SlideShare a Scribd company logo

What to Do When You Don’t Know What to Do: Control System Patching Problems and Their Solutions

Download as PPT, PDF
EnergySec, profile picture
EnergySec

The document outlines various strategies and tools for managing control system patching, including identifying and installing security patches, verifying successful installations, and troubleshooting patch failures. It emphasizes the importance of having adequate disk space and provides specific recommendations for managing updates in air-gapped environments. Additionally, it offers guidance on validation checklists and processes for maintaining antivirus signature updates.

Technology
Related topics:
Industrial Control Systems
1 of 26
Downloaded 15 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
FoxGuard Solutions 1 Monta Elkins Security Architect -- FoxGuard Solutions www.FoxGuardSolutions.com What to do when you don’t know what to do: Control system patching problems and their solutions
Installed Software FoxGuard Solutions 2 Windows Control Panel – Programs and Features
Installed Software FoxGuard Solutions 3 This powershell command shows the installed software: Get-WmiObject win32_product | Select-Object Name,Vendor,Version
Finding Patches Patch Tuesday FoxGuard Solutions 4
Identifying Patches FoxGuard Solutions 5
Air-gapped FoxGuard Solutions 6 update the wsusscn2.cab manually it usually resides in C:UsersusernameAppDataLocalMicrosoftMBSACachewsu sscn2.cab download the cab file from here and “carry it” http://download.windowsupdate.com/microsoftupdate/v6/wsus scan/wsusscn2.cab Now use MBSA to identify patches
Identifying Patches FoxGuard Solutions 7 CLI options: From the mbsa program folder (c:Program FilesMicrosoft Baseline Security Analyzer) Execute Mbsacli >results.txt
Which are Security Patches FoxGuard Solutions 8
Security Patches FoxGuard Solutions 9
A Patch List FoxGuard Solutions 10 Manually download and carry patches from the final list and install them
Another Approach FoxGuard Solutions 11 Discovering Patches and Downloading them Virtual Environment Approach: Setup virtual machines containing all software identified on your systems, (but not configuration information) Connect virtual machines to the Internet Scan to identify and download appropriate patches Hand carry the validated patches to air gapped machines
Installed Updates FoxGuard Solutions 12
Another Method to Verify Patch Installation FoxGuard Solutions 13 Powershell: Get-WmiObject -Class "win32_quickfixengineering"
Windows Update History FoxGuard Solutions 14
Verifying Patch Installation FoxGuard Solutions 15
Watch for Disk Space Issues Patches will not install if there is not enough disk space. Recommendation: Have at minimum 1 Gigabyte free storage space Troubleshooting FoxGuard Solutions 16
Patch Failure FoxGuard Solutions 17 Microsoft Patch fails to install System Update Readiness Tool “The System Update Readiness Tool can help fix problems that might prevent Windows updates and service packs from installing If your computer is having problems installing an update or a service pack, download and install the tool, which runs automatically. Then, try installing the update or service pack again.”
Missing Patches FoxGuard Solutions 18 Detection Issue: Update KB2645410 for Windows 7 and Windows Server 2008 R2 Historians. Update for Microsoft Visual Studio 2010 Service Pack 1. This update may be required but is not detected by Shavlik (vCenter) Protect. Corrective Action: FoxGuard Solutions recommends that you manually deploy update KB2645410 on all Windows 7 and Windows Server 2008 R2 Historians
FoxGuard Solutions Technical Information Notice Notice#:20140312-01 Notice Title: AVG Virus Warning Reason for Notice: After applying the AVG Anti-Virus 2013 updates from the M1 2014 release the virus “VBS/Downloader.Agent” was found on the system. FoxGuard Solutions has confirmed the two files referenced are automated manufacturing process artifacts used during the HMI manufacturing process that were not removed prior to the system being shipped from the factory. AV Signature Updates Can Cause Problems FoxGuard Solutions 19
The script is used to temporarily turn off User Account Control (UAC) so that manufacturing automation tools can run successfully on the system. FoxGuard Solutions has determined that these scripts are not infected files, but they do contain code that triggers AVG to flag them as a virus. Specifically, the following code is flagged by AVG: If WScript.Arguments.length = 0 Then Set objShell = CreateObject("Shell.Application") objShell.ShellExecute "wscript.exe", Chr(34) & _ WScript.ScriptFullName & Chr(34) & " uac", "", "runas", 1 Else This is effectively equivalent to right-clicking an application and choosing “Run as administrator”. This is a common practice with scripts that require UAC elevation to execute properly, earlier releases did not flag these files as malware. AV Trigger Details FoxGuard Solutions 20
Validation Checklists & Signoffs FoxGuard Solutions 21 Have a set of validation checklists to verify operations after patching. Include testing signoff for record keeping
AV & IDS Signatures FoxGuard Solutions 22 CIP 007-3 R4.2. The Responsible Entity shall document and implement a process for the update of anti-virus and malware prevention “signatures.” The process must address installing and testing the signatures. Use a “virus test file” "EICAR Standard Anti-Virus Test File“ 68 bytes And a “malicious network traffic” file
Ports and Services FoxGuard Solutions 23 Logical Network Accessible Ports – What are they? – Listening ports – Document need • What is it? • Why is it needed? • On this particular device – Or Shut it off • Host based firewall mitigation – RPC port changes – MS DNS 2501 (MS improper docs) – Every 35 days (and patching / updates 010-1) Centralized Ports and Services Auditor (CPSA) White Paper FoxGuardSolutions.com
Improper Documentation for DNS FoxGuard Solutions 24 DNS documentation from Microsoft could cause you to fail an audit We received this acknowledgement of our findings
Test Lab and Rollout FoxGuard Solutions 25 Validation lab equipment should closely mirror production equipment Where direct mirroring isn’t practical, be sure to include a superset of all installed software. Now do it “for real” Use phased rollout approach: •Test lab •Less critical machines •More critical machines •Patch •Verify •Validate •Backup
FoxGuard Patching and Validation Services FoxGuard Solutions 26 FoxGuard Solutions' DisPatch subscriptions provide validated patches and updates plus documentation on a monthly basis. To learn how FoxGuard Solutions can help you with patch and update validation, contact us at requestinfo@foxguardsolutions.com, or by calling 877-446-4732.

