Patches, here Patches! Go fetch me that security leak and tear it to shreds! Good b...!? No, Patches! No! NOT the OPC Server!! Bad, bad Patches!!
Having just finished a point upgrade of our plant's DCS and its Windows-based operator and engineering interface, I'm bracing for the new "features" that we'll uncover in the coming weeks and months. A point upgrade is a minor release of a tested and proven suite of controls software containing mainly bug fixes and minor enhancements/upgrades. I think the "point" comes from the fact that you upgrade from, for example, 9.3.2 to 9.3.3. A major release upgrade would be to install 10-point-something. While those are the most fun of all, we'll leave that for a much longer column.
I signed up for a service from my DCS supplier to watch over my system and alert me when concerns arise (a good idea, I think). But I get spammed by the service quite a bit, and about half the emails concern Windows security updates. Since we have firewalls on any connection to the business network (and hence, the World Wide Web), Windows updates pushed to our desktops and laptops don't make it to the DCS consoles for lots of reasons. Our corporate IT guys assess the Tuesday patches that Microsoft sends out, and choose the ones they want before inflicting them on their users. These likely include patches not completely tested by my DCS supplier, and may exclude some he wants users to have. The DCS includes Server 2003 nodes as well as XP nodes, and the system's software patches at times may be coordinated with tweaks that Microsoft is making. It's a struggle to keep up.
The service that spams me about updates and vulnerabilities is like a broken record, but woe unto him that springs a leak on account of blowing them off. My problem has been packaging them and getting them to stick. I hear my supplier is working on ways to bundle these updates to make deployment a bit easier, but presently I must individually download the patches and compose a command script to get them all smoothly installed. When I look in Add/Remove Programs, the list of patches stretches across two 20-in. dual-screen monitors and beyond. Hmmm, let me see if KB922760 is installed, parallax be damned. I was just spammed about it, but it seems to be there. No, wait. That's KB922670. Now where is that command file?
Cripes, why am I even doing this? The purpose of people like us (and I mean the vast majority of us, including our counterparts at our suppliers) is to improve and optimize the value of the measurement and control systems, not to diddle with security updates. Why can't Patches the Dog sit at the firewall and bite the hand off the bad guys whenever he spots one? I would feed him well and even bring around Patchette the Girl Dog every time he bit a bad guy.
I could pay my supplier to send someone to install updates, but that is far from free, and I fear that visitors will treat my control system less gingerly (and they have), and I'm not sure what I might find when the deed is done. All the money we've saved by switching to commercial-off-the-shelf (COTS) workstations and Windows OSs would pay a service tech reasonably well for a while, but that savings is in the past, and COTS is now the status quo. Is it enough to hire the dweebs whose exploits we're constantly scrambling to foil? More of them will be tap-tapping away in their mom's basement if the economy doesn't improve soon enough.
Some suppliers feel our pain and are working on hardware and software that will spare us some of this pain. But with tighter budgets, we may have to sacrifice some other nice-to-have or even profitable and strategic investments to fund such expenditures. Even then, management may say, "I pay you to keep my business running, even if the pedal isn't to the metal. If that involves some inglorious tasks, too bad. I have some like that too." So I may be laying down a few newspapers for Patches the Dog for the foreseeable future.