Patches the Bad Dog

Oct. 28, 2008
Why Can’t Patches the Dog Sit at the Firewall and Bite the Hand Off the Bad Guys Whenever He Spots One?
By John Rezabek, Contributing Editor

Patches, here Patches! Go fetch me that security leak and tear it to shreds! Good b...!? No, Patches! No! NOT the OPC Server!! Bad, bad Patches!! Having just finished a “point” upgrade of our plant’s DCS and its Windows-based operator and engineering interface, I’m bracing for the new “features” that we’ll uncover in the coming weeks and months. A “point” upgrade is a minor release of a tested and proven suite of controls software containing mainly bug fixes and minor enhancements/upgrades. I think the “point” comes from the fact that you upgrade from, for example, 9.3.2 to 9.3.3. A “major” release upgrade would be to install “10-point-something”. While those are the most fun of all, we’ll leave that for a much longer column.

I signed up for a service from my DCS supplier to watch over my system and alert me when concerns arise—a good idea, I think. But I get “spammed” by the service quite a bit, and about half the emails are concerning Windows security updates. Since we have firewalls on any connection to the business network (and hence, the World Wide Web), Windows updates pushed to our desktops and laptops don’t make it to the DCS consoles for lots of reasons. Our corporate IT guys assess the Tuesday patches that Microsoft sends out, and choose the ones they want before inflicting them on their users. These likely include patches not completely tested by my DCS supplier, and may exclude some he wants users to have. The DCS includes Server 2003 nodes as well as XP nodes, and the system’s software patches at times may be coordinated with tweaks that Microsoft is making. It’s a struggle to keep up.

The service that spams me about updates and vulnerabilities is like a broken record, but woe unto him that springs a leak on account of blowing them off. My problem has been packaging them and getting them to stick. I hear my supplier is working on ways to bundle these updates to make deployment a bit easier, but presently I must individually download the patches and compose a command script to get them all smoothly installed. When I look in “Add/Remove Programs,” the list of patches stretches across two 20-in. dual-screen monitors and beyond. Hmmm, let me see if KB922760 is installed—parallax be damned—I was just spammed about it, but it seems to be there. No, wait. That’s KB922670. Now where is that command file?
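Added example, not the column's own script: a PowerShell check that compares the supplier's required-KB list with what the node itself reports installed, using exact ID matching so that KB922670 cannot pass for KB922760, and then writes the install lines for whatever is missing into the "command file" the column mentions. The KB numbers in $Required, the C:\Patches folder and the package file-name pattern are assumptions for illustration; Get-HotFix needs PowerShell 2.0 or later (on an older XP/2003 node, `wmic qfe get HotFixID` returns the same list).

```powershell
# Added example, not the column's own script. Compares the KB numbers the
# supplier's alert service says a DCS node needs against what the node
# actually reports installed, then writes the install lines for the
# missing ones into a command file.
#
# Assumptions (not from the column): the KB list below is a constructed
# placeholder for the supplier's bulletin; packages sit in C:\Patches under
# Microsoft's usual file-name pattern; PowerShell 2.0+ for Get-HotFix.
# On an XP/2003 node without it, "wmic qfe get HotFixID" gives the same list.

# Constructed list of required hotfixes (placeholders, not a real advisory).
$Required = @('KB922760', 'KB941644', 'KB958644')

function Get-MissingHotfixes {
    param(
        [string[]]$RequiredIds,
        # Defaults to the live query; pass a list to test against a known state.
        [string[]]$InstalledIds = (Get-HotFix | ForEach-Object { $_.HotFixID })
    )
    # Build an exact-match lookup. A wildcard or substring test would let
    # KB922670 stand in for KB922760, the same mistake as squinting at
    # Add/Remove Programs across two monitors.
    $installed = @{}
    foreach ($id in $InstalledIds) {
        if ($id) { $installed[$id.Trim().ToUpper()] = $true }
    }
    $RequiredIds | Where-Object { -not $installed.ContainsKey($_.Trim().ToUpper()) }
}

$missing = @(Get-MissingHotfixes -RequiredIds $Required)

if ($missing.Count -eq 0) {
    Write-Host "All $($Required.Count) required hotfixes present on $($env:COMPUTERNAME)."
} else {
    Write-Host "Missing on $($env:COMPUTERNAME): $($missing -join ', ')"

    # Write the command file: one silent install per missing package and one
    # reboot at the end, in the maintenance window, rather than one after each
    # patch. /quiet /norestart are the standard switches for the XP/2003-era
    # update.exe packages; exit code 3010 means "installed, reboot pending",
    # which is success here. The file-name prefix differs between XP and
    # Server 2003 nodes, so set $Prefix per node type (assumed pattern).
    $Prefix = 'WindowsXP'            # e.g. 'WindowsServer2003' on the 2003 nodes
    $lines = @('@echo off')
    foreach ($kb in $missing) {
        $pkg = "C:\Patches\$Prefix-$kb-x86-ENU.exe"
        $lines += "if not exist `"$pkg`" (echo MISSING PACKAGE $pkg & exit /b 1)"
        $lines += "`"$pkg`" /quiet /norestart"
        $lines += "if %errorlevel% neq 0 if %errorlevel% neq 3010 (echo FAILED $kb & exit /b 1)"
    }
    $lines += 'echo Done. Reboot this node during the planned window.'
    $lines | Set-Content -Path 'C:\Patches\install-missing.cmd'
    Write-Host "Wrote C:\Patches\install-missing.cmd"
}
```

Run it once before the maintenance window to get the real gap list instead of the alert-service backlog, and once after the reboot to confirm every ID now reports installed; passing a saved list to -InstalledIds lets you check the matching logic on a workstation without touching a console.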

Cripes, why am I even doing this? The purpose of people like us—and I mean the vast majority of us, including our counterparts at our suppliers—is to improve and optimize the value of the measurement and control systems, not to diddle with security updates. Why can’t Patches the Dog sit at the firewall and bite the hand off the bad guys whenever he spots one? I would feed him well and even bring around Patchette the Girl Dog every time he bit a bad guy.

I could pay my supplier to send someone to install updates, but that is far from free, and I fear that “visitors” will treat my control system less gingerly (and they have)—and I’m not sure what I might find when the deed is done. All the money we’ve saved by switching to commercial-off-the-shelf (COTS) workstations and Windows OSs would pay a service tech reasonably well for a while, but that savings is in the past, and COTS is now the status quo. Would it be enough to hire the dweebs whose exploits we’re constantly scrambling to foil? More of them will be tap-tapping away in their mom’s basement if the economy doesn’t improve soon enough.

Some suppliers feel our pain and are working on hardware and software that will spare us some of it. But with tighter budgets, we may have to sacrifice some other nice-to-have, or even profitable and strategic, investments to fund such expenditures. Even then, management may say, “I pay you to keep my business running—even if the pedal isn’t to the metal. If that involves some inglorious tasks, too bad—I have some like that too.” So I may be laying down a few newspapers for Patches the Dog for the foreseeable future.