More Related Content

PPT
Open Platform for ICS Cybersecurity Research and Education
EnergySec
 
PPTX
Lessons Learned for a Behavior-Based IDS in the Energy Sector
EnergySec
 
PDF
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
PPSX
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
Byres Security Inc.
 
PPTX
Integrating the Alphabet Soup of Standards
Jim Gilsinn
 
PPT
DHS ICS Security Presentation
guest85a34f
 
PPTX
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Honeywell
 
PPTX
IEC and cyber security (June 2018)
International Electrotechnical Commission (IEC)
 
Open Platform for ICS Cybersecurity Research and Education
EnergySec
 
Lessons Learned for a Behavior-Based IDS in the Energy Sector
EnergySec
 
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
Byres Security Inc.
 
Integrating the Alphabet Soup of Standards
Jim Gilsinn
 
DHS ICS Security Presentation
guest85a34f
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Honeywell
 
IEC and cyber security (June 2018)
International Electrotechnical Commission (IEC)
 

What's hot (20)

PPTX
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Jim Gilsinn
 
PDF
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
PPTX
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Jim Gilsinn
 
PDF
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Honeywell
 
PPTX
Third Party Security Testing for Advanced Metering Infrastructure Program
EnergySec
 
PDF
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 
PDF
Monitoring ICS Communications
Digital Bond
 
PPTX
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
PPTX
Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...
promediakw
 
PDF
S4xJapan Closing Keynote
Digital Bond
 
PDF
Securing Critical Iot Infrastructure, IoT Israel 2014
iotisrael
 
PPTX
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Jim Gilsinn
 
PDF
Effective Network Security Against Cyber Threats - Network Segmentation Techn...
Jiunn-Jer Sun
 
PDF
Nist 800 82 ICS Security Auditing Framework
MarcoAfzali
 
PPTX
Scada security presentation by Stephen Miller
AVEVA
 
PDF
Securing SCADA
Jeffrey Wang , P.Eng
 
PDF
API Training 10 Nov 2014
Digital Bond
 
PPTX
Practical Approaches to Securely Integrating Business and Production
Jim Gilsinn
 
PPTX
Using Assessment Tools on ICS (English)
Digital Bond
 
PPTX
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Jim Gilsinn
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Jim Gilsinn
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Honeywell
 
Third Party Security Testing for Advanced Metering Infrastructure Program
EnergySec
 
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 
Monitoring ICS Communications
Digital Bond
 
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...
promediakw
 
S4xJapan Closing Keynote
Digital Bond
 
Securing Critical Iot Infrastructure, IoT Israel 2014
iotisrael
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Jim Gilsinn
 
Effective Network Security Against Cyber Threats - Network Segmentation Techn...
Jiunn-Jer Sun
 
