A new way to manage updates and patches

As an operator of production facilities or critical infrastructure, your highest priority is to keep your equipment up and running. However, this can be put at risk when new components, updates or patches are added. This article looks at how you can automate and easily integrate these components with the ondeso platform.


It is recommended that you use basic systems according to the component manufacturer’s specifications, in order to ensure your equipment has stable operating conditions. But it is also important to keep systems up to date during operation, for example, when security updates have to be distributed. Classic IT tools such as the Windows Server Update Service (WSUS) usually do not sufficiently cover OT components and they are not necessarily known for their ease of use. In line with our motto, “there has to be an easier way”, COPA-DATA and our partner ondeso are providing new options in this area.

Take stock of the situation
What’s the best way to approach an OT infrastructure maintenance project? First, assess the current situation and carry out an infrastructure analysis (see the “Brownfield” article in IU37). The goal is to get a complete overview of all the OT components, including their condition, their purpose and locations. This step often turns out to be very time-consuming because brownfield applications are often not so well documented. At this point, the ondeso platform can come into play and help you. With its integrated functionality for network scans, the platform is designed to analyze micro-segmented production networks.

You can also control the active and passive detection tools to ensure the scans are compatible with the components of the OT network. You should repeat these scans regularly to ensure inventory data is updated and maintained. You have to be able to detect changes promptly so that you can react to new risks – for example, a new device being connected to a system.

Automatic compatibility check
Now that you have a better understanding of your infrastructure, how can you exploit the full potential of the ondeso distribution platform using zenon tools? In principle, there are several scenarios. Some present you with major challenges but they can be optimized in practice. We’ll now share some ideas on how you can simplify this complex process.

Software component manufacturers typically provide information with their products about certain minimum requirements. Support and service are often guaranteed only if the existing systems meet these requirements.

As an equipment operator, particularly for brownfield applications, you are automatically faced with the following question: can my environments run smoothly with the new components? The ease with which you can now answer this reveals the potential of a zenon-ondeso solution. By sharing information between the two platforms, system operators can, for the first time, carry out an automated compatibility check for existing components at the push of a button.

Next up – the distribution step
Having confirmed compatibility, it’s likely you want to distribute one or more zenon components to all the relevant end devices using tools prepared centrally. You can plan the activities centrally and they can be carried out either centrally or locally, for example, by the user. That might sound easy, but the devil is in the detail.

Different components have different requirements. There may be multiple components from third-party manufacturers that are required on the target systems. These components can, but do not have to, come from COPA-DATA. In the case of a web-based dashboard, for example, a web server is required. You can manage and configure these complex distribution processes using the ondeso platform, provided the installation steps are carried out in the correct order. In addition, you can back up the status quo automatically so that you can return to a defined initial state at any time – useful if an error occurs.

The idea of COPA-DATA and ondeso
After initial system startup, operators face the next major challenge: maintenance and patch management for existing systems. This topic is increasingly becoming the focus of process owners, since almost every week we read about attacks on industrial systems.

Patching complex OT systems in an uncoordinated manner involves a high risk of causing unplanned downtime. COPA-DATA and ondeso have, therefore, independently taken up an idea from IEC 62443, the international series of standards for IT security. Both companies, as manufacturers of components, will in the future actively provide information about patches in a standardized format, particularly patch releases for components from third-party manufacturers. This is intended to make patching processes easier and more reliable.

There must be an easier way
In fact, IEC 62443 makes it possible to package this type of information in a standardized XML format such as, for example, the release of a Windows patch for a specific zenon product in a specific version. On the other side stands the ondeso distribution environment. It is able to automatically import this information. Necessary, approved patches – whether from COPA-DATA or a third-party manufacturer – are detected automatically and, if necessary, retrieved automatically, distributed and installed, taking into account maintenance windows.
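The two mechanisms described in this article, the automated compatibility check against a component's minimum requirements and the import of supplier-provided patch release information with distribution inside a maintenance window, can be illustrated together. The following Python script is an added example and is not code from COPA-DATA, ondeso or IEC 62443: the XML layout, the product name "ExampleHMI", the patch identifiers, the hosts and the maintenance window are all constructed for this illustration and do not reproduce the real exchange format. It parses a constructed supplier statement, classifies each listed patch per device as installed, required, blocked or unknown, and only plans a distribution when the current time falls inside the maintenance window.

```python
"""Match supplier patch-release information against an OT inventory.

Added illustration, not ondeso/COPA-DATA code. The XML layout, product
names, patch identifiers and hosts are constructed for this example and
are not the real IEC 62443 exchange format.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
import xml.etree.ElementTree as ET

# Constructed supplier statement: for one product, which OS patches are
# approved (or explicitly not approved) for which product versions.
PATCH_RELEASE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<patchRelease supplier="ExampleSupplier" issued="2024-03-01">
  <product name="ExampleHMI">
    <patch id="KB-0001" os="Windows 10" severity="critical">
      <approvedFor minVersion="10.0" maxVersion="11.9"/>
    </patch>
    <patch id="KB-0002" os="Windows 10" severity="moderate">
      <approvedFor minVersion="11.0" maxVersion="11.9"/>
    </patch>
    <patch id="KB-0003" os="Windows 10" severity="critical">
      <notApprovedFor minVersion="10.0" maxVersion="10.9"
                      reason="breaks the runtime service"/>
    </patch>
  </product>
</patchRelease>
"""


@dataclass
class Device:
    host: str
    os: str
    product: str
    version: str
    installed: set = field(default_factory=set)  # patch ids already present


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def in_range(version, low, high):
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def parse_patch_release(xml_text):
    """Return {product name: [patch record, ...]} from the constructed XML."""
    root = ET.fromstring(xml_text)
    release = {}
    for product in root.findall("product"):
        records = []
        for patch in product.findall("patch"):
            records.append({
                "id": patch.get("id"),
                "os": patch.get("os"),
                "severity": patch.get("severity"),
                "approved": [(a.get("minVersion"), a.get("maxVersion"))
                             for a in patch.findall("approvedFor")],
                "blocked": [(b.get("minVersion"), b.get("maxVersion"))
                            for b in patch.findall("notApprovedFor")],
            })
        release[product.get("name")] = records
    return release


def evaluate_device(device, release):
    """Classify every patch the supplier lists for this device's product.

    'installed': already present; 'blocked': supplier explicitly says no;
    'required': approved for this version and missing; 'unknown': no
    supplier statement for this version, so never distributed automatically.
    """
    result = {}
    for patch in release.get(device.product, []):
        if patch["os"] != device.os:
            continue  # compatibility check: patch is for another platform
        if patch["id"] in device.installed:
            status = "installed"
        elif any(in_range(device.version, lo, hi) for lo, hi in patch["blocked"]):
            status = "blocked"
        elif any(in_range(device.version, lo, hi) for lo, hi in patch["approved"]):
            status = "required"
        else:
            status = "unknown"
        result[patch["id"]] = status
    return result


def in_maintenance_window(now, start, end):
    """True if the clock time of `now` lies in [start, end); handles windows past midnight."""
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def plan_distribution(devices, release, now, start=time(22, 0), end=time(4, 0)):
    """Patch ids to push per host, produced only inside the maintenance window."""
    if not in_maintenance_window(now, start, end):
        return {}
    plan = {}
    for device in devices:
        required = sorted(pid for pid, status in evaluate_device(device, release).items()
                          if status == "required")
        if required:
            plan[device.host] = required
    return plan


if __name__ == "__main__":
    release = parse_patch_release(PATCH_RELEASE_XML)
    fleet = [  # constructed inventory, as a network scan might produce it
        Device("hmi-01", "Windows 10", "ExampleHMI", "11.2", {"KB-0001"}),
        Device("hmi-02", "Windows 10", "ExampleHMI", "10.4"),
    ]
    for device in fleet:
        print(device.host, evaluate_device(device, release))
    print(plan_distribution(fleet, release, datetime(2024, 3, 2, 23, 30)))
```

The deliberate design choice is that a patch with no supplier statement for the installed version is reported as "unknown" rather than treated as approved, so an automated run only distributes what has explicitly been released for that version, and a patch the supplier has marked as not approved is held back even when it is rated critical.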

If you look at the entire process chain required – which covers the professional maintenance of sometimes complex industrial facilities – the potential of integration between the two worlds becomes apparent. The standardized exchange of information allows you to significantly simplify and accelerate these processes. This is in the spirit of IEC 62443 – and is, above all, in line with the COPA-DATA motto “there must be an easier way”.