
Risks of Unpatched Software in CPG Operations

Learn how to mitigate cyberthreats by prioritizing risk assessments, implementing well-defined patching schedules, and using layered security measures.


By Ahmik Hindman, Senior Network & Solution Consultant at Rockwell Automation

In the digital world, the consumer packaged goods (CPG) industry faces increasing cyberattacks targeting operational technology (OT) systems. A recent report from Food Processing finds that 47% of respondents experienced an increase in cyberattack exposure in the previous 12 months.

These systems, often comprising legacy equipment, play a crucial role in managing and controlling various stages of the production process, from ingredient handling and mixing to packaging and distribution. However, unpatched vulnerabilities within these systems create significant entry points for malicious actors, exposing critical infrastructure to manipulation, disruption and data breaches.

In the first half of 2023, the rate of unfixed industrial control system (ICS) flaws rose from 13% to about 34%, according to data compiled by SynSaber. Every day, unpatched security software exposes assets to constant cyberthreats, with devastating consequences for data, finances and reputation should the attackers succeed. Ransomware attacks are on the rise.

The time to act is now, not after an attack has occurred.

While patching outdated software is a crucial step, CPG companies face two significant hurdles:

  1. Legacy systems lacking vendor support.
  2. The inherent complexity of integrating patches into intricate production environments.

Beyond creating a cybersecurity headache, the burden of unpatched software and other technical debt has ballooned to an estimated cost of $1.52 trillion to fix, according to the Consortium for Information & Software Quality™ (CISQ™).

This article offers a roadmap for CPG manufacturers to help secure operations in a smart manufacturing environment. Firms can deploy robust cybersecurity strategies such as effective risk assessments, well-defined patching schedules and layered security measures to address the threat that outdated software poses to their operations.


To Patch or Not to Patch?

Although patching vulnerabilities seems like a straightforward solution to improve OT network security, the reality in OT environments is far more nuanced. Patching every single flaw can be a complex and resource-intensive undertaking. Legacy systems, often unsupported by vendors, might lack readily available patches.

Further complicating the issue is the complexity of updating intricate production environments, which can be time-consuming and disruptive, often requiring rigorous testing and potentially leading to downtime. Applying unnecessary patches may introduce unforeseen complications. And disruptions from unsuccessful patch applications can cause unwanted downtime and potentially jeopardize critical operations.

In addition, not all vulnerabilities require immediate patching. A cost-benefit analysis should be conducted to evaluate the potential impact of a specific vulnerability against the complexity and potential disruptions associated with patching.

If the existing security controls, such as network segmentation and access controls, effectively mitigate the risk posed by the vulnerability, a delayed patch application, alongside close monitoring, might be a more practical approach. This measured approach helps verify that OT security is maintained while minimizing the risk of operational disruptions.

Keys to an Effective Patch Management Strategy

Developing well-defined policies and procedures is the cornerstone of an effective, repeatable patch-management strategy for industrial automation control systems (IACSs). They establish a clear roadmap for managing vulnerabilities and maintain consistency in the patching process. Key elements for manufacturers to incorporate into their cybersecurity strategies include the following:

  • Automated IACS Asset Inventory and Vulnerability Correlation. An automated IACS asset inventory forms the foundation of a robust patch-management system, and pairing this inventory with vulnerability databases and manufacturer patch lists provides a complete and up-to-date picture of all IACS assets.
  • Prioritization. Not all vulnerabilities pose the same level of risk, which is why it’s crucial to determine your patch-management strategy based on the potential impact vulnerabilities might have on your organization. To help determine vulnerability priorities, consider how critical the affected equipment is to overall operations, if there are any known exploits targeting the specific vulnerability, and what potential disruptions a successful attack could cause.
  • Change Review Board and Patch Validation. A Change Review Board, composed of members from maintenance, engineering and operations, is crucial for assessing the comprehensive impact of proposed patch prioritization. The board is instrumental in verifying that patches for OT systems, applications and firmware updates comply with the manufacturer's approved standards. This verifies that only authorized updates are implemented, that overall risk is evaluated and considered, and that this aligns with business objectives and IACS asset criticality.
  • Testing, Deployment and Documentation. Thorough testing of patches in a controlled environment like a sandbox is essential before deploying them to production systems. This helps identify and mitigate potential conflicts with local applications and configurations. After testing, patches should be deployed based on the established criticality assessment. Documenting the entire deployment process through a change/configuration management solution provides a clear audit trail and facilitates maintaining the newly established baseline for IACS assets.
  • Change Management and Patch Frequency. Documenting all patching activities via a change-management solution achieves transparency and facilitates future audits. Establishing a baseline for IACS assets after successful patching allows for continuous monitoring of compliance and identification of any deviations. And maintaining a consistent patching frequency is crucial, because it strikes a balance between addressing vulnerabilities and minimizing operational disruptions.

By implementing these comprehensive policies and procedures, CPG manufacturers can build a robust patch management strategy that effectively safeguards their critical IACS infrastructure from evolving cyberthreats.
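
The inventory correlation, prioritization and defer-with-monitoring decisions described above can be sketched in Python. This is an added illustration, not code from the article or from Rockwell Automation; the asset names, firmware versions, advisory IDs and the scoring weight are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

DEFER = "defer patch, monitor closely"
NO_FIX = "no vendor patch: rely on compensating controls, monitor"
PATCH = "test in sandbox, then submit to change review board"

@dataclass
class Asset:
    name: str
    product: str
    firmware: tuple    # (major, minor) of the installed firmware
    criticality: int   # 1 (minor) .. 5 (production stops if it fails)
    segmented: bool    # protected by network segmentation and access controls

@dataclass
class Advisory:
    adv_id: str
    product: str
    fixed_in: Optional[tuple]  # None: legacy product, no fix offered
    known_exploit: bool
# Constructed sample data; every name, version and ID is a placeholder.
INVENTORY = [
    Asset("filler-plc-01", "ExamplePLC", (20, 11), 5, False),
    Asset("labeler-hmi-02", "ExampleHMI", (6, 0), 3, True),
    Asset("mixer-plc-legacy", "LegacyPLC", (2, 4), 4, True),
    Asset("palletizer-plc-03", "ExamplePLC", (21, 3), 2, True),  # already fixed
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExamplePLC", (21, 0), True),
    Advisory("ADV-EXAMPLE-002", "ExampleHMI", (6, 2), False),
    Advisory("ADV-EXAMPLE-003", "LegacyPLC", None, False),
]

def decide(asset, adv):
    # Assumed weighting: a known exploit doubles the asset's criticality score.
    score = asset.criticality * (2 if adv.known_exploit else 1)
    if adv.fixed_in is None:
        return score, NO_FIX
    deferrable = asset.segmented and not adv.known_exploit
    return score, DEFER if deferrable else PATCH

def patch_plan(inventory, advisories):
    """Correlate inventory with advisories; return rows sorted by risk score."""
    rows = [(a.name, adv.adv_id, *decide(a, adv))
            for a in inventory for adv in advisories
            if a.product == adv.product
            and (adv.fixed_in is None or a.firmware < adv.fixed_in)]
    return sorted(rows, key=lambda r: -r[2])
```

Calling `patch_plan(INVENTORY, ADVISORIES)` returns one row per affected asset, highest score first, which is the kind of list a change review board would work from.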

Defusing the Ticking Time Bomb

Navigating the complexities of smart manufacturing while maintaining robust cybersecurity requires a proactive and multifaceted approach. By prioritizing effective risk assessments, implementing well-defined patching schedules, and adopting layered security measures, CPG manufacturers can proactively mitigate threats posed by outdated software and build a foundation for secure and resilient operations in the digital age.

Embracing this proactive approach is not just an option, but a necessity to achieve continued success and consumer trust in the ever-evolving CPG industry.

 


The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Endeavor Business Media.
