Re: [foxboro] Win Server Updates

  • From: "Johnson, David" <David.Johnson@xxxxxxxxxxxxxxxxxx>
  • To: "foxboro@xxxxxxxxxxxxx" <foxboro@xxxxxxxxxxxxx>
  • Date: Tue, 18 Feb 2014 18:56:07 -0600

Mike,

I take it you are suggesting a redundant CSA.  That's a good idea.  And 
redundant host AWs so we can configure a CP when a host AW fails. That's a good 
idea too.  I didn't know these were offered as a redundant solution from 
Foxboro.  Are they?

I think there have always been critical computer components in the I/A 
architecture, and the Sun boxes proved to be capable of running with long 
uptimes between reboots.  I think the Windows boxes require a bit more 
maintenance, and I know they require a lot more maintenance reboots.  They also 
require the process control guys to have a maintenance strategy for deploying 
patches and virus updates. Due to various plant network architectures, it's 
hard to get a one-size-fits-all solution.

While your points are valid about needing to patch, and needing to keep 
anti-virus up to date, it's added a set of problems for the guys running these 
systems, and they were pretty busy before moving to Windows.  In open source 
there is a saying, "given enough eyeballs, all bugs are shallow".  I offer my 
corollary, "all bugs are deep, when there aren't enough eyeballs".  Maybe a lot 
of folks out there are whistling past the graveyard, but they haven't been 
given the time or resources to solve these problems, and until something bad 
happens, it's going to be difficult for them to get backing from management.

Maybe the controls folks need to get their IT dept. involved in the patching 
arena.  In some companies that probably works well.  In others, not so much.  
So without an officially blessed patch and update schedule from Invensys, most 
will take the path of least resistance and plead ignorance if there is a 
problem.


Regards,
David

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On 
Behalf Of Michael Toecker
Sent: Tuesday, February 18, 2014 4:00 PM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Win Server Updates

If restarting a server/workstation isn't an option, then you have a larger 
problem than not being able to patch. If a single system is so critical to your 
operation that you can't handle any downtime from it, I list that in security 
assessment reports as a finding that needs fixing. What happens when its power 
supply dies, or hard drive falls apart, or the caked dust inside finally causes 
it to overheat and melt? Considering all the varying ways a computer can die 
that are not cyber security related, having good redundancy is extremely 
important.

Patching systems is fixing them so that a vulnerability can no longer be 
exploited. Anti-Virus is great, but it doesn't fix a vulnerability. AV puts in 
place some measures to try to limit your exposure to a vulnerability, and keep 
malicious software delivered through that vuln from becoming resident on the 
system.

For instance, the Conficker virus used vulnerability MS08-067 to spread from 
system to system, by exploiting a specific service. Conficker would then be 
loaded on the victim, which would then seek to exploit more systems and spread. 
If you had anti-virus, it might stop Conficker from spreading, but you were 
still vulnerable to the MS08-067 exploit if another virus were to come along. 
This is important for control systems, as Conficker was extremely aggressive 
when scanning, to the point that it could overwhelm a network, especially 
something like a certain /16 network.

Mike


On Tue, Feb 18, 2014 at 2:49 PM, Solis, Roy <roy.solis@xxxxxxxxxxxx> wrote:

