A Patch in Time Saves Nine

The WannaCry and Petya cyber-assaults on banks, airports and other businesses in Europe in May used a vulnerability in Microsoft software to infect machines and spread around the world. Microsoft had issued a patch to close the back door months earlier, but many users never installed the update. Ironically, when Microsoft creates a software patch, it tips off bad guys to a previously unrecognized vulnerability. Cyber-criminals can create a virus to exploit that vulnerability sure in the knowledge that many corporations will fail to update the all of the thousands of computers and devices in their system.

The single-most effective thing that any IT manager can do to maintain security is to promptly install software patches. The task sounds pretty basic. But it’s easier said than done.

Christiansburg-based FoxGuard Solutions helps clients keep software up to date on critical infrastructure such as power grids, wind turbines and nuclear power plants. Founded in 1981, the company has seen its cyber-security business expand at a compounded growth rate of 42% over the past five years.

As far as FoxGuard CEO Marty Muscatello is aware, none of its customers were affected by the WannaCry and Petya attacks, reports Jacob Demmit with the Roanoke Times, after accompanying U.S. Rep. Morgan Griffith, R-Salem, on a tour of the FoxGuard facility. The company’s software is used in 40 different states and 35 countries. Reports Demmit:

FoxGuard has been using a $4.3 million cooperative agreement from the U.S. Department of Energy since 2013 to develop tools to track software updates and patches for 128 companies in the critical infrastructure industry.

It’s pretty easy to keep a single home computer up to date, but that becomes increasingly difficult when an IT department is trying to protect a power plant that could have 100,000 different machines across a power grid. A company might not even be aware of some computers on its network that could let hackers in, like an air conditioning system.

FoxGuard, it would seem, has a bright future, for its market will expand exponentially. As the Internet of Things takes off, embedding microchips and wireless in billions of devices, corporations will be hard-pressed to keep track of them all. Patching them all will be almost impossible, for Original Equipment Manufacturers typically stop updating software for devices they no longer manufacture. The challenge is particularly acute for electric utilities, which have cobbled together multiple generations of technology to operate their systems. As they move increasingly toward flexible “smart grids” to accommodate solar and wind power, they will install thousands of sensors and actuators across their systems, potentially making them even more vulnerable to cyber-attacks.

For a monthly fee, says the Roanoke Times, FoxGuard tracks all those machines and makes sure the client knows of every update on a timely basis. The company can even download and test the update in its own lab to check for compatibility issues before installing it in the field.

Bacon’s bottom line: The news brings daily remembers of how vulnerable the global Internet-connected economy is, and how anyone with a good cyber-security technology or service can tap into a global market. Governor Terry McAuliffe is right about this: Cyber-security is one of the biggest economic-development opportunities to come along in Virginia in a long time.

There are currently no comments highlighted.

One response to “A Patch in Time Saves Nine

  1. such fertile ground for comment!

    First – comparing and contrasting the competency and efficiency of government versus the private sector! Much of the government – not all of it – takes cyber security seriously – and yes – it does take money to hire and keep real professionals to maintain IT systems as opposed to many businesses practices of letting someone “on staff” look after the machines.

    and yes – you DO KNOW which IP addresses – which represent specific devices are in use… if you have those tools installed and in use and a professional actually with that responsibility to monitor, maintain and regularly patch!

    Companies – large and small – who do not deal with this issue – forthrightly are not only irresponsible – they are actually guilty of creating unfunded liabilities – substantial enough to inflict grievous financial losses not only on themselves but their clients and customers!

    So next time we want to talk about just how incompetent and inefficient government might be – think about how the private sector has dealt with this issue – to date. Too many of them have no idea of the risks involved and too ignorant to know they need employ competent professionals either on staff or as on-call consultants.

    Second – if one ever wondered.. and whined about the dearth of employment opportunities – they have not noticed this “knowledge-based” industry and that includes our schools… both K-12 and higher ed.

    Kids are woefully under-educated in 21st century knowledge these days and this is an example … how many get enough core education – language, math, technology – to actually be able to pursue studies in this field?

    Many people who manage organizations are mostly clueless about their electronic systems and rely on employees who they think are “good with computers” but often, in fact, don’t know themselves the basics on how to determine the status of a computer much less the network it is on much less configure it to not have the vulnerabilities that are common and expose things like utility grids to serious threats.

    I consider the failure for private sector companies to deal with these issues as proof – that the Govt has plenty of company when it comes to incompetence, inefficiency and unfunded liabilities in the most literal sense.

Leave a Reply