Valley Business Front Feature Article

FoxGuard Solutions is proud to be featured in the April 2017 edition of Valley Business Front.

SPECIAL NETWORK AGENT
FoxGuard specializes in utilities. It has built full-featured security and compliance programs for several of the largest energy equipment vendors in the world. Through these programs, it has deployed solutions at hundreds of sites in over 30 countries throughout the world. It also works directly with energy utilities to assist them in building their patch management programs across their infrastructures. FoxGuard has seen great demand for these solutions in the electric utility market as cyberattacks involving malware create more awareness, and as compliance standards increase the scope of assets that need to be addressed.

How private and municipal utilities protect and defend their networks has become a monumental question, and that gives FoxGuard a strong footprint in the industry. Industrial control systems (ICS) in critical infrastructure are high-risk targets for attack and exploitation. These systems are considered so vital to the United States that their interruption or disablement could have catastrophic effects on the security, economy, health, or safety of its citizens. As a result, the North American Electric Reliability Corporation (NERC) has established standards and regulations on securing systems in the ICS environment. Patches and updates are required to help resolve security vulnerabilities, address functional issues, and meet compliance requirements. Besides utilities, other critical infrastructure markets include water and health care, Muscatello says.

See the full article here.

Regulatory Growth as of April 2017

Earlier this month, Compliance & Risks published its quarterly regulatory growth charts for April 2017. The charts show regulatory growth by subject and region.

Overall growth by year shows an increase in regulations of over 30% from April 2016 to April 2017 (and pending), covering the areas of batteries, climate change, energy, packaging, product safety, substances, and waste.

By region, the largest growth during this time period was in the Latin America / Caribbean region.

FoxGuard tracks pending new legislation, as well as upcoming changes to existing legislation, and works closely with our supplier network to ensure continued compliance of systems and components.

SIGNING, HASHING & UPDATE SECURITY

Creating confidence and security in your product’s pipeline

PATCH VALIDATION FOR ICS

“Learn about how the GE and FoxGuard Experts handle Patch Validation.”

Regulatory Changes Requiring New Documentation

As always, the world of regulatory compliance for IT equipment evolves and expands, and changes are on our doorstep, with further changes being right around the corner.

EU Declaration of Conformity – EMC standard EN 55032:2012 mandatory as of March 5, 2017

In less than one month, EMC standard EN 55022:2010 expires, and EN 55032:2012 must be reflected on EU Declarations of Conformity. 

Two items of note regarding this change:

  • EN 55032:2012 v. EN 55032:2015

Although EN 55032:2015 has been published, it has not yet been adopted by the European Commission under EMC Directive 2014/30/EU.  Until the 2015 version is adopted under the EMC Directive, EN 55032:2012 is the standard that must be on the CE Declaration.  Recommendations have been made to have products tested to both versions, so both versions of the standard can be cited on the product CE Declaration.  For a complete list of EMC standards currently adopted under Directive 2014/30/EU, please visit https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/electromagnetic-compatibility_en.

  • EN 55032 v. EN 55011

Certain types of equipment are in scope of both EN 55022/55032 (Information Technology Equipment) and EN 55011 (Industrial, scientific and medical equipment), which is still in force.  If your equipment falls into this category, please note that EN 55011 cannot be accepted in lieu of EN 55032, since the CE Declaration must include all standards relevant to the product.

REACH – Four Additions to Substances of Very High Concern (SVHC) List

Four new chemicals have been added to the REACH Substances of Very High Concern (SVHC) list, bringing the total number of substances on the list to 173. 

Around the corner …

  • Taiwan RoHS enters into force in 2017, with mandatory enforcement dates ranging from May to November. Please check with your test lab for product-specific dates.
  • Singapore RoHS also enters into force, in June 2017. Please check with your test lab regarding specific requirements for your products.

STAYING AHEAD OF GLOBAL REGULATORY CHANGES FOR IT PRODUCTS

Global Regulatory changes for IT Products DECEMBER 2016

“Examine the challenges faced by the entire product supply chain and learn how to stay ahead of regulatory requirements and changes.”

PROVIDING AN APPLIANCE WITH YOUR CYBER SECURITY SOFTWARE SOLUTION

The cyber security marketplace is hot right now, and companies that want to position themselves in this market have a tremendous opportunity. A software company, often referred to as an ISV (Independent Software Vendor), with a product focused on the cyber security market should not divert its attention to anything except building an exceptional product for the customer. Distractions for a software company include selecting, acquiring, and selling a computer or computer platform to complement the software solution. FoxGuard Solutions suggests that software companies would benefit from a partnership with a reputable computing appliance provider to offer a total turnkey solution for the customer.

Why should a software company outsource?

The implementation of the cyber security software will need to be completed by either the software company, the end customer, or the outsourced computer appliance supplier who partners with the software company. FoxGuard Solutions can provide an accountable point of contact to ensure the delivery and implementation of the software.   


  1. Who will design and optimize the computing platform (to the software)?
  2. Will it be easier for the end customer to buy a turnkey solution or multiple products? Issue one or multiple purchase orders?
  3. Will a software company or the end customer know how to effectively move from design, to prototyping, to production systems?
  4. Who will manage the product parts setup and lifecycle?
  5. Who will manage the logistics, warehousing, inventory, and installation?
  6. What if the end customer wants the computing platform or appliance integrated with other equipment, such as a computer rack?
  7. What if the target market and customers need multiple form factors in their selection of computer appliances?
  8. What about warranty, failure rates, and support?
  9. How does the software company promote their brand?
  10. Would it be helpful if the computer was branded for the software company?


As this list implies, there is a lot to worry about from the software company’s perspective at a time when it needs to be devoting its time and energy to having the best software and support possible. Sure, the software company could simply tell the end customer to provide the computer, but the risk there is that the software may not perform optimally because the customer did not select the recommended hardware. This can cause startup problems and leave the end customer with a poor impression of the software company.


The cyber security market is estimated to grow to $170 billion (USD) annually by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8 percent from 2015 to 2020, according to a report from Markets and Markets. The aerospace, defense, and intelligence vertical continues to be the largest contributor to cyber security solutions. If you are a software company or ISV and you are trying to take advantage of this great growth opportunity, take a good look at partnering with a computing appliance supplier. The FoxGuard Solutions team would be happy to consult with you and help you assess whether this would be a good direction for your firm. These are very competitive times and also times where markets are moving to a heavy focus on software. The software companies who can put their focus and attention on their software and not on other distractions could be the ones who will win with the customer in the end.

UPCOMING CHANGES TO MICROSOFT’S UPDATE POLICY

On August 15th, 2016, Microsoft announced some new changes for how they will offer updates for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

PATCH MANAGEMENT FOR ICS

Learn the common problems most organizations face when establishing a patch management program and the best practices for handling these issues.

UPCOMING CHANGES TO MICROSOFT’S UPDATE DELIVERY POLICY

WHAT IS CHANGING?

On August 15th, 2016, Microsoft announced some new changes for how they will offer updates for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Starting in October 2016, Microsoft will offer a single Monthly Rollup on the second Tuesday of each month that addresses all security and non-security issues released for each operating system. This Monthly Rollup only addresses core operating system components and does not cover other Microsoft software. This is the same update model that Microsoft currently uses for Windows 10. For customers that normally only install security updates, Microsoft will release a security-only rollup update on the same day.

At first, these Monthly Rollup updates will only contain fixes for the operating system released since October 2016, but over time Microsoft plans to add older updates to this rollup. Eventually, this will become a fully cumulative update, meaning that a completely unpatched system could apply a single rollup update (plus any prerequisites that rollup requires) and be fully up to date with everything the Monthly Rollup covers. In addition to these two rollups, per a comment from Nathan Mercer from Microsoft (in the discussion section of the article referenced above), there are plans to release an update rollup containing only new non-security fixes on the third Tuesday of each month.

In addition to the Monthly Rollup for the operating system itself, Microsoft plans to use the same model for .NET Framework updates. The .NET Framework Monthly Rollup will be offered as a full rollup with both security and non-security fixes, as well as a security-only version. This rollup will only install updates for the version of the .NET Framework installed on a system. It will not upgrade a system to higher versions of the .NET Framework.

Regardless of which type of rollup update is chosen, Microsoft no longer plans to offer individual security or non-security updates for Windows itself or the .NET Framework. This is further confirmed in another blog entry posted on August 30th. In this new blog entry, they address the question: “With the new Windows as a Service: Service Model, can we back out a single patch (KB) if it causes issues since they are all rolled up?” To summarize Microsoft’s answer, you can’t control which KBs are applied, so you will need to back out the entire rollup. They justify this decision by stating that the rollups are designed to correct the fragmentation caused when users selectively install updates. They also state that this new rollup model makes it easier to migrate to new versions of Windows without wiping and reloading an entire system.

Other Microsoft-provided updates, such as Adobe Flash Player updates for newer versions of Windows and Microsoft Office updates, will still be delivered as individual updates and will not be included in the rollup. Another critical update type that will not be included in the rollups is Servicing Stack updates. These are updates to the component the operating system uses to detect and install updates. When a new Servicing Stack update comes out, it will likely be required before any future updates can be installed.
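As an added example (not code from the FoxGuard article or from Microsoft), the PowerShell function below checks a Windows 7 SP1 / Server 2008 R2 host against the model described above: it looks for the month’s Monthly Rollup, its security-only counterpart, and the Servicing Stack update that must be in place before either will install, and reports which action is still outstanding under the chosen update policy. The KB numbers are parameters; the values in the usage line are placeholders, not real KB identifiers, and must be taken from the Microsoft Update Catalog for the month being assessed.

```powershell
# Added example: assess a host against the rollup servicing model.
# Not FoxGuard's or Microsoft's code. Needs PowerShell 3.0 or later (Windows 7
# ships with 2.0). Relies on Get-HotFix, which reads Win32_QuickFixEngineering and
# therefore lists operating-system updates only; Office and Flash Player updates,
# which stay outside the rollups, do not appear in its output.
function Get-RollupState {
    [CmdletBinding()]
    param(
        # KB identifiers for the month under assessment. Placeholders only:
        # look the real numbers up in the Microsoft Update Catalog.
        [Parameter(Mandatory)] [string] $MonthlyRollupKB,
        [Parameter(Mandatory)] [string] $SecurityOnlyKB,
        [Parameter(Mandatory)] [string] $ServicingStackKB,
        [string] $ComputerName = $env:COMPUTERNAME,
        # The two rollup flavours: a security-only policy is satisfied by either
        # rollup, a monthly policy only by the Monthly Rollup itself.
        [ValidateSet('Monthly', 'SecurityOnly')] [string] $Policy = 'Monthly'
    )

    # Normalise 'kb1234567' / '1234567' / 'KB1234567' to the HotFixID form 'KB1234567'.
    $norm = { param($kb) 'KB' + ($kb -replace '^KB', '') }
    $wanted = @{
        Monthly        = & $norm $MonthlyRollupKB
        SecurityOnly   = & $norm $SecurityOnlyKB
        ServicingStack = & $norm $ServicingStackKB
    }

    $installed = @(Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID)

    $hasSsu     = $installed -contains $wanted.ServicingStack
    $hasMonthly = $installed -contains $wanted.Monthly
    $hasSecOnly = $installed -contains $wanted.SecurityOnly

    # The Monthly Rollup carries every security fix of the security-only rollup,
    # so it satisfies both policies; the reverse is not true.
    $covered = if ($Policy -eq 'SecurityOnly') { $hasMonthly -or $hasSecOnly } else { $hasMonthly }

    # Servicing stack first: the rollups will not install without it.
    $nextAction = if (-not $hasSsu) { "Install $($wanted.ServicingStack) (servicing stack) before any rollup" }
                  elseif ($covered) { 'None' }
                  elseif ($Policy -eq 'SecurityOnly') { "Install $($wanted.SecurityOnly) (or $($wanted.Monthly))" }
                  else { "Install $($wanted.Monthly)" }

    # One record per host, suitable for the compliance evidence file.
    [pscustomobject]@{
        ComputerName          = $ComputerName
        Policy                = $Policy
        ServicingStackPresent = $hasSsu
        MonthlyRollupPresent  = $hasMonthly
        SecurityOnlyPresent   = $hasSecOnly
        Covered               = $covered
        NextAction            = $nextAction
        Assessed              = (Get-Date).ToString('s')
    }
}

# Usage (placeholder KB numbers, replace with the month's real identifiers):
# Get-RollupState -MonthlyRollupKB KB0000001 -SecurityOnlyKB KB0000002 `
#     -ServicingStackKB KB0000003 -Policy SecurityOnly |
#     Export-Csv -NoTypeInformation -Append .\rollup-evidence.csv
```

Running this against a list of hosts and appending the output to a CSV gives the per-month evidence that the rollup model is supposed to simplify: one row per host instead of one row per bulletin.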

HOW DID UPDATES WORK BEFORE?

For Windows 7 and Windows 8.1, as well as their corresponding Windows Server variants, Microsoft released multiple security bulletins each month on the second Tuesday of the month (commonly known as “Patch Tuesday”). Each security bulletin addressed a single vulnerability (or multiple related vulnerabilities) in a Microsoft product and referenced one or more patches for each affected product. In order to fully patch a system, users needed to install each of the applicable updates released in a given month. If necessary, users could choose not to install one or more updates. According to Microsoft, this ability to pick and choose led to multiple potential problems. Some examples they give are increased scan times, increased testing complexity, and various combinations of updates causing other errors, lowering update quality.

HOW WILL IT AFFECT CRITICAL INFRASTRUCTURE?

Moving to a rollup model does have some major benefits for those in critical infrastructure. A reduced number of updates each month greatly reduces the patch management burden, especially considering that the June 2016 round of updates included 17 different security bulletins. This reduced update count also means less compliance documentation to deal with each month.

However, the loss of granular update selection means that when a critical application breaks due to a Windows rollup update, end users are left with difficult decisions. For example, what is the best way to get back up and running? Ideally, the offending update can be uninstalled. This would leave systems vulnerable, but operations would return back to normal. In some cases, there have been Windows updates that could not be uninstalled. One recent example is MS16-088. Certain updates within this security bulletin cannot be removed. The updates that can’t be removed here mainly deal with online Office products such as SharePoint and Microsoft Office Web Apps. However, MS14-024 was a security update released for Microsoft Office as a whole that cannot be uninstalled. While no recent examples of OS updates that could not be uninstalled could be found, if any future rollup updates behave that way, then it would be necessary to restore from a backup after applying an incompatible update.

In a situation where a rollup update is incompatible with a critical application, there are two options available: wait for Microsoft to release a new update that does not break the application, or wait for the application’s vendor to release an update that is compatible with the Microsoft rollup update. Microsoft has stated in their more recent blog entry on August 30th that “if there is a problem the partner will need to open up a case and provide business justification to drive the discussion with Microsoft.” Expecting a large entity like Microsoft to re-release an update to address issues that affect a very small number of applications, no matter how critical they are, is unlikely (but not impossible). In an industry where hardware and software are designed to run for decades, waiting for a vendor to update an application is not feasible in many cases. Until either the Microsoft rollup update no longer breaks the application, or the application is changed so that it won’t break, systems in critical infrastructure and other industries may have to remain unpatched for quite some time.

In situations where updates can’t be applied without breaking a critical application, Microsoft does provide documentation on mitigating factors and workarounds for some of their published security vulnerabilities. If this documentation exists for a given update, it can be found in the Microsoft Security Bulletin for that update. For updates with no mitigation documentation, other mitigation technologies would need to be utilized in order to protect systems where the underlying vulnerability can’t be patched without breaking other critical functionality.
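The back-out path discussed above, as an added PowerShell example (not from the FoxGuard article or from Microsoft): it uninstalls one rollup with wusa.exe, verifies through Get-HotFix whether Windows actually released the package, and records what the system owner is left with: either a host that is now missing every fix in the rollup and needs the bulletin mitigations documented, or a package that cannot be removed and forces a restore from the pre-update backup. The KB identifier is a parameter; the value in the usage line is a placeholder, not a real KB number.

```powershell
# Added example: back out a rollup that broke a critical application and record
# the resulting exposure. Not FoxGuard's or Microsoft's code. Run from an elevated
# session; wusa.exe is the Windows Update Standalone Installer shipped with Windows.
function Remove-RollupUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $KB,   # e.g. 'KB0000001' (placeholder, not a real KB)
        [switch] $AllowRestart                 # by default the host is left running (/norestart)
    )
    $number = $KB -replace '^KB', ''
    $id     = "KB$number"

    if (-not (Get-HotFix -Id $id -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ KB = $id; Status = 'NotInstalled'; Recommendation = 'Nothing to remove' }
    }
    if (-not $PSCmdlet.ShouldProcess($id, 'Uninstall rollup')) { return }

    $arguments = "/uninstall /kb:$number /quiet"
    if (-not $AllowRestart) { $arguments += ' /norestart' }
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList $arguments -Wait -PassThru

    # The exit code alone is not trusted: re-read the installed list afterwards.
    $stillPresent = [bool](Get-HotFix -Id $id -ErrorAction SilentlyContinue)

    # 0 = removed, 3010 = removed with a reboot pending (ERROR_SUCCESS_REBOOT_REQUIRED).
    # Anything else is reported as hex so the CBS/Windows Update HRESULT can be looked
    # up; if the package is still listed, Windows did not permit the uninstall.
    $status = switch ($proc.ExitCode) {
        0       { 'Removed' }
        3010    { 'RemovedRebootPending' }
        default { if ($stillPresent) { 'NotRemovable' } else { 'RemovedWithWarning' } }
    }
    $recommendation = switch ($status) {
        'NotRemovable' { 'Rollup cannot be uninstalled: restore the pre-update backup and hold the rollup until Microsoft or the application vendor ships a compatible release' }
        default        { 'Host is now missing every fix in the rollup: apply the mitigations from the affected security bulletins and document the exception' }
    }

    [pscustomobject]@{
        KB             = $id
        ExitCode       = ('0x{0:X8}' -f $proc.ExitCode)
        Status         = $status
        StillInstalled = $stillPresent
        Recommendation = $recommendation
    }
}

# Usage (placeholder KB number; drop -WhatIf to actually uninstall):
# Remove-RollupUpdate -KB KB0000001 -WhatIf
```

Because the rollup is all-or-nothing, the function deliberately has no parameter for removing a single fix inside it; the point of the page is that no such option exists any more, so the record it produces is the starting point for the mitigation work, not the end of it.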

FINAL THOUGHTS

While this new update model is great for many large enterprises with huge numbers of endpoints to manage, it fails to address the reason why businesses selectively installed updates in the first place: updates sometimes break critical applications. Unless Microsoft brings back some way of installing individual security updates, many systems may have to remain vulnerable until system owners can convince Microsoft to provide a workaround, or until vendors are forced to update applications across the entire deployed fleet. In some situations, a vendor for a critical application may no longer exist or is unwilling to change. In that case, entities may need to find a new vendor in order to remain secure against all of the latest vulnerabilities in Windows. Changing vendors in critical infrastructure is not to be taken lightly, as it often requires long, expensive upgrades that introduce unwanted downtime. In the meantime, systems in critical infrastructure that were staying up to date may start to fall behind and become vulnerable, with little recourse available.

FoxGuard Solutions will continue to watch for new developments regarding Microsoft’s servicing changes. Additionally, FoxGuard is working with other industry experts to analyze these changes and work with Microsoft on ways to mitigate risks for energy delivery industrial control systems. Expect more communications from us as new information is made available.

FOR A PDF VERSION OF THIS ARTICLE – CLICK HERE

To view this and other white papers, visit our Resources page.

References:

[1] www.blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

[2] www.blogs.msdn.microsoft.com/dotnet/2016/08/15/introducing-the-net-framework-monthly-rollup/

[3] www.blogs.technet.microsoft.com/askpfeplat/2016/08/30/a-bit-about-the-windows-servicing-model/