Manufacturing companies are increasingly investing in routine patching, or patch management, to improve their response and reduce the time and effort required if a cyberattack happens. Patch management encapsulates many things, but for the scope of this paper we are specifically looking at fixes that address vulnerabilities in your software and applications that are susceptible to cyberattacks, helping your organization reduce its security risk.
Patching is difficult and disruptive in manufacturing and manufacturing support systems, where the primary mission is safety and then availability. Continuity of data monitoring must be maintained to demonstrate drug manufacturing conformance and compliance, and the activity of patching has the potential to impact manufacturing. This motivated BioPhorum Cyber Security members to seek out methods to help facilitate patching of OT (operational technology). The discussion started by asking, “Why is it so difficult?” and led on to “So what do you do about it? How can this be easier, or how do we mitigate the risk in other ways?”
This paper is a consolidated summary of the discussion between members. It is presented through seven practices: the BioPhorum manufacturing patching practices. It provides guidance to help focus your thoughts and ideas if you are tackling the same issues within your manufacturing environment. It identifies barriers that can make patching difficult (or even impossible) and proposes mitigation practices that you should consider in order to overcome these barriers and their associated risks, and to support a successful program of patching within the manufacturing environment. The BioPhorum manufacturing patching practices are not intended to be sequential, either in the way they are read or in the timing by which they are addressed or implemented in a company. The concept is that, to be successful, an evaluation should be done across all these practices to some degree. The ‘when and how’ would be determined by each company according to its individual maturity and resource capability.