MatrikonOPC OPC Exchange


Some Additional Comments on MS08-008

Posted on March 13th, 2008 by Eric Murphy

Digital Bond has recently posted an informative podcast that discusses control system security with a couple of industry experts. One of the topics is the MS08-008 vulnerability, vendor reactions and discussions on how these things should be handled. As it turned out, the MS08-008 vulnerability wasn’t that big a concern, since it required user intervention to exploit, was easily fixed and didn’t directly affect that many products. However, the podcast raises some good questions about how vendors should deal with a serious control-specific vulnerability, if and when one appears, in terms of disclosure, testing and patching. Of course, the biggest challenge control system vendors face is patch management: either validating fixes from Microsoft or implementing and testing fixes of their own. It’s a good listen.

On the topic of reactions and vendor response, let me put on my MatrikonOPC hat for a minute: “Our developers reviewed the security bulletin and determined that none of the MatrikonOPC products made use of the affected components. The Microsoft patches were applied to systems running several MatrikonOPC products to ensure patching did not adversely affect their operation. These tests were run against the various Microsoft operating systems MatrikonOPC supports. The patch did not adversely affect our products. A notice to that effect was posted on our Support Knowledge Base.” I’ve seen a comment or two out in the websphere that didn’t think that point was made clearly enough.

OK, back into the OPC Exchange blogger hat.  My aim with this blog is to provide information on a wide range of OPC topics to all OPC users.   I hoped most OPC vendors would have validated the patches against their particular products and posted their findings or comments.   In case there were those that didn’t, my post was aimed at providing users with some guidance on how to deal with this particular vulnerability.  Was it “OMG-the-sky-is-falling”, “Don’t-Worry-Be-Happy” or somewhere in between?  In this case it was somewhere in between: it shouldn’t have affected many systems, but the possibility was still there.  My advice was “We tested our stuff and things were OK, but be prudent and patch.”  

At the end of the day, if you are using a product from a vendor, that vendor needs to tell you what is right for you.   After all, patching systems is sometimes easier said than done, and only they know what their products do under the hood.