Nist 800 82 ICS Security Auditing Framework
MarcoAfzali
 
Scada security presentation by Stephen Miller
AVEVA
 
Securing SCADA
Jeffrey Wang , P.Eng
 
API Training 10 Nov 2014
Digital Bond
 
Practical Approaches to Securely Integrating Business and Production
Jim Gilsinn
 
Using Assessment Tools on ICS (English)
Digital Bond
 
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
Ad

Viewers also liked (10)

PPT
1.Security Overview And Patching
phanleson
 
PPTX
Bil Harmer - Myths of Cloud Security Debunked!
centralohioissa
 
PPT
IT Security for the Physical Security Professional
ciso_insights
 
PDF
Web Application Security Statistics Report 2016
Jeremiah Grossman
 
PPTX
Matt carroll - "Security patching system packages is fun" said no-one ever
DevSecCon
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
PDF
7 cyber security questions for boards
Paul McGillicuddy
 
PPTX
Cyber security presentation
Bijay Bhandari
 
PDF
10 Steps to Building an Effective Vulnerability Management Program
BeyondTrust
 
PPTX
Cyber crime and security ppt
Lipsita Behera
 
1.Security Overview And Patching
phanleson
 
Bil Harmer - Myths of Cloud Security Debunked!
centralohioissa
 
IT Security for the Physical Security Professional
ciso_insights
 
Web Application Security Statistics Report 2016
Jeremiah Grossman
 
Matt carroll - "Security patching system packages is fun" said no-one ever
DevSecCon
 
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
7 cyber security questions for boards
Paul McGillicuddy
 
Cyber security presentation
Bijay Bhandari
 
10 Steps to Building an Effective Vulnerability Management Program
BeyondTrust
 
Cyber crime and security ppt
Lipsita Behera
 
Ad

Similar to What to Do When You Don’t Know What to Do: Control System Patching Problems and Their Solutions (20)

PDF
1.3. (In)security Software
defconmoscow
 
PDF
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld
 
PPTX
Patch Tuesday Analysis - July 2015
Ivanti
 
PPTX
Transforming your Security Products at the Endpoint
Ivanti
 
PDF
AV-Comparatives’ 2017 business software review
Jermund Ottermo
 
PDF
Abelssoft Easy Firewall 2024 v2.0.49084 PC Software – WhizzNews.pdf
Eman Nisar
 
DOCX
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
eugeniadean34240
 
PDF
CYBERSECURITY PROCESSES & TECHNOLOGIES LAB #2: MANAGING HOST BASED SECURITY
ViscolKanady
 
PDF
Qradar IBM - WinCollect_OpenMic_Sept2018.pdf
hieunn131
 
PDF
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
PPTX
Using SCCM 2012 r2 to Patch Linux, UNIX and Macs
Lumension
 
PDF
White Paper - Are antivirus solutions enough to protect industrial plants?
TI Safe
 
PDF
Veracode Integration Adapter - Datasheet
Kovair
 
DOCX
Project Penetration Testing Report(20 Points)Scenario.docx
simonlbentley59018
 
PPTX
November Patch Tuesday Analysis
Ivanti
 
PDF
Power edge carbonblack-security-0322Secure your workloads running on VMs and ...
Principled Technologies
 
DOC
Oracle Audit vault
uzzal basak
 
PDF
VMworld 2013: Security Automation Workflows with NSX
VMworld
 
PPTX
Best free tools for w d a
Concentrated Technology
 
PPTX
Best free tools for win database admin
Concentrated Technology
 
1.3. (In)security Software
defconmoscow
 
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld
 
Patch Tuesday Analysis - July 2015
Ivanti
 
Transforming your Security Products at the Endpoint
Ivanti
 
AV-Comparatives’ 2017 business software review
Jermund Ottermo
 
Abelssoft Easy Firewall 2024 v2.0.49084 PC Software – WhizzNews.pdf
Eman Nisar
 
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
eugeniadean34240
 
CYBERSECURITY PROCESSES & TECHNOLOGIES LAB #2: MANAGING HOST BASED SECURITY
ViscolKanady
 
Qradar IBM - WinCollect_OpenMic_Sept2018.pdf
hieunn131
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
Using SCCM 2012 r2 to Patch Linux, UNIX and Macs
Lumension
 
White Paper - Are antivirus solutions enough to protect industrial plants?
TI Safe
 
Veracode Integration Adapter - Datasheet
Kovair
 
Project Penetration Testing Report(20 Points)Scenario.docx
simonlbentley59018
 
November Patch Tuesday Analysis
Ivanti
 
Power edge carbonblack-security-0322Secure your workloads running on VMs and ...
Principled Technologies
 
