Patch management has been a point of friction for decades between an organization's business and security functions. For instance, many organizations struggle to balance the trade-off between deployment and testing in industrial control systems. Deploying patches more often shrinks the window of opportunity for attackers but raises the risk of operational disruption when patches go out with little testing. Testing patches before deployment, on the other hand, reduces the chance of operational disruption at the cost of a longer exposure window.
Here, we will discuss some recommendations for patch deployment and management in an ICS environment. These recommendations support the following principles, which industrial control systems should strive to adopt for patch management practices.
- Problems are unavoidable; always be prepared for them.
- Simplify the decision-making process.
- Rely on automated processes.
- Start improvements now.
Here are some recommendations for ICS patch management planning.
Reduce Patching Disruptions
Organizations should strive to reduce the number of vulnerabilities present in their ICS environment. Doing so shrinks the attack surface and lowers the organization's patching workload. Common methods to reduce the number of vulnerabilities are as follows.
- Harden software, such as imposing the principles of least functionality and least privilege.
- Get software that has fewer vulnerabilities over time compared to others.
- Use managed services rather than self-hosted software when feasible.
- Select platforms or stacks that are likely to accumulate fewer vulnerabilities over time than the alternatives.
Organizations must also plan application deployment so that later patching does not disrupt operations.
Inventory Your Assets and Software
Organizations need to establish and maintain up-to-date software inventories for physical and virtual assets, including IT, OT, IoT, ICS equipment, network, and container assets. Moreover, they should implement patching from a per-asset perspective. Software inventories should contain information on all computing assets’ business and technical characteristics.
The characteristics an organization should inventory may vary, but here are some possible traits to track.
- The type of asset platform: IT, OT, IoT, cloud, mobile, VM, etc.
- The services, applications, or other mechanisms used to manage the asset.
- The party that administers the asset.
- The asset's network connectivity in terms of frequency, protocols, and bandwidth.
- The primary user or interconnected services of the asset and their privileges.
- The existing technical security controls protecting the asset.
Tracking both business and technical characteristics for assets allows better decision-making about risk responses and priorities.
Define Risk Response Scenarios
Organizations need to define vulnerability risk response scenarios they should be prepared to handle. Here are some examples of such scenarios.
- Routine patching: the standard approach, in which patches are applied on a regular release cycle.
- Emergency patching: the process for handling patching emergencies in critical situations, such as a severe vulnerability that is being actively exploited.
- Emergency workaround: an emergency process for critical situations where a patch cannot be applied immediately. The workaround varies by case and may or may not need to be rolled back afterward.
- Unpatchable assets: the use of isolation methods or other mitigations to reduce the risk from systems or software that cannot be patched easily.
Assign All Assets to a Maintenance Group
Organizations must use their software inventories, the business and technical characteristics they track, and the defined risk response scenarios to assign every asset to a maintenance group.
Here are some examples of possible maintenance groups.
- Mobile workforce devices for standard end-users
- On-premises data centers, such as networks, servers, storage, equipment, etc.
- Legacy OT devices in an ICS environment
- Smartphones for a remote workforce
- On-premises servers for automated testing
- Containers with customer-facing apps in the public cloud
Maintenance groups can be defined depending on other traits, such as personnel roles or device importance.
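The following is an added example, not code from the original article or from any vendor, that ties the three preceding sections together: a small asset inventory carrying the characteristics listed above, a function that assigns each asset to one of the example maintenance groups, and a function that selects a risk response scenario from the asset's patchability and the vulnerability's severity and exploitation status. The field names, the group names, the decision thresholds and the sample inventory are all assumptions chosen for illustration; the vulnerability identifier is a placeholder, not a real advisory.

```python
"""Added example (not from the original article): a minimal asset inventory
with maintenance-group assignment and vulnerability risk-response selection.
Field names, group names, thresholds and the sample inventory are assumptions."""
from dataclasses import dataclass, field
from collections import defaultdict


@dataclass
class Asset:
    asset_id: str
    platform: str                 # "it", "ot", "iot", "cloud", "mobile", "vm", "container"
    location: str                 # "on-prem", "public-cloud", "field"
    administrator: str            # party that administers the asset
    legacy: bool = False          # vendor no longer supplies patches for this platform
    patchable: bool = True        # False when patching would require an unplanned outage
    exposure: str = "internal"    # "customer-facing", "internal", "isolated"
    controls: list = field(default_factory=list)  # existing technical security controls


@dataclass
class Vulnerability:
    identifier: str               # placeholder id; real advisories would carry a CVE id
    severity: str                 # "critical", "high", "medium", "low"
    actively_exploited: bool
    patch_available: bool


def assign_maintenance_group(asset: Asset) -> str:
    """Map tracked inventory characteristics to one of the example maintenance groups."""
    if asset.platform == "ot" and asset.legacy:
        return "legacy-ot-ics"
    if asset.platform == "mobile":
        return "mobile-workforce"
    if asset.platform == "container" and asset.location == "public-cloud":
        return "cloud-containers"
    if asset.location == "on-prem":
        return "on-prem-datacenter"
    return "unassigned"  # surface for manual review rather than guessing a group


def choose_response(asset: Asset, vuln: Vulnerability) -> str:
    """Pick a risk response scenario from the asset and vulnerability facts."""
    if not asset.patchable:
        return "unpatchable-isolate"        # isolation / compensating controls
    emergency = vuln.actively_exploited and vuln.severity in ("critical", "high")
    if emergency:
        # Only patch under emergency rules if the vendor has actually shipped a fix;
        # otherwise fall back to a workaround that may need to be rolled back later.
        return "emergency-patch" if vuln.patch_available else "emergency-workaround"
    return "routine-patch"


def plan_response(inventory, vuln):
    """Group per-asset decisions by maintenance group so each group can be scheduled."""
    plan = defaultdict(list)
    for asset in inventory:
        group = assign_maintenance_group(asset)
        plan[group].append((asset.asset_id, choose_response(asset, vuln)))
    return dict(plan)


# Constructed sample inventory (not real assets).
SAMPLE_INVENTORY = [
    Asset("plc-01", "ot", "field", "plant-engineering", legacy=True, patchable=False,
          exposure="isolated", controls=["network-segmentation"]),
    Asset("hmi-02", "ot", "on-prem", "plant-engineering"),
    Asset("web-03", "container", "public-cloud", "platform-team", exposure="customer-facing"),
    Asset("phone-04", "mobile", "field", "it-helpdesk"),
]

# Constructed vulnerability: critical, exploited in the wild, vendor patch available.
EXPLOITED_CRITICAL = Vulnerability("VULN-PLACEHOLDER-1", "critical", True, True)


if __name__ == "__main__":
    for group, decisions in sorted(plan_response(SAMPLE_INVENTORY, EXPLOITED_CRITICAL).items()):
        print(group, decisions)
```

Running the script lists one line per maintenance group with the chosen response for each asset in it; the unpatchable legacy PLC is routed to isolation even for a critical exploited flaw, while the patchable assets get emergency patching. Assets that match no rule are reported as "unassigned" so they are reviewed by a person rather than silently dropped from the schedule.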