Patch Management Strategy DHS and IEC62443-2-3 for ICS

Cyber security