Patch Management Planning Guide For Industrial Control Systems (ICS)

Cyber security admin todayMay 13, 2022 235

Background
share close

Impacting critical environments

Every year more than 60% of businesses get compromised by cyber attacks. Cybercriminals find new ways to attack and access your system and data every day. The pressure posed by these threats is continuously increasing as criminals find potential and more sophisticated ways to attack. Information technology security has become more important than ever before. Individuals, private firms, government agencies, SMBs, and enterprises, are all equally targeted by cybercriminals.

National Institute of Standards and Technology (NIST) has defined common patch management practices and requirements for industrial control systems. An essential component in protecting a nation’s critical infrastructure is the security of control systems. The critical infrastructure consists of transmission systems, electric power generators, dams and water systems, transportation systems, communication systems, etc. Patch management has become more complex and critical when it applies to industrial control systems. 

This article will highlight patch management as an essential component of the preventive maintenance for advanced technologies used in industrial control systems. Let’s get started.

What is Patch Management?

Patch management is a process for detecting, acquiring, prioritizing, and installing software and firmware updates throughout an organization on a regular basis. Patching has become more critical than ever due to increasing dependence on technology. An effective patch management plan ensures that all information systems and components are running the latest versions. 

It’s usually the most effective method to mitigate vulnerabilities within an ICS environment. Common areas that need patching include embedded systems, operating systems, applications, routers, networks, etc. In patch management, you can check available patches, decide whether they are required, and ensure they are installed and implemented correctly. 

  • Patch management helps you fix issues within the ICS environment.
  • It ensures your applications and software are up-to-date and run efficiently, supporting system uptime.
  • Patching is essential for adhering to compliance standards.

Patch Management for Industrial Control Systems (ICS)

Patch Management Planning for ICS helps businesses improve their patch management planning to strengthen their risk management. Implementing a robust patch management process is preventive maintenance for an ICS environment. Adopting this mindset can help organizations in the following ways.

  • Information technology (IT) security management will gain a new understanding of the patch management role in risk management.
  • Organizations can communicate effectively with each other regarding patching and reach a consensus on planning.
  • Personnel from the technology side of the organization will be prepared to update their ICS patching procedure throughout the entire patch management lifecycle.

REPLIL INDUSTRIAL PATCH MANAGER (IPM) protects industrial control systems by detecting and remediating vulnerabilities by providing centralized management and compliance for approved patches of major vendors. It provides an automated process to manage all industrial patches from any IT/OT vendor and reduces the time to deploy security patches and critical updates to secure the process network.

Risk Response Methods for Software Vulnerabilities

Patch management is a common way to respond to vulnerability risks in an ICS environment. Here are four types of risk response approaches for IT infrastructure vulnerabilities.

  • Accept_  risks from vulnerable systems by relying on existing security control for preventing vulnerability exploitation. Moreover, ascertain the impact to be low enough that no additional actions are required. 
  • Mitigate_ Reduce potential risks by eliminating vulnerabilities, upgrading to the latest software version, or disabling a vulnerable feature. 
  • Transfer_ Reduce risks by sharing some of the outcomes with another party, such as replacing traditional software installations with SaaS usage or purchasing a cybersecurity insurance plan.
  • Avoid_ Reduce risks by eliminating attack surfaces, such as decommissioning software with vulnerabilities, disabling flawed ICS equipment, uninstalling the vulnerable software, or disabling additional features in devices.

Vulnerability Management Life Cycle

Here is a basic software vulnerability management lifecycle applicable to all-risk response methods.

Detect Vulnerabilities Impacting Your Organization

You should be aware of software vulnerabilities impacting your assets, such as operating systems, applications, ICS equipment, and firmware. It involves knowing what assets your company leverages and which applications, software, and software versions those resources run down to the level of libraries and packages. 

