Cyber security | admin | January 24, 2022


ICS Patch Management Standards

An essential element in protecting the nation’s critical infrastructure is the security of control systems. Industrial control system (ICS) refers to the process control, supervisory control and data acquisition, distributed control, and other systems that monitor, control, and manage a nation’s critical infrastructure. These systems are deployed and used across the world, spanning multiple sectors and industries. Critical Infrastructure and Key Resources consist of electric power generators and transmission systems, dams and water systems, chemical and petroleum systems, communication systems, and other critical systems that cannot tolerate sudden interruption.

A control system collects information and performs operations based on established parameters and that information. Patch management for industrial control systems is essential because it traditionally addresses functionality and stability issues: patches resolve functional defects as well as vulnerabilities in control systems. However, various challenges can complicate patch management, and if enterprises do not overcome them, they cannot patch systems efficiently and effectively. Several security standards are designed to help organizations deploy patch management processes, highlight the challenges organizations face, and describe best practices to overcome them.
In this article, we will discuss some major standards for patch management of industrial control systems, including

  • IEC 62443
  • NCA
  • NIST
  • NERC

Image source: researchgate

Challenges faced by Industrial Control Systems (ICS)

Possible challenges an industrial control system may face include the following.

  • Blocked or delayed information flow via ICS networks could disrupt ICS operations.
  • Inaccurate information or data sent to system operators, either to cause operators to take inappropriate actions or to disguise unauthorized changes, can have various negative impacts.
  • Unauthorized changes to commands, instructions, or alarm thresholds can damage, shut down, or disable equipment, endanger human life, or create environmental impacts.
  • Interference with the safety systems operations could endanger human life.
  • Modified ICS software or configuration settings or systems infected with malware could have various negative effects.

Best practices for ICS security implementation

  • Restrict logical access to ICS networks. This includes using a demilitarized zone network architecture with firewalls to prevent network traffic from passing directly between the ICS and corporate networks.
  • Limit physical access to industrial control systems and networks. Unauthorized access to components can damage ICS functionality. A combination of physical access controls should be implemented, such as card readers, locks, and security guards.
  • Maintain operations during adverse conditions. This involves designing the ICS so that each critical element has a redundant counterpart; moreover, a failing component should not generate unnecessary traffic on the ICS or other networks.
  • Protect individual ICS components from exploitation. This includes applying security patches expeditiously after testing them under field conditions, disabling unused services and ports, restricting ICS user privileges, using security controls, and tracking and monitoring audit trails.
  • Incidents are inevitable, so an incident response plan is essential. A key characteristic of a robust security program is how quickly a system can be recovered after an incident.

IEC 62443

The IEC 62443 series of standards, established by the ISA99 committee and approved by the International Electrotechnical Commission, provides a flexible framework to mitigate current and future security flaws in industrial control systems. The committee draws on the knowledge and input of ICS security experts from around the world to develop consensus standards applicable to all industrial critical infrastructure. A newer part of the series, Security of Industrial Control Systems, provides technical cybersecurity requirements for the components making up an ICS, particularly network components, embedded devices, software applications, and host components.

The following diagram illustrates the IEC 62443 workflow for ICS Patch Management.

Image source: researchgate

Challenges faced by organizations for ICS Patch Management

Organizations may try to apply enterprise IT security strategies to ICS without understanding the consequences. Solutions applied to ICS need to be implemented in the right way to avoid inadvertent side effects. Patch management is part of a robust cybersecurity strategy that improves security through the installation of patches. However, industries face many challenges in ICS patch management. These include

  • The relative criticality of data confidentiality versus facility functions and operations.
  • The increased requirements for compensating controls to safeguard legacy ICS/OT systems.
  • Critical dangers to the environment, personnel, and society in the event of physical failures.
  • Prospects for financial loss because of an incident-related drop in productivity.
  • The difficulty of applying common IT security techniques without extensive system modifications.
  • A unique approach to ensure system integrity and reliability in industrial environments.

Steps to building ICS cybersecurity

  • Industrial control systems must be patched or updated regularly to prevent vulnerabilities from being exposed. The scope must include changes to application software and systems as well as the related configuration settings.
  • The standard recommends a defined format for distributing information about security patches between the asset owner and the ICS product supplier, and for the installation of patches by asset owners.
  • Identify and authenticate all users before allowing them to access industrial control systems.
  • Respond to security violations by notifying the proper authority and ensuring the availability of control systems against denial of essential services.
  • Ensure the integrity, confidentiality, and availability of the ICS to prevent unauthorized manipulation.
  • Organizations should actively manage the ICS: patch systems, manage users and accounts, harden configurations, and apply other protective measures. This active management is essential to the overall security of industrial control systems.

NCA Saudi Arabia

The National Cybersecurity Authority (NCA) of Saudi Arabia developed the Essential Cybersecurity Controls (ECC) in 2018. The standard was developed after comprehensive research on various national and international security standards and frameworks. The NCA is the national body responsible for boosting the kingdom’s cybersecurity and safeguarding its national security, vital interests, and critical infrastructure. The essential cybersecurity controls comprise five main domains, and Industrial Control System (ICS) cybersecurity is one of them.

ICS protection, including patch management, helps ensure effective security management of industrial control systems and operational technology, protecting the availability, confidentiality, and integrity of an organization’s data and resources against cyberattacks. The NCA uses self-assessment, on-site audits, and reports from its assessment and compliance tool to ensure that in-scope entities are compliant with the essential cybersecurity controls.

Industrial Control Systems (ICS) Cybersecurity Controls

  1. Security requirements regarding the ICS and OT should be defined, documented, and approved.
  2. The cybersecurity requirements related to ICS and OT should be implemented.
  3. In addition to the applicable ECC controls from the other domains, the security requirements concerning industrial control systems should include the following.
     • Strict virtual and physical segmentation when connecting industrial production networks to other networks across the organization.
     • Strict virtual and physical segmentation when connecting industrial networks and systems with external networks.
     • Continuous monitoring and event log activation on the industrial networks.
     • Restriction on the use of external storage media.
     • Isolation of SIS (Safety Instrumented Systems).
     • Restriction on connecting mobile devices to industrial production networks.
     • Periodic review, hardening, and secure configuration of devices and industrial control systems.
     • Patch management for operational technology and industrial control systems.
     • Vulnerability management for operational technology and industrial control systems.
     • Cybersecurity application management regarding the protection of industrial control systems from malware and viruses.
  4. The cybersecurity requirements concerning ICS and OT must be reviewed periodically.

Some essential highlights and challenges of the controls are as follows.

  • The security controls represent the minimum standards that must be complied with by all sectors and organizations in the kingdom that own critical infrastructure.
  • However, not all controls are implemented in every organization; which controls apply depends on the nature of its business activities.

NIST

NIST Special Publication 800-82 Rev. 2, Guide to Industrial Control Systems Security, provides guidance on how to protect industrial control systems, including distributed control systems, programmable logic controllers, and supervisory control and data acquisition systems, while addressing their unique performance and safety requirements. NIST helps industries mitigate the vulnerability of control systems to equipment failures, malicious attacks, and other threats.

NERC

Vulnerability and patch management are essential components of major security controls and compliance standards, including NERC CIP. North American Electric Reliability Corporation (NERC) CIP-007-5 R2.1 requires Responsible Entities with High and Medium impact cyber systems to implement a process for tracking, assessing, and installing cybersecurity patches for applicable cyber assets. According to NERC CIP-007-5 R2.2, an organization must, at least once every 35 calendar days, assess for applicability the security patches that the source has released since the last evaluation.

Under the NERC CIP patch management process, once an approved list of patches has been established, the entity installs them through a change management process that meets the compliance requirements. Approved patches are rated by priority. The standard also requires all BPS operators to identify the approved sources they monitor for new patches, and to retain documented evidence showing that the task was performed. Lastly, a detailed assessment of the list of new patches must be carried out, including the criteria used to determine the significance of each patch and how it eliminates vulnerabilities across the network environment.

ICS Patch Management Challenges

The following challenges present major issues that ICS organizations are facing while implementing patch management processes.

  • The software versions on each device, whether firmware or applications, together with its configuration, form that device’s configuration and software baseline, and these roll up into an aggregate software baseline when combined with the other devices.
  • Update identification is a major challenge ICS organizations are facing. Each vendor has established processes to notify customers when there is a new update. However, some vendors do not notify and put the responsibility onto the customer to check websites for updates. It’s a difficult and time-consuming task to track updates.
  • Updates should be validated before being deployed because not all updates need to be deployed. Patching helps mitigate security vulnerabilities, but some updates may invalidate system operations by breaking critical services and reducing system performance.

NERC Patch Management Best Practices

  • Develop an up-to-date inventory of production systems, including operating system types, physical location, IP addresses, custodian, and function.
  • Make a list of the security controls in place (such as firewalls, routers, IDS, etc.) and their configurations.
  • Plan to standardize production systems on the same versions of operating system and application software.
  • Compare listed security vulnerabilities against your control/inventory list.
  • Evaluate the flaws and likelihood of an attack in your environment. Consider vulnerability level, the severity of the threat, and the cost of mitigation.
  • Apply the patch without disrupting production or uptime.
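As an added example (not from the article or from any of the standards it cites), a small Python script that ties the CIP-007 R2.2 35-day assessment cadence to the inventory-based practices above: it flags approved patch sources whose last assessment is older than 35 days and matches vendor advisories against an asset inventory by software version. Vendor names, versions, addresses and advisory ids are constructed placeholders.

```python
from collections import namedtuple
from datetime import date

# CIP-007-5 R2.2 cadence as stated in the article: every tracked patch source
# must be re-evaluated for new patches at least once every 35 calendar days.
ASSESSMENT_WINDOW_DAYS = 35

# Inventory fields follow the best-practice list: software/OS, version, IP, custodian.
Asset = namedtuple("Asset", "name software version ip custodian")
# A patch notice from an approved source; fixed_version is the first version with the fix.
Advisory = namedtuple("Advisory", "source patch_id software fixed_version")

def version_tuple(v: str) -> tuple:
    """'5.10.0' -> (5, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def applicable_patches(inventory, advisories):
    """Map asset name -> patch ids whose fix version is newer than what the asset runs."""
    result = {}
    for asset in inventory:
        hits = [adv.patch_id for adv in advisories
                if adv.software == asset.software
                and version_tuple(asset.version) < version_tuple(adv.fixed_version)]
        if hits:
            result[asset.name] = hits
    return result

def overdue_sources(last_assessed, today):
    """Approved sources whose last patch assessment is older than the 35-day window."""
    return sorted(src for src, when in last_assessed.items()
                  if (today - when).days > ASSESSMENT_WINDOW_DAYS)

# Constructed sample data (hypothetical vendors, versions, addresses and patch ids).
INVENTORY = [
    Asset("plc-01", "VendorA-PLC-FW", "2.3.1", "10.0.1.10", "ops-team"),
    Asset("hmi-01", "VendorB-HMI", "5.0.0", "10.0.1.20", "ops-team"),
    Asset("hist-01", "VendorB-HMI", "5.2.0", "10.0.2.5", "it-team"),
]
ADVISORIES = [
    Advisory("vendor-a-portal", "A-2022-01", "VendorA-PLC-FW", "2.4.0"),
    Advisory("vendor-b-portal", "B-2022-03", "VendorB-HMI", "5.1.0"),
]
LAST_ASSESSED = {"vendor-a-portal": date(2021, 12, 1), "vendor-b-portal": date(2022, 1, 12)}

if __name__ == "__main__":
    print(applicable_patches(INVENTORY, ADVISORIES))   # hist-01 already runs >= 5.1.0
    print(overdue_sources(LAST_ASSESSED, date(2022, 1, 24)))  # vendor-a: 54 days
```

The source dates and the match results are the kind of evidence record the standard expects an entity to keep alongside its change management tickets.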

NESA

The National Electronic Security Authority (NESA) is a UAE government entity tasked with protecting the nation’s critical IT infrastructure and improving national cybersecurity. NESA draws on several established security standards, such as NIST and ISO 27001. It lists 188 security controls in a prioritized approach: there are four defined priorities, and each control is classified into one of them. Of these 188 controls, NESA mandates 35 to help entities build the information security foundation of the nation’s critical infrastructure. The NESA information pack includes several documents, such as the Critical Information Infrastructure Protection Policy (CIIP) and the Information Assurance Standards (IAS).

NESA Best Practices for Patch Management

  1. Vulnerabilities related to unpatched systems are discovered using scanning tools. Security personnel must determine and document the time that elapses between the public release of a patch and the vulnerability scan that checks for it.
  2. All patch checks must reconcile installed system patches with each vendor’s published patch list.
  3. If a patch is available, the risk associated with applying it must be assessed.
  4. Patches must be tested and assessed before they are applied, to ensure they are effective and have no side effects. If no patch is available, other controls must be considered, such as
     • adapting or implementing access controls, such as firewalls;
     • turning off capabilities or services related to the vulnerability;
     • increased monitoring to detect or prevent attacks;
     • raising awareness of the vulnerability.
  5. Advanced vulnerability scanning tools should be configured with credentials to log into the scanned systems and perform more comprehensive scans than can be achieved without login credentials.
  6. The frequency of scanning should increase as the diversity of the entity’s systems grows, to account for the varying patch cycles of each vendor.

NESA’s enforcement process

NESA’s enforcement takes a four-tier approach depending on the level of risk an organization poses to the UAE’s critical information infrastructure.

  1. Reporting: self-assessment by companies in line with voluntary and mandatory requirements.
  2. Auditing: NESA can request evidence from organizations to support their self-assessment reports.
  3. Testing: NESA can test the information security measures when appropriate.
  4. National security intervention: in extreme cases, if NESA judges that an organization’s activities are leading to unacceptable national security risks.

Although NESA does not specify penalties for non-compliance, businesses in the UAE whose operations are critical to the UAE’s data infrastructure should be aware that they will certainly fall under the scrutiny of NESA and industry regulators. Non-compliance brings the risk of that scrutiny escalating to direct intervention from NESA.

Written by: admin