Oracle Audit vault
uzzal basak
 
VMworld 2013: Security Automation Workflows with NSX
VMworld
 
Best free tools for w d a
Concentrated Technology
 
Best free tools for win database admin
Concentrated Technology
 

More from EnergySec (20)

PDF
Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
EnergySec
 
PDF
Slide Griffin - Practical Attacks and Mitigations
EnergySec
 
PDF
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
EnergySec
 
PPTX
Jack Whitsitt - Yours, Anecdotally
EnergySec
 
PPTX
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
EnergySec
 
PDF
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
EnergySec
 
PPTX
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
EnergySec
 
PPTX
Explore the Implicit Requirements of the NERC CIP RSAWs
EnergySec
 
PDF
Wireless Sensor Networks: Nothing is Out of Reach
EnergySec
 
PDF
Please, Come and Hack my SCADA System!
EnergySec
 
PDF
Unidirectional Network Architectures
EnergySec
 
PPTX
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
EnergySec
 
PDF
Industrial Technology Trajectory: Running With Scissors
EnergySec
 
PPT
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
EnergySec
 
PPTX
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
EnergySec
 
PDF
Where Cyber Security Meets Operational Value
EnergySec
 
PPTX
Where Are All The ICS Attacks?
EnergySec
 
PPT
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
EnergySec
 
PPT
Industry Reliability and Security Standards Working Together
EnergySec
 
PPT
What the Department of Defense and Energy Sector Can Learn from Each Other
EnergySec
 
Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
EnergySec
 
Slide Griffin - Practical Attacks and Mitigations
EnergySec
 
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
EnergySec
 
Jack Whitsitt - Yours, Anecdotally
EnergySec
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
EnergySec
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
EnergySec
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
EnergySec
 
Explore the Implicit Requirements of the NERC CIP RSAWs
EnergySec
 
Wireless Sensor Networks: Nothing is Out of Reach
EnergySec
 
Please, Come and Hack my SCADA System!
EnergySec
 
Unidirectional Network Architectures
EnergySec
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
EnergySec
 
Industrial Technology Trajectory: Running With Scissors
EnergySec
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
EnergySec
 
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
EnergySec
 
Where Cyber Security Meets Operational Value
EnergySec
 
Where Are All The ICS Attacks?
EnergySec
 
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
EnergySec
 
Industry Reliability and Security Standards Working Together
EnergySec
 
What the Department of Defense and Energy Sector Can Learn from Each Other
EnergySec
 

Recently uploaded (20)

PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Sensors and Actuators in IoT Systems using pdf
jeffinmathew654
 
PDF
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
PDF
Transforming Manufacturing operations through Intelligent Integrations
TGH Software Solutions Pvt. Ltd.
 
PDF
CIFDAQ's Market Wrap: Ethereum Leads, Bitcoin Lags, Institutions Shift
CIFDAQ
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
madgavkar20181017ppt McKinsey Presentation.pdf
georgschmitzdoerner
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Advanced IT Governance
University of Hertfordshire
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Sensors and Actuators in IoT Systems using pdf
jeffinmathew654
 
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
Transforming Manufacturing operations through Intelligent Integrations
TGH Software Solutions Pvt. Ltd.
 
CIFDAQ's Market Wrap: Ethereum Leads, Bitcoin Lags, Institutions Shift
CIFDAQ
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
madgavkar20181017ppt McKinsey Presentation.pdf
georgschmitzdoerner
 
Teaching material agriculture food technology
LiaRayya
 
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Advanced IT Governance
University of Hertfordshire
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Cloud computing and distributed systems.
kkkkkhan
 

What to Do When You Don’t Know What to Do: Control System Patching Problems and Their Solutions

  • 1. FoxGuard Solutions 1 Monta Elkins Security Architect -- FoxGuard Solutions www.FoxGuardSolutions.com What to do when you don’t know what to do: Control system patching problems and their solutions
  • 2. Installed Software FoxGuard Solutions 2 Windows Control Panel – Programs and Features
  • 3. Installed Software FoxGuard Solutions 3 This powershell command shows the installed software: Get-WmiObject win32_product | Select-Object Name,Vendor,Version
  • 6. Air-gapped FoxGuard Solutions 6 update the wsusscn2.cab manually it usually resides in C:UsersusernameAppDataLocalMicrosoftMBSACachewsu sscn2.cab download the cab file from here and “carry it” http://download.windowsupdate.com/microsoftupdate/v6/wsus scan/wsusscn2.cab Now use MBSA to identify patches
  • 7. Identifying Patches FoxGuard Solutions 7 CLI options: From the mbsa program folder (c:Program FilesMicrosoft Baseline Security Analyzer) Execute Mbsacli >results.txt
  • 8. Which are Security Patches FoxGuard Solutions 8
  • 10. A Patch List FoxGuard Solutions 10 Manually download and carry patches from the final list and install them
  • 11. Another Approach FoxGuard Solutions 11 Discovering Patches and Downloading them Virtual Environment Approach: Setup virtual machines containing all software identified on your systems, (but not configuration information) Connect virtual machines to the Internet Scan to identify and download appropriate patches Hand carry the validated patches to air gapped machines
  • 13. Another Method to Verify Patch Installation FoxGuard Solutions 13 Powershell: Get-WmiObject -Class "win32_quickfixengineering"
  • 16. Watch for Disk Space Issues Patches will not install if there is not enough disk space. Recommendation: Have at minimum 1 Gigabyte free storage space Troubleshooting FoxGuard Solutions 16
  • 17. Patch Failure FoxGuard Solutions 17 Microsoft Patch fails to install System Update Readiness Tool “The System Update Readiness Tool can help fix problems that might prevent Windows updates and service packs from installing If your computer is having problems installing an update or a service pack, download and install the tool, which runs automatically. Then, try installing the update or service pack again.”
  • 18. Missing Patches FoxGuard Solutions 18 Detection Issue: Update KB2645410 for Windows 7 and Windows Server 2008 R2 Historians. Update for Microsoft Visual Studio 2010 Service Pack 1. This update may be required but is not detected by Shavlik (vCenter) Protect. Corrective Action: FoxGuard Solutions recommends that you manually deploy update KB2645410 on all Windows 7 and Windows Server 2008 R2 Historians
  • 19. FoxGuard Solutions Technical Information Notice Notice#:20140312-01 Notice Title: AVG Virus Warning Reason for Notice: After applying the AVG Anti-Virus 2013 updates from the M1 2014 release the virus “VBS/Downloader.Agent” was found on the system. FoxGuard Solutions has confirmed the two files referenced are automated manufacturing process artifacts used during the HMI manufacturing process that were not removed prior to the system being shipped from the factory. AV Signature Updates Can Cause Problems FoxGuard Solutions 19
  • 20. The script is used to temporarily turn off User Account Control (UAC) so that manufacturing automation tools can run successfully on the system. FoxGuard Solutions has determined that these scripts are not infected files, but they do contain code that triggers AVG to flag them as a virus. Specifically, the following code is flagged by AVG: If WScript.Arguments.length = 0 Then Set objShell = CreateObject("Shell.Application") objShell.ShellExecute "wscript.exe", Chr(34) & _ WScript.ScriptFullName & Chr(34) & " uac", "", "runas", 1 Else This is effectively equivalent to right-clicking an application and choosing “Run as administrator”. This is a common practice with scripts that require UAC elevation to execute properly, earlier releases did not flag these files as malware. AV Trigger Details FoxGuard Solutions 20
  • 21. Validation Checklists & Signoffs FoxGuard Solutions 21 Have a set of validation checklists to verify operations after patching. Include testing signoff for record keeping
  • 22. AV & IDS Signatures FoxGuard Solutions 22 CIP 007-3 R4.2. The Responsible Entity shall document and implement a process for the update of anti-virus and malware prevention “signatures.” The process must address installing and testing the signatures. Use a “virus test file” "EICAR Standard Anti-Virus Test File“ 68 bytes And a “malicious network traffic” file
  • 23. Ports and Services FoxGuard Solutions 23 Logical Network Accessible Ports – What are they? – Listening ports – Document need • What is it? • Why is it needed? • On this particular device – Or Shut it off • Host based firewall mitigation – RPC port changes – MS DNS 2501 (MS improper docs) – Every 35 days (and patching / updates 010-1) Centralized Ports and Services Auditor (CPSA) White Paper FoxGuardSolutions.com
  • 24. Improper Documentation for DNS FoxGuard Solutions 24 DNS documentation from Microsoft could cause you to fail an audit We received this acknowledgement of our findings
  • 25. Test Lab and Rollout FoxGuard Solutions 25 Validation lab equipment should closely mirror production equipment Where direct mirroring isn’t practical, be sure to include a superset of all installed software. Now do it “for real” Use phased rollout approach: •Test lab •Less critical machines •More critical machines •Patch •Verify •Validate •Backup
  • 26. FoxGuard Patching and Validation Services FoxGuard Solutions 26 FoxGuard Solutions' DisPatch subscriptions provide validated patches and updates plus documentation on a monthly basis. To learn how FoxGuard Solutions can help you with patch and update validation, contact us at [email protected], or by calling 877-446-4732.