Security Patch Management
and MSMUG
Thursday Morning, Feb 7th
Bill Cotter, 3M
MsMUG
Today’s Structure
• Consumer and Office Business
• Display and Graphics Business
• Electro and Communications Business
• Health Care Business
• Industrial and Transportation Business
• Safety, Security and Protective Services Business
© 3M 2004 All Rights Reserved
3M Facts
Year End 2006
Sales
• Worldwide ….. $22.9 billion
• International (61% of total) ….. $14.1 billion
Employees
• Worldwide ….. 75,333
• United States ….. 34,533
Earnings
• Net income – reported ….. $3.85 billion
Products
• Number of Products ….. 55,000 +
• Sales Offices ….. 169 Locations
• Plant Locations ….. 145 Locations
R&D Expenditures
• For 2006 ….. $1.5 billion
Security Patch Management
Bill Cotter, 3M
What is it we are talking about?
• Why 3M is interested in Patch Management
• What is MsMUG
• SP99 or who is running this show?
• What Vendors are doing
• Plans and goals
• What is MsMUG/ISA99 doing
What are we talking about?
Microsoft Security Bulletins
• Mostly monthly releases
• Patch Tuesday
• Key word is – Security
How do we expect our vendors to respond?
How do we users respond?
Cost Estimate
How much is this costing you?
• You tell me
• Security: Good patch management and other best practices can significantly reduce shutdowns due to viruses/worms
• $5M to $20M/year for large corporations
• $1M to $5M/year for smaller companies
From SANS/Secunia 1/9/2008:
• 5% of 20,000 machines fully patched
• 40% of machines had 11 or more unsecured applications
Why does 3M Care?
We are one of the large companies
• so we are talking $$$
We have many different systems in service
• Reviewing each patch with each takes time
IT management wants Critical patches applied quickly
Quick History of MsMUG
Microsoft Manufacturing User Group
• User group devoted to addressing opportunities when applying Microsoft technology to industrial applications
• Formed in February 1999
• 300 members
• Users
• Software suppliers
• Microsoft
How do you Benefit – It is all about YOU
Leverage user community, key suppliers & Microsoft to address:
• Reliable system: Better ROI
• Security: Supporting & e-Productivity efforts
• Longevity of OS: Deferred capital spending
• Best Practices: Easy to support systems
Who is in charge?
ISA – Instrumentation Systems and Automation
SP99 – Manufacturing and Control Systems Security
SP99 Working Group 6
Patch Accreditation
Starting position 2002
• “You can’t apply security patches to control systems”
2004
• “Please raise a support case and we will test the patch for you”
• “The patch should be tested in around 9 months” (around the time of the Blaster and Nachi worms)
Current Situation – The Good News
• Most main vendors now automatically assess and test Microsoft patches
• Some vendors have very good patch turnaround times (some in 1-3 days)
Vendor Response to Patch Tuesday
Siemens
• Sends newsletter
• No time limits set – looking at 2 day
• Web site
Wonderware
• Web site with test results
• RSS feed
Vendor Response to Patch Tuesday
GE
• Web site with test results
• Setting up two day
• DOC file
Rockwell
• Web site with test results
• Need to get e-mail for link
Need to Discuss…
Standard response
• 2 day statement
• 14 day effort to fix
Need agreement
• How to find on support page or main page
• How should the data be presented
• How should users get it?
• RSS
Need to Discuss…
Common Terms
• Qualified ?=? Supported ?=? No Problems
• How soon for a fix
• What configurations
• How many versions back
• Hold harmless
What MsMUG Patch is working on
Vocabulary
• Words for Testing Status
• Words for Test Results
• How to get vendors to start using
Future
• Work on what vendors should send to users
What you can do
Do I really need to tell you?
Figure out if you are spending on patches
Carry the message to management
Find someone to work on the solution
Join MsMUG Patch team
MsMUG – How to get involved
MsMUG Communication Lists
Join:
• omacmsmugopc@isa-online.org
• omacmsmugpatch@isa-online.org
Thank You for Your Interest
For more information,
contact Bill Cotter at