably. And still sometimes we have to roll back a Microsoft security update to get a valued function like OPC or alarm management to function post-Patches.

By subscribing to our DCS supplier’s ongoing support offering, we are entitled to a listing of vetted (tested) patches that might be needed for our system. Sometimes it’s not obvious whether one needs a specific patch—how many boxes are running SQL 2014? If you take the time to read the actual KBA (Microsoft’s discussion of the vulnerability being addressed) you may wonder what attack vector you’re really closing. We are frustratingly denied one of an engineer’s most valued tools, the ability to assess whether a risk is real and severe enough to endure the trouble. We don’t want to make a bet we can’t afford to lose, but at the end of the day, we really don’t want to be Windows systems administrators.

Not all suppliers are as proactive as our DCS system supplier, and the number of other utilities and activities that require a Windows PC—think analyzer system maintenance, ladder logic for assorted PLCs (including safety systems), continuous emissions monitoring systems (CEMS), turbomachinery, mobile worker—is not getting smaller. Typically, none of these are connected to a business network or the broader Internet where they might get patches pushed to them automatically. That’s probably not all bad, since disrupting the mission of supporting safe and efficient production of saleable product is our core duty (not sending emails or invoices).  But if you’re religiously patching the DCS to fulfill cybersecurity duties, how many of these numerous ancillary machines are languishing out there? We were shocked a few months ago when we watched our industrial gas supplier’s PLC interface boot up on Windows 2000. Egad.
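As an added illustration that is not part of the column: the “how many boxes are running SQL 2014?” question and the worry about ancillary PCs languishing unpatched are both answered by the same inventory, so the PowerShell below reports, for each host, the OS build, every installed SQL Server instance with its edition and patch level, and the most recently recorded hotfix. It reads the registry keys that SQL Server setup itself writes and the hotfix records that Get-HotFix exposes. The host names are hypothetical; it assumes PowerShell 5.1 or later run with local administrator rights, and WinRM for the remote case (often deliberately disabled on OT networks, in which case run it locally on each box and collect the CSV by hand).

```powershell
# Added example, not code from the column. Inventories a Windows host for
# patch planning: OS build, installed SQL Server instances with patch level,
# and the most recently installed hotfix.
# Assumptions: PowerShell 5.1 or later, run with local administrator rights.
function Get-PatchInventory {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Most recent hotfix recorded in Win32_QuickFixEngineering (what Get-HotFix reads).
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1
    $lastFixId   = if ($lastFix) { $lastFix.HotFixID } else { 'none recorded' }
    $lastFixDate = if ($lastFix) { $lastFix.InstalledOn } else { $null }

    # SQL Server setup records every instance under this key as
    # <instance name> = <instance ID>, e.g. MSSQLSERVER = MSSQL12.MSSQLSERVER,
    # and the instance's own Setup key carries Version, PatchLevel and Edition.
    # Major version 12 is SQL 2014, which is the case the column asks about.
    $sqlByMajor = @{ 10 = 'SQL 2008/2008 R2'; 11 = 'SQL 2012'; 12 = 'SQL 2014';
                     13 = 'SQL 2016'; 14 = 'SQL 2017'; 15 = 'SQL 2019' }
    $instanceKey  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $sqlInstances = @()
    if (Test-Path -Path $instanceKey) {
        $map = Get-ItemProperty -Path $instanceKey
        # Skip the PSPath/PSParentPath/... properties Get-ItemProperty adds.
        foreach ($entry in ($map.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $setupKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($entry.Value)\Setup"
            if (-not (Test-Path -Path $setupKey)) { continue }
            $setup   = Get-ItemProperty -Path $setupKey
            $major   = [int](($setup.Version -split '\.')[0])
            $product = $sqlByMajor[$major]
            if (-not $product) { $product = "SQL major version $major" }
            $sqlInstances += "$($entry.Name)=$product $($setup.Edition) $($setup.PatchLevel)"
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os.Caption
        OSVersion      = $os.Version
        LastHotFixID   = $lastFixId
        LastHotFixDate = $lastFixDate
        SqlInstances   = $sqlInstances -join '; '
    }
}

# Local run: works on any box you can log on to, no network path required.
Get-PatchInventory | Format-List

# Remote run over WinRM where it is enabled; these host names are hypothetical.
$targets = @('DCS-ENG01', 'DCS-HIST01', 'AMS-SRV01')
Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-PatchInventory} -ErrorAction Continue |
    Select-Object ComputerName, OS, OSVersion, LastHotFixID, LastHotFixDate, SqlInstances |
    Export-Csv -Path .\patch-inventory.csv -NoTypeInformation
```

Two caveats a practitioner should keep in mind when reading the CSV. Get-HotFix only reports updates recorded by Windows servicing, so a host patched by some vendor installer can show an older date than reality; the SQL registry values, on the other hand, are written by SQL Server setup itself and are a reliable answer to “is SQL 2014 even on this box”. And a machine still running Windows 2000 has no PowerShell at all, so it will show up only as a connection failure in the remote run, which is itself the finding.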


Now we’ve migrated the DCS to Windows 10 and Server 2016, and the experience, as you might guess, is not entirely joyous. We are still wincing at the prospects of moving other PCs to the not-obsolete OS, ensuring applications and engineering tools are compatible (and backwards-compatible to the controls appliances they service), whether new hardware is needed, and how or whether licenses will transfer to the new platform. On the DCS, SSA group policies and lockdown measures mean more complexity for previously routine tasks like mapping a shared drive. It’s only been six weeks, and already we’ve learned that six new patches are available (mandated?)—three for various versions of SQL alone. Nonetheless, we’re admonished by our corporation and our supplier to keep everything in our purview up to date.

While we’re laying down newspaper for the unwelcome Patches, let’s hope there’s still time to pursue the enhancement and advancement of our process control and monitoring system. Unfortunately, there’s no extra help to look after Patches, and as usual, the lousy mutt can’t be left in his kennel.

About the author: John Rezabek

John Rezabek | Contributing Editor

John Rezabek is a contributing editor to Control