Microsoft patch management a top-level plant-floor concern
by Staff -- MSI, 11/1/2004
At the security forum held at the recent ISA Expo 2004, one attendee asked, "DCS and SCADA vendors [using Microsoft technology] issue patches only several weeks after Microsoft has done so. Is there anything that can be done to speed up this process?"
In an interview at ISA that same day, Don Richardson, director, Manufacturing Industry Unit, Microsoft, responded as follows:
"This is a real concern that Microsoft, its ISV partners, and users have to work on together. Manufacturers have to wait until the vendor announces support for the patch or they lose vendor system support. Manufacturers also must know with certainty that their applications and the interfaces with other systems still work after the patch is installed. That can take anywhere from a couple of weeks to a couple of months."
This lag is a real problem: in the interim, an attacker can reverse-engineer the issued patch to discover which vulnerability it is meant to fix, then exploit that vulnerability on systems where the patch has not yet been installed.
"Notwithstanding any legal issues, we believe that the fair practice is to release patches to the developer, customer, and user communities simultaneously," continues Richardson. "This unfortunately means that hackers have equal access to this information, so the race is on to install the patches before any vulnerability can be exploited. Users need to urge the ISVs to take the initiative to respond more quickly. Windows XP Service Pack 2 was announced more than a year ago, the beta was available, and guidance was issued. But when released, some ISVs advised against installing it because they said it would 'break applications.' This needn't have been the case."

