Plan the risk response

It involves selecting which type of risk response to implement and deciding how to implement it. For instance, you might choose mitigation, and the implementation could include mitigating vulnerabilities by updating the malicious software and modifying the configuration settings of industrial control systems.

Execute the risk response

It can vary based on the nature of opted risk response. However, the most common phases are as follows.

  • Preparing the risk response_ It encompasses any preliminary activities, such as acquiring, verifying, and testing patches for vulnerable systems, deploying additional security controls to protect vulnerable systems, or having a replacement for a legacy system that can not be patched. 
  • Implementing the risk response_ includes installing a patch, deploying additional security measures, purchasing cybersecurity insurance, and modifying asset configuration. 
  • Verifying the risk response_ ensures the successful implementation of a risk response plan. For patching, it confirms that the patch is fully installed and implemented. For deploying security measures, ensure that they are functioning properly. For risk avoidance, make sure to replace vulnerable devices.
  • Monitoring the risk response_ Ensure that the risk response continues to be in place. No one can uninstall a patch, deactivates security controls, allows cybersecurity insurance to lapse, and restarts the replaced devices.

Risk Response Execution

Let’s have a closer look at the common phases of risk response execution. 

Prepare Patch Deployment

Here are some common steps for preparing a patch deployment in industrial control systems. 

  • Prioritize the patch_ Some patches may have a higher priority to deploy than others because their deployment would minimize the risks. 
  • Schedule patch deployment_ Most organizations schedule a patch deployment for change management activities.
  • Get the patch_ Patches can be downloaded, built internally by system administrators or developers, or provided via removable media.
  • Verify a patch_ A patch’s integrity must be confirmed before patch testing or installation. 
  • Test the patch_ Patch testing helps reduce operational risks by detecting issues with a patch before placing it into production.  
Deploy the Patch

Patch deployment varies based on different factors. These include

  • The type of software being updated (operating system, firmware, and application).
  • The resource platform types (IT, OT, cloud, virtual machines, etc).
  • Platform traits, such as managed or unmanaged assets, virtualized or not, on-premises or cloud. 
  • Environmental limitations (bandwidth and network connectivity).

Most aspects of patch deployment are based on patch management technologies. Some common steps for patch deployment are as follows.

  • Distribute the patch
  • Validate the patch
  • Install the patch
  • Change software state and configuration
  • Resolve issues
Verify Deployment

The deployment of a patch can be verified to ensure its successful installation. The robustness of verification can vary widely and largely depends on a company’s requirements.

Monitor the Deployed Patches

Monitor the patch deployment to confirm that the patch is still installed. For instance, the patch has not been uninstalled by an attacker or a user, and the older version has not been restored due to a backup. 

Recommendations for ICS Patch Management

Patch management has been an issue for decades with personnel from an organization’s businesses and security aspects. For instance, many organizations struggle to back the trade-offs between deployment and testing in industrial control systems. Deploying patches more often minimizes the opportunity window for hackers but increases the operation disruption risks due to lack of testing. However, testing patches before deployment can reduce the chances of operational disruption. 

Here, we will discuss some recommendations for patch deployment and management in an ICS environment. These recommendations support the following principles, which industrial control systems should strive to adopt for patch management practices. 

  • Problems are unavoidable. Always get ready for them
  • Simplify decision-making process
  • Rely on automated processes
  • Start improvements now

Let’s have some recommendations for ICS patch management planning. 

Reduce Patching Disruptions

Organizations should strive to reduce vulnerabilities detected in their ICS environment. It shrinks the attack surface and lowers the patching needs of an organization. Common methods to reduce the number of vulnerabilities are as follows.

  • Harden software, such as imposing the principles of least functionality and least privilege. 
  • Get software that has fewer vulnerabilities over time compared to others.
  • Use managed services rather than software when feasible.
  • Select platforms or stacks that are likely to have fewer vulnerabilities over time than other media or stacks. 

Organizations must consider application deployment in a way that does not disrupt operations.

Inventory Your Assets and Software

Organizations need to establish and maintain up-to-date software inventories for physical and virtual assets, including IT, OT, IoT, ICS equipment, network, and container assets. Moreover, they should implement patching from a per-asset perspective. Software inventories should contain information on all computing assets’ business and technical characteristics.

The characteristics an organization should inventory may vary, but here are some possible traits to track.

The type of asset platform. It can be IT, OT, IoT, cloud, mobile, VM, etc.

The services, applications, or other approaches used to manage the asset.

  • The party that administers the assets.
  • The network connectivity of assets in terms of frequency, protocols, bandwidth, and frequency.
  • The primary user or interconnected services of assets and their privileges.
  • The existing technical security controls for protecting assets.

Tracking business and technical characteristics for assets allow better decision-making for risk responses and priorities. 

Define Risk Response Scenarios

Organizations need to define vulnerability risk response scenarios they should be prepared to handle. Here are some examples of such scenarios.

  • Routing Patching_ It’s the standard approach for patching that needs to be done on a regular release cycle.
  • Emergency Patching_ It’s the process to address patching emergencies in critical situations, such as severe vulnerability actively exploited.
  • Emergency workaround_ It’s an emergency process in critical situations. However, the workaround can vary and may or may not require to be rolled back afterward.
  • Unpatchable assets_ It’s the implementation of isolated methods to reduce the risk of systems or software that can not be patched easily.
Assign All Assets to a Maintenance Group

Organizations must use software inventories, business, and technical characteristics, and the risk response scenario to assign all assets to a maintenance group.

Here are some examples of possible maintenance groups.

  • Mobile workforce devices for standard end-users
  • On-premises data centers, such as networks, servers, storage, equipment, etc.
  • Legacy OT devices in an ICS environment
  • Smartphones for a remote workforce
  • On-premises servers for automated testing
  • Containers with custom-facing apps in the public cloud

Maintenance groups can be defined depending on other traits, such as personnel roles or device importance.

Effective patch management is a vital component of a robust security program for industrial control systems (ICS). However, the complexity of the ICS environment presents certain challenges to asset owners. ICS should be updated or patched periodically to prevent security vulnerabilities from being exploited. It is required to make and follow a robust patch management policy and process to achieve a higher maturity. In this article, we have discussed ICS patch management in detail and learned best practices and ways to implement it.

REPLIL Industrial Patch Management (IPM) is a centralized patch management solution for major ICS vendors and provides a 360-degree view of entire industrial assets and network devices’ patch status.

Define Maintenance Plans for Maintenance Groups

Organizations need to define a maintenance plan with applicable risk response scenarios for all maintenance groups. Here are some subsections that each scenario might involve for a maintenance plan, and organizations need to consider them.

  • They should consider adopting incremental deployments for routine patching.
  • They should provide flexibility with how soon a routine patch is installed while enforcing the installation after the grace period.
  • They should consider leveraging the same approach for emergency patching, except with a highly expedited schedule.
  • They must plan for a quick implementation of emergency workarounds to safeguard vulnerable assets.
  • They should implement long-term risk mitigation approaches besides patching to safeguard vulnerable assets.

Final Words

Patch management has become more important than ever due to increasing reliance on technology. With the advancement in technology, cybercriminals leverage sophisticated ways to attack. This article has discussed patching as an essential component of preventive maintenance for the ICS environment. 

It also discussed some common factors that impact the ICS patch management and suggested some important strategies to simplify and operationalize the patch process and reduce potential risks for industrial control system security. Preventive maintenance for patch management helps organizations prevent data breaches, compromises, and operational disruptions in an ICS environment.

REPLIL Industrial Patch Management (IPM) is a powerful tool to support all major OEM vendor patches. Manage and deploy patches on multiple Microsoft servers with a single click.

References:

  • NIST 800-40 Special Publication

Written by: admin

Tagged as: , , .

Rate it
Previous post

Post comments (0)

Leave a reply