Oracle released 41 security patches this week for a variety of their products. Ten of the patches were for the Oracle database – – that by the way is used in many SCADA and DCS servers.

We have seen great progress with vendors testing and certifying Microsoft patches on a timely basis. We have some progress with asset owners deploying Microsoft patches. However, we have seen very little progress from vendors or asset owners in similarly dealing with non-Microsoft patches. Databases are a prime example, but this also includes web and ftp servers, components like JRE, applications like Acrobat, client side vulnerabilities, router/switch OS and more.

Database patching is tough. The patches are more likely to break something in the control system application than a Microsoft patch in our experience. Testing tends to take more time. That said, an unpatched database vuln with an exploit is just as big of a problem as a missing Microsoft patch.

It’s time for control system patching to move beyond Microsoft. Would be very interested in hearing some success stories and vendor commitments to test and certify patches beyond Microsoft.