OT Patch Management Strategy: Seven Best Practices


Traditionally, and for many years, cyber threats have been handled almost exclusively by IT departments. As IT/OT convergence has become more prevalent, however, those threats have spread to the more-complex world of OT.

This means that manufacturers need to be prepared to deal with threat actors looking to leverage known vulnerabilities that exist within their OT environment – and patch management should be part of the plan.

Industrial organizations have been slow to recognize the importance of developing and using comprehensive OT patch management plans. And it’s no coincidence, unfortunately, that those manufacturers have been some of the hardest hit victims of cyberattacks.

Threats like 2017’s devastating NotPetya ransomware cyberattack cost Merck more than $600 million and Mondelez $100 million. These serve as a reminder to manufacturers of the importance of getting it right when it comes to OT patching. Companies that ignore the need for more robust OT system security are putting themselves at unnecessary risk.

Helping key stakeholders understand what patching is and why it’s worthy of funding can be daunting, but it’s the only way to raise awareness and secure buy-in for this crucial practice. The good news is, it’s easy for manufacturers to adopt a proactive approach to patching as part of the overall lifecycle management process.

Your organization’s cybersecurity strategy should address the entire cyberattack continuum to provide planning and protection before, during and after an attack.

Windows: The Common Gateway

The most common attack vector for any company is the Microsoft Windows operating system, on which almost all software runs. Employees who have work-issued personal computers benefit from behind-the-scenes patches scheduled by IT to update software and systems to fix bugs or introduce improvements. OT patching is slightly different in that it needs to be scheduled during maintenance-related downtime – but it’s just as important.

Patches are released weekly by Microsoft on its “Patch Tuesdays.” As recently as May 2019, the company was releasing important patches related to warnings of potentially catastrophic “zero-day” exploits attacking Windows vulnerabilities, dubbed “BlueKeep.”

Recent attacks including LockerGoga in March 2019 and NotPetya and WannaCry in 2017 were successful because they took advantage of known vulnerabilities for which Windows had already released patches.

In short, the fixes had been available, but they hadn’t been implemented. The sad truth is, had the victims of those attacks been proactively patching, they would have been in a much better place to protect their assets. There’s no good excuse to avoid patching, especially when the stakes are so high.

Developing a Patch Strategy

Here are some best practices to apply when developing a patch strategy.

  1. Start with identifying your vulnerabilities. This includes a thorough inventory of your devices – not just their identities but also their attack surfaces, and not just at a single site but at scale across a regional or global supply chain. Take advantage of tools that will help you understand what the known attack surface looks like.
  2. For collecting this inventory, determine if a passive or active approach is best. An active approach can carry some risk – scanning the entire environment introduces traffic onto an OT network that might cause older or legacy devices to go down. So in most cases, it’s best to initially take a more passive approach to identifying what devices are out there and what their attack surface is. You may find both virtualized and physical compute devices running Windows operating systems; consider leveraging technologies such as virtualization that allow you to consolidate compute and operating system surfaces into a single more manageable environment, in turn allowing you to speed up the patching process.
  3. Investigate with your vendors to determine if their software has been tested and validated. When Microsoft releases patches, it is your responsibility to determine if those patches have been approved or validated for the software installed on your systems. For example, Rockwell Automation validates Microsoft’s weekly patches on its software and releases notifications that classify them as fully qualified, partially qualified or not qualified.
  4. Stage patches and group devices. The qualified patches must now be staged in the industrial control environment where they are needed. But your environment may be running different versions or different vendors’ automation software, so group the devices according to how you would be deploying these qualified patches. Tools like WSUS (Windows Server Update Services) and SCCM (Microsoft System Center Configuration Manager) can be used to define separate groupings for Windows devices dedicated to the operations environment. This not only lets you apply specific qualified patches only to the devices that are approved for them, but also lets you set specific schedules that meet your downtime requirements.
  5. Test before you apply. Consider funding a test environment that mimics and runs the production applications. If that is not fiscally feasible, consider creating groups of devices based on criticality. If there are low-priority lines or systems that aren’t running continuously, consider patching those first as a test case. Also, note any customizations on applications, as they can change how patching affects the environment.
  6. Schedule your patch deployments. In the OT world, patching isn’t as simple as applying a patch whenever it’s needed. It has to be coordinated with downtime schedules. Many patches require a reboot on systems that may not have been rebooted in years. So plan ahead to determine how much time you might need and where that window of time will fit in the overall downtime schedule.
  7. Apply and perform “hyper-care.” Once the patches have been applied and the device successfully reboots, define test scenarios that should be run during a “hyper-care” period. You should be looking at everything that factors into the machine being fully available – confirming it is running as normal and applications are functioning properly. Failure to adequately test could result in unplanned downtime.
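
The grouping, qualification and ordering decisions from steps 3 to 6 can be expressed as a small planning script. This is an added example, not Rockwell Automation code: the hostnames, product names, patch IDs and dates are constructed placeholders, and the rule that a missing vendor statement means "block" is an assumption.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: hosts, products, patch IDs and dates are placeholders.
INVENTORY = [
    {"host": "hmi-line1", "product": "HMI", "criticality": "low", "window": date(2019, 9, 7)},
    {"host": "hmi-line2", "product": "HMI", "criticality": "high", "window": date(2019, 9, 21)},
    {"host": "hist-01", "product": "Historian", "criticality": "high", "window": date(2019, 9, 21)},
    {"host": "eng-ws-01", "product": "Design", "criticality": "low", "window": date(2019, 9, 7)},
]
# Vendor qualification notices: (patch, product) -> one of the three classes named in step 3.
QUALIFICATION = {
    ("PATCH-A", "HMI"): "fully qualified",
    ("PATCH-A", "Historian"): "partially qualified",
    ("PATCH-B", "HMI"): "not qualified",
    ("PATCH-B", "Design"): "fully qualified",
}
RING_ORDER = {"low": 0, "high": 1}  # low-criticality systems go first as the test case


def decide(patch, product):
    """Map a vendor qualification status to a deployment decision."""
    status = QUALIFICATION.get((patch, product))
    if status == "fully qualified":
        return "approve"
    if status == "partially qualified":
        return "hold-for-review"
    # Not qualified, or no vendor statement at all (assumption): do not deploy.
    return "block"


def build_plan(patches, inventory):
    """Group devices by product, decide per-patch approval, and order the rollout."""
    groups = defaultdict(list)
    for dev in inventory:
        groups[dev["product"]].append(dev)

    plan = {}
    for product, devices in sorted(groups.items()):
        decisions = {p: decide(p, product) for p in patches}
        ordered = sorted(
            devices,
            key=lambda d: (RING_ORDER[d["criticality"]], d["window"], d["host"]),
        )
        pilots = [d for d in ordered if d["criticality"] == "low"]
        plan[product] = {
            "approve": sorted(p for p, d in decisions.items() if d == "approve"),
            "hold": sorted(p for p, d in decisions.items() if d == "hold-for-review"),
            "block": sorted(p for p, d in decisions.items() if d == "block"),
            # Rollout order: pilot devices first, each in its own downtime window.
            "rollout": [(d["host"], d["window"].isoformat()) for d in ordered],
            # No low-criticality device to pilot on: a separate test environment is needed.
            "needs_test_environment": not pilots,
        }
    return plan


if __name__ == "__main__":
    for product, entry in build_plan(["PATCH-A", "PATCH-B"], INVENTORY).items():
        print(product, entry)
```

Each product group in the output corresponds to one update-tool device group, so the "approve" list is what gets staged for that group and nothing else.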

Of course, without support from plant management, operations management and senior-level management, a patch management strategy can’t be successfully implemented. Help leadership understand that patching is just as important as other preventative maintenance and safety activities that often get prioritized during scheduled downtime. Also important is your organization’s larger cybersecurity strategy, which should address the entire cyberattack continuum to provide planning and protection before, during and after an attack.

A patch management strategy that is relevant, efficient and well-structured will help manufacturers overcome the complexity of OT patch management. By identifying your vulnerabilities, staying up to date on patches released by Windows, and creating a plan to test and deploy patches, you can help protect your company from potential calamity at the hands of hackers and cyberattackers.

Published August 14, 2019