> Also, patching is necessary for all windows systems.  Especially for
> critical or high priority patches.  These are usually a result of a
> flaw in the application or service that can result in data exposure or
> remote code execution.  These kinds of patches need to be addressed
> immediately or you risk a compromise.
>
> A lot of people don't patch systems because it's too much trouble or
> because they think they are "air-gapped" only to find out they have
> been compromised for months or even years because they had that 1
> historian connection to their DCS and patching was too much trouble.
>
> Just my past experience :)
>
> Roy Solis
> Sr. Security Consultant
> IOM Consulting
> M:(972) 832-5742
>
>
> -----Original Message-----
> From: foxboro-bounce@xxxxxxxxxxxxx
> [mailto:foxboro-bounce@xxxxxxxxxxxxx]
> On Behalf Of Solis, Roy
> Sent: Tuesday, February 18, 2014 2:41 PM
> To: foxboro@xxxxxxxxxxxxx
> Subject: Re: [foxboro] Win Server Updates
>
> With GFI you can deploy the patches and set it to reboot at a later time.
> For compliance, usually patches have to be "evaluated" every 30 days.
> Most customers will patch their systems and delay the reboot until
> either the system can come down for maintenance or there is an outage.
>
> Roy Solis
> Sr. Security Consultant
> IOM Consulting
> M:(972) 832-5742
>
>
> -----Original Message-----
> From: foxboro-bounce@xxxxxxxxxxxxx
> [mailto:foxboro-bounce@xxxxxxxxxxxxx]
> On Behalf Of Brian Long
> Sent: Tuesday, February 18, 2014 2:25 PM
> To: foxboro@xxxxxxxxxxxxx
> Subject: Re: [foxboro] Win Server Updates
>
> How often are servers being "patched"?  How can patching be done if
> re-start is not an option?  Is "patching" really necessary if servers
> are running with no issues?
>
> Thanks,
> Brian
>
> -----Original Message-----
> From: foxboro-bounce@xxxxxxxxxxxxx
> [mailto:foxboro-bounce@xxxxxxxxxxxxx]
> On Behalf Of Coyote Technologies
> Sent: Tuesday, February 18, 2014 2:08 PM
> To: foxboro@xxxxxxxxxxxxx
> Subject: Re: [foxboro] Win Server Updates
>
> Brian,
>
> For AV, I've set up McAfee ePO server for a few sites.  Depending on
> where the ePO server is, it needs either access to the internet or
> access to a repository machine on the corporate network that in turn
> has access to the source sites (preferred solution).
>
> The patch solution I've used is GFI LanGuard (recommended by Invensys).
> That will pick up patches for Windows and most 3rd party applications e.g.
> Adobe.  Same architecture as the AV solution.  The patches can be
> approved before installation.
>
>
> Rick Mol
> Coyote Technologies LLC
> 231.750.6348
>
>
>
> -----Original Message-----
> From: foxboro-bounce@xxxxxxxxxxxxx
> [mailto:foxboro-bounce@xxxxxxxxxxxxx]
> On Behalf Of Brian Long
> Sent: Monday, February 17, 2014 4:37 PM
> To: foxboro@xxxxxxxxxxxxx
> Subject: [foxboro] Win Server Updates
>
> We are really struggling with how to properly administer Win security
> and virus protection updates.  Anyone care to share how to manage this?
>
>
> Thanks,
>
> Brian Long
>
>
>
>
> ______________________________________________________________________
> _ This mailing list is neither sponsored nor endorsed by Invensys
> Process Systems (formerly The Foxboro Company). Use the info you
> obtain here at your own risks. Read
> http://www.thecassandraproject.org/disclaimer.html
>
> foxboro mailing list:             //www.freelists.org/list/foxboro
> to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
> to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
>
>
>
>
>
> *** Confidentiality Notice: This e-mail, including any associated or
> attached files, is intended solely for the individual or entity to
> which it is addressed. This e-mail is confidential and may well also
> be legally privileged. If you have received it in error, you are on
> notice of its status. Please notify the sender immediately by reply
> e-mail and then delete this message from your system. Please do not
> copy it or use it for any purposes, or disclose its contents to any
> other person. This email comes from a division of the Invensys Group,
> owned by Invensys plc, which is a company registered in England and
> Wales with its registered office at 3rd Floor, 40 Grosvenor Place, London, 
> SW1X 7AW (Registered number 166023).
> For a list of European legal entities within the Invensys Group,
> please select the Legal Entities link at invensys.com. Invensys PLC is
> owned by the Schneider-Electric Group.
> You may contact Invensys plc on +44 (0)20 3155 1200 or e-mail
> reception@xxxxxxxxxxxx. This e-mail and any attachments thereto may be
> subject to the terms of any agreements between Invensys (and/or its
> subsidiaries and affiliates) and the recipient (and/or its
> subsidiaries and affiliates).
>
>
>
>
>
>


--

Michael Toecker
Head Dragon Slayer





Confidentiality Notice:

The information contained in this message is private and confidential.  This 
information is intended only for  the individual or entity named above.  If the 
reader of this message is not the intended recipient, you are hereby notified 
that any use, review, dissemination, distribution, copying or action taken 
based on this message or its attachments, if any, is strictly prohibited.  If 
you are not the intended recipient, please contact the sender by reply email 
and delete or destroy all copies of this message and any attachments.  Thank 
you.
 
 