
TL;DR

  • OPSWAT and Emerson have partnered to provide a patch management solution for air-gapped critical infrastructure environments, focusing on power and water sectors.
  • The solution replaces a deprecated WSUS-based system, offering centralized management, enhanced control, compliance reporting, and air-gap compatibility.
  • Key features include the MetaDefender Endpoint for patch deployment and MyOpsLock Central Manager for centralized orchestration, with specialized functionalities like cache nodes to reduce bandwidth.
  • Human error and misconceptions about air gaps are major security concerns; the solution incorporates rigorous validation, digital signatures, and compliance tools to mitigate risks.
  • Partnership between Emerson and OPSWAT enabled co-development of features tailored to OT environments and regulatory requirements globally.

Talk Context

  • Topic: Cybersecurity patch management for air-gapped OT environments in critical infrastructure (power & water).
  • Relevance for SDK Energy Domain: High
  • Relevance for fast implementation with public data: Low

Core Thesis

Critical infrastructure operators face significant challenges managing patching in air-gapped operational technology environments. Due to the deprecation of traditional WSUS-based methods and emerging cyber threats, Emerson partnered with OPSWAT to develop a robust, centralized, and compliant patch management solution that securely handles third-party patch deployment while maintaining air gap integrity.

Main Points

  • Legacy WSUS patching is deprecated and insufficient for OT needs.
  • Air-gapped networks are not inherently secure due to human error and policy non-adherence.
  • Centralized management console provides full asset visibility and control over patch deployment.
  • Solution supports scheduling, multiple patch sets, reporting, and vulnerability dashboards.
  • Patches undergo rigorous testing before deployment to ensure system reliability.
  • Cache nodes reduce network bandwidth usage for geographically distributed sites.
  • Partnership emphasized collaborative co-development, responsiveness to user feedback, and adaptability to multiple global regulations.
  • Removable media remain a key infection vector; technology plus policy enforcement is crucial.
  • Integrity validation includes hashing, sandboxing, antivirus multi-engine scanning, and digital signature verification.
  • The solution supports complex multi-vendor OT environments and adapts to customer-specific compliance requirements.

Architecture Insights

  • Centralized management (MyOpsLock Central Manager) orchestrates patching across devices.
  • MetaDefender Endpoint agents identify, download, and apply patches on endpoints.
  • Cache node concept: patches are delivered once to a single node at each site, which then redistributes them within the local network to minimize WAN traffic.
  • Air gap preserved by controlled file transfer through Guardian digital platform with strong file validation.
  • Integration with the Emerson Ovation control platform shows that the design is tailored to the automation industry.
  • Endpoints and patch packages are validated via hashing and signatures for chain of custody.
  • System supports granular policies for different device groups across sites that may be geographically distributed.

Data & Integration Signals

  • Patch and vulnerability data includes operating system updates and third-party applications (e.g., Microsoft Windows, Edge, Office, SQL).
  • Endpoint telemetry includes patch compliance status and vulnerability view dashboards.
  • Integration interfaces include Guardian digital platform for patch distribution and MyOpsLock for endpoint management.
  • Chain of custody is managed via hash validation; patch packages include roadmap/fingerprint files that carry the expected hashes.
  • Latency and bandwidth considerations handled via cache nodes.
  • Security scans include multi-engine antivirus and sandbox analysis for patch content.
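The two lists above describe patch packages that carry fingerprint files, are hash-validated at each hop, and are signed before they cross the air gap. The following is an added example (not OPSWAT's or Emerson's code, and not how the Guardian platform or MyOpsLock actually implement it) of what that validation looks like on the import side: the export station writes a manifest listing every file's SHA-256 and size, authenticates the manifest, and the import station refuses to read any patch content until the manifest itself verifies. The sample files, the transfer key and the station names are constructed for the demo. Because the Python standard library has no asymmetric signature primitive, an HMAC over the manifest stands in for the digital signature the talk mentions; a real deployment would use a signature whose private key never leaves the export side.

```python
"""Validate a constructed patch bundle before it is accepted across an air gap.

Added illustration only; file names, payloads and the transfer key are constructed.
"""
import hashlib
import hmac
import json

# Constructed sample patch files (stand-ins for the files on the export media).
SAMPLE_FILES = {
    "example-os-update.msu": b"EXAMPLE OS UPDATE PAYLOAD " * 64,
    "example-thirdparty-agent.exe": b"EXAMPLE THIRD-PARTY INSTALLER " * 32,
}
# Constructed key shared by the export and import stations (assumption for the demo;
# stands in for the signing key pair a real deployment would use).
TRANSFER_KEY = b"constructed-demo-transfer-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, transfer_key: bytes) -> tuple:
    """Export side: fingerprint every file, then authenticate the fingerprint file."""
    manifest = {
        "files": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in sorted(files.items())
        }
    }
    # Canonical JSON so the import side authenticates exactly the same bytes.
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(transfer_key, body, hashlib.sha256).hexdigest()
    return body, tag


def validate_bundle(files: dict, manifest_body: bytes, tag: str, transfer_key: bytes) -> tuple:
    """Import side: authenticate the manifest first, then check every file against it.

    Returns (accepted, findings). An unauthenticated manifest is rejected before any
    file listed in it is examined, so a tampered manifest cannot vouch for tampered files.
    """
    expected_tag = hmac.new(transfer_key, manifest_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False, ["manifest authentication failed; bundle rejected unread"]

    findings = []
    expected = json.loads(manifest_body)["files"]
    # Anything on the media that the manifest does not vouch for is a finding.
    for name in sorted(files):
        if name not in expected:
            findings.append(f"unexpected file not in manifest: {name}")
    # Every listed file must be present, the right size, and hash to the listed value.
    for name, meta in expected.items():
        data = files.get(name)
        if data is None:
            findings.append(f"file listed in manifest is missing: {name}")
            continue
        if len(data) != meta["size"]:
            findings.append(f"size mismatch: {name}")
        if not hmac.compare_digest(sha256_hex(data), meta["sha256"]):
            findings.append(f"sha256 mismatch: {name}")
    return not findings, findings


def custody_entry(station: str, manifest_body: bytes) -> dict:
    """One chain-of-custody record: which station handled the bundle and the manifest it saw."""
    return {"station": station, "manifest_sha256": sha256_hex(manifest_body)}


def custody_chain_consistent(chain: list) -> bool:
    """True when every hop in the chain recorded the same manifest fingerprint."""
    return len({entry["manifest_sha256"] for entry in chain}) == 1


if __name__ == "__main__":
    body, tag = build_manifest(SAMPLE_FILES, TRANSFER_KEY)
    print("clean bundle:", validate_bundle(SAMPLE_FILES, body, tag, TRANSFER_KEY))
    tampered = dict(SAMPLE_FILES)
    tampered["example-os-update.msu"] = b"X" + SAMPLE_FILES["example-os-update.msu"][1:]
    print("tampered file:", validate_bundle(tampered, body, tag, TRANSFER_KEY))
    chain = [custody_entry(s, body) for s in ("lab-release", "export-station", "site-import")]
    print("custody chain consistent:", custody_chain_consistent(chain))
```

The ordering is the point: the manifest is authenticated before any of its contents are trusted, a file not listed in the manifest is a finding in its own right, and each station records the manifest fingerprint it handled so a mismatch between hops can be attributed to the hop where it appeared.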

Operational Challenges / Trade-offs

  • Need to balance patch deployment with system uptime and operational constraints (e.g., controlled reboot timing).
  • Managing heterogeneous OT environments with multiple vendors and patch requirements.
  • Maintaining air gap integrity while enabling centralized patch management.
  • Ensuring rigorous testing to avoid system failures caused by patches.
  • Addressing human factors, enforcing policies, and mitigating risks from removable media.

Key Facts / Concrete Claims

  • OPSWAT supports over 80 countries with 2,000+ customers and over 1,000 employees.
  • 90% of US nuclear facilities use OPSWAT cybersecurity solutions.
  • Emerson has operated for 135 years, serving 150+ countries with 73,000+ employees.
  • Emerson Power and Water group has 800+ cybersecurity installs globally.
  • Previous patching solution was WSUS-based and lacked features; Microsoft’s deprecation of WSUS triggered replacement.
  • Patches are validated in Emerson labs before release.
  • Guardian digital platform provides web interface for customers to access patches monthly.
  • Cache nodes reduce network strain for distributed sites with large patches.
  • The solution provides CVE dashboards and endpoint statistics.
  • More than 45 requirements influenced solution design to ensure compliance and security.
  • Partnership involved co-development with real-time customer feedback sessions.

SDK Opportunities (Inferred)

  • Develop SDK modules enabling centralized patch management across diverse OT protocols and devices.
  • Build integration SDKs for secure file transfer with metadata and chain of custody guarantees.
  • Provide APIs to automate compliance reporting and audit trails suitable for regulatory requirements.
  • Offer SDK for endpoint posture assessment and vulnerability scanning with multi-engine AV support.
  • Enable extensible frameworks for patch scheduling, conditional deployment, and segmented device group policies.

Public-Data Use Cases (Inferred)

  • Use case: Patch compliance dashboard for public OT testbeds or simulators.
      • Motivated by the desire to show patching status and vulnerability assessment as discussed.
      • Data: public vulnerability data (CVE databases) and simulated patch status.
      • Feasibility: Medium.
  • Use case: Demonstrating air-gap breach examples via simulated human error scenarios.
      • Motivated by the discussion of misconceptions around air gap security.
      • Data: public incident or security advisory data on OT breaches.
      • Feasibility: Medium.
  • Use case: Public resource on removable media policy effectiveness in OT environments.
      • Motivated by the emphasis on removable media risks and policy.
      • Data: public policy documents, audit reports, and incident data.
      • Feasibility: High.

Open Questions

  • Specific technical details of integration between Guardian digital platform and MyOpsLock Central Manager.
  • Details about licensing models or pricing of OPSWAT patch management solution.
  • Clarification of how sandboxing is implemented in patch validation (e.g., in-house or third-party tools).
  • How the solution handles patch rollback in case issues are detected.
  • Actual scale of deployment (number of endpoints per site) typically managed with this solution.

Actionable Follow-ups

  • Validate interoperability of OPSWAT SDK with other industrial control systems beyond Emerson Ovation.
  • Assess bandwidth impacts and performance metrics from field deployments of cache nodes.
  • Research compliance reporting templates and automation APIs for energy sector regulatory bodies.
  • Investigate user experience feedback from multiple global customers regarding patch scheduling controls.
  • Explore advanced security measures like certificate signing enhancements currently under discussion.

Notable Details

  • The partnership included candid communication about deficiencies and joint feature development.
  • Multiple polls during the session helped benchmark audience asset sizes and security concerns.
  • The solution specifically addresses the new Microsoft Server 2025 checkpoint patching methodology.
  • The air gap solution is relevant globally, with mandates in Middle East, Asia, and North America.
  • Reporting capabilities allow customers to demonstrate compliance to regulators effectively.