Mike, I take it you are suggesting a redundant CSA. That's a good idea. And redundant host AWs so we can configure a CP when a host AW fails. That's a good idea too. I didn't know these were offered as a redundant solution from Foxboro. Are they?

I think there have always been critical computer components in the I/A architecture, and the Sun boxes proved to be capable of running with long uptimes between reboots. I think the Windows boxes require a bit more maintenance, and I know they require a lot more maintenance reboots. They also require the process control guys to have a maintenance strategy for deploying patches and virus updates. Due to various plant network architectures, it's hard to get a one-size-fits-all solution. While your points are valid about needing to patch, and needing to keep anti-virus up to date, it's added a set of problems for the guys running these systems, and they were pretty busy before moving to Windows.

In open source there is a saying, "given enough eyeballs, all bugs are shallow". I offer my corollary, "all bugs are deep when there aren't enough eyeballs". Maybe a lot of folks out there are whistling past the graveyard, but they haven't been given the time or resources to solve these problems, and until something bad happens, it's going to be difficult for them to get backing from management. Maybe the controls folks need to get their IT dept. involved in the patching arena. In some companies that probably works well. In others, not so much. So without an officially blessed patch and update schedule from Invensys, most will take the path of least resistance and plead ignorance if there is a problem.

Regards,
David

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Toecker
Sent: Tuesday, February 18, 2014 4:00 PM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Win Server Updates

If restarting a server/workstation isn't an option, then you have a larger problem than not being able to patch. If a single system is so critical to your operation that you can't handle any downtime from it, I list that in security assessment reports as a finding that needs fixing. What happens when its power supply dies, or hard drive falls apart, or the caked dust inside finally causes it to overheat and melt? Considering all the varying ways a computer can die that are not cyber security related, having good redundancy is extremely important.

Patching systems is fixing them so that a vulnerability can no longer be exploited. Anti-Virus is great, but it doesn't fix a vulnerability. AV puts in place some measures to try to limit your exposure to a vulnerability, and keep malicious software delivered through that vuln from becoming resident on the system. For instance, the Conficker virus used vulnerability MS08-067 to spread from system to system, by exploiting a specific service. Conficker would then be loaded on the victim, which would then seek to exploit more systems and spread. If you had anti-virus, it might stop Conficker from spreading, but you were still vulnerable to the MS08-067 exploit if another virus were to come along. This is important for control systems, as Conficker was extremely aggressive when scanning, to the point that it could overwhelm a network, especially something like a certain /16 network.

Mike

On Tue, Feb 18, 2014 at 2:49 PM, Solis, Roy <roy.solis@xxxxxxxxxxxx> wrote:
> Also, patching is necessary for all Windows systems. Especially for
> critical or high priority patches. These are usually a result of a
> flaw in the application or service that can result in data exposure or
> remote code execution. These kinds of patches need to be addressed
> immediately or you risk a compromise.
>
> A lot of people don't patch systems because it's too much trouble or
> because they think they are "air-gapped", only to find out they have
> been compromised for months or even years because they had that 1
> historian connection to their DCS and patching was too much trouble.
>
> Just my past experience :)
>
> Roy Solis
> Sr. Security Consultant
> IOM Consulting
> M: (972) 832-5742
>
> -----Original Message-----
> From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
> On Behalf Of Solis, Roy
> Sent: Tuesday, February 18, 2014 2:41 PM
> To: foxboro@xxxxxxxxxxxxx
> Subject: Re: [foxboro] Win Server Updates
>
> With GFI you can deploy the patches and set it to reboot at a later time.
> For compliance, usually patches have to be "evaluated" every 30 days.
> Most customers will patch their systems and delay the reboot until
> either the system can come down for maintenance or there is an outage.
>
> Roy Solis
> Sr. Security Consultant
> IOM Consulting
> M: (972) 832-5742
>
> -----Original Message-----
> From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
> On Behalf Of Brian Long
> Sent: Tuesday, February 18, 2014 2:25 PM
> To: foxboro@xxxxxxxxxxxxx
> Subject: Re: [foxboro] Win Server Updates
>
> How often are servers being "patched"? How can patching be done if
> re-start is not an option? Is "patching" really necessary if servers
> are running with no issues?
>
> Thanks,
> Brian
>
> -----Original Message-----
> From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
> On Behalf Of Coyote Technologies
> Sent: Tuesday, February 18, 2014 2:08 PM
> To: foxboro@xxxxxxxxxxxxx
> Subject: Re: [foxboro] Win Server Updates
>
> Brian,
>
> For AV, I've set up McAfee ePO server for a few sites. Depending on
> where the ePO server is, it needs either access to the internet or
> access to a repository machine on the corporate network that in turn
> has access to the source sites (preferred solution).
>
> The patch solution I've used is GFI Languard (recommended by Invensys).
> That will pick up patches for Windows and most 3rd party applications, e.g.
> Adobe. Same architecture as the AV solution. The patches can be approved
> before installation.
>
> Rick Mol
> Coyote Technologies LLC
> 231.750.6348
>
> -----Original Message-----
> From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
> On Behalf Of Brian Long
> Sent: Monday, February 17, 2014 4:37 PM
> To: foxboro@xxxxxxxxxxxxx
> Subject: [foxboro] Win Server Updates
>
> We are really struggling with how to properly administer Win security
> and virus protection updates. Anyone care to share how to manage this?
>
> Thanks,
>
> Brian Long
>
> _______________________________________________________________________
> This mailing list is neither sponsored nor endorsed by Invensys
> Process Systems (formerly The Foxboro Company). Use the info you
> obtain here at your own risks. Read
> http://www.thecassandraproject.org/disclaimer.html
>
> foxboro mailing list: //www.freelists.org/list/foxboro
> to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
> to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave

--
Michael Toecker
Head Dragon Slayer
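Roy's observation that most sites patch and then defer the reboot, together with the 30-day evaluation window he mentions, points at a state worth auditing across the Windows hosts of an I/A system: a hotfix that is installed but not yet active. The PowerShell audit below is an added example, not code from the thread or from Invensys or GFI; it assumes WinRM access to the target hosts (local host by default) and the standard Windows reboot-pending registry indicators.

```powershell
# Added example, not from the thread: a patch-state audit for Windows I/A hosts.
# It reports the two states the thread discusses: hosts whose latest hotfix is
# older than the 30-day evaluation window, and hosts that were patched but have
# the reboot deferred (the fix is installed but not yet active).
param(
    [string[]]$ComputerName = @(),   # empty = audit the local host
    [int]$MaxPatchAgeDays = 30       # evaluation window from the thread
)

$Audit = {
    param([int]$MaxAgeDays)

    # Reboot indicators left behind by Component Based Servicing, Windows Update
    # and pending file renames; any one of them means a deferred reboot.
    $cbs  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu   = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfro = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $rebootPending = $cbs -or $wu -or [bool]$pfro

    # Get-HotFix only sees QFE entries, so this is a floor on patch age, not the
    # full update history; entries without an install date are skipped.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

    $finding = if ($null -eq $age -or $age -gt $MaxAgeDays) { 'OVERDUE' }
               elseif ($rebootPending)                        { 'PATCHED-NOT-ACTIVE' }
               else                                           { 'OK' }

    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        LastHotFix    = if ($latest) { $latest.HotFixID } else { 'none' }
        InstalledOn   = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { 'n/a' }
        PatchAgeDays  = $age
        RebootPending = $rebootPending
        Finding       = $finding
    }
}

if ($ComputerName.Count -gt 0) {
    # Remote hosts need WinRM enabled; the remoting run adds a PSComputerName column.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $Audit -ArgumentList $MaxPatchAgeDays |
        Select-Object Host, LastHotFix, InstalledOn, PatchAgeDays, RebootPending, Finding |
        Format-Table -AutoSize
} else {
    & $Audit $MaxPatchAgeDays | Format-Table -AutoSize
}
```

A PATCHED-NOT-ACTIVE row is the case Mike's message warns about: the patch is on disk, but until the reboot happens the vulnerable code is still what is running.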