Security Patch Management and MSMUG
Thursday Morning, Feb 7th
Bill Cotter, 3M
MsMUG

Today's Structure
- Consumer and Office Business
- Display Graphics Business
- Electro and Communications Business
- Health Care Business
- Safety, Security and Protective Services Business
- Industrial and Transportation Business
3M 2004 All Rights Reserved

3M Facts: Year End 2006
Sales
- Worldwide: $22.9 billion
- International (61% of total): $14.1 billion
Earnings
- Net income reported: $3.85 billion
R&D Expenditures
- For 2006: $1.5 billion
Employees
- Worldwide: 75,333
- United States: 34,533
Products
- Sales Offices: 169 Locations
- Plant Locations: 145 Locations
- Number of Products: 55,000+
Total last 5 years: $6.3 billion
3M 2008 All Rights Reserved

Security Patch Management
Bill Cotter, 3M
- What is it we are talking about?
- Why 3M is interested in Patch Management
- What is MsMUG
- SP99 or who is running this show?
- What Vendors are doing
- Plans and goals
- What is MsMUG/ISA99 doing
- How you can participate
- How to contact MsMUG

What are we talking about?
- Microsoft Security Bulletins
- Mostly Monthly releases
- Patch Tuesday
- Key word is - Security
- How do we expect our vendors to respond?
- How do we users respond?

Cost Estimate
- How much is this costing you? You tell me
- Security: Good patch management and other best practices can significantly reduce shutdowns due to virus/worms
- $5M to $20M/year for large Corporations
- $1M to $5M/year for smaller companies
- From SANS/Secunia 1/9/2008
- 5% of 20,000 machines fully patched
- 40% of machines had 11 or more unsecured applications

Why does 3M Care?
- We are one of the large companies so we are talking $$$
- We have many different systems in service
- Reviewing each patch with each takes time
- IT management want Critical patches applied quickly
- Do we apply or wait for Vendor?

Quick History of MsMUG
- Microsoft Manufacturing User Group
- User group devoted to addressing opportunities when applying Microsoft technology to industrial applications
- Formed in February 1999
- 300 members
- Users
- Software suppliers
- Microsoft

How do you Benefit
- It is all about YOU
- Leverage user community, key suppliers & Microsoft to address:
- Reliable system: Better ROI
- Security: Supporting & e-productivity efforts
- Longevity of OS: Deferred capital spending
- Best Practices: Easy to support systems
- Training: Better leverage of current staff

Who is in charge?
- ISA - Instrumentation Systems and Automation
- S99 - Manufacturing and Control Systems Security
- S99 Working Group 6 = MsMUG Patch Team report

Patch Accreditation
Starting position
- 2002: You can't apply security patches to control systems
- 2004: Please raise a support case and we will test the patch for you
- The patch should be tested in around 9 months (around the time of Blaster and Nachi worms)
Current Situation
- The Good News
- Most main vendors now automatically assess and Microsoft patches
- Some vendors have very good patch turn around times (Some in 1-3 days)

Vendor Response to Patch Tuesday
Siemens
- Sends newsletter
- No time limits set looking at 2 day
- Web site
Wonderware
- Web site with test results
- RSS feed
- Has fast response beats 2 day

Vendor Response to Patch Tuesday
GE
- Web site with test results
- Setting up two day
- DOC file
Rockwell
- Web site with test results
- Need to get e-mail for link
- Considering two day

Need to Discuss
- Standard response
- 2 day statement
- 14 day effort to fix
- Need agreement
- How to find on support page or main page
- How should the data be presented
- How should users get?
- RSS
- Go get
- XML

Need to Discuss
- Common Terms
- Qualified ?=? Supported ?=? No Problems
- How soon for a fix
- What configurations
- How many versions back
- Hold harmless
- What patches need testing

What MsMUG Patch is working on
Vocabulary
- Words for Testing Status
- Words for Test Results
- How to get vendors to start using
Future
- Work on what vendors should send to users
- What tools users need to use the data

What you can do
- Do I really need to tell you?
- Figure out if you are spending on patches
- Carry the message to management
- Find someone to work on the solution
- Join MsMUG Patch team
- WORK on team efforts

MsMUG: How to get involved
MS MUG Communication Lists
- omacmsmugall@isa-online.org (join-omacmsmugall@isa-online.org)
- omacmsmugsecure@isa-online.org (join-omacmsmugsecure@isa-online.org)
- omacmsmugopc@isa-online.org (join-omacmsmugopc@isa-online.org)
- omacmsmugpatch@isa-online.org (join-omacmsmugpatch@isa-online.org)

Thank You for Your Interest
For more information, contact Bill Cotter at WJCotter@mmm.com
Go to www.isa.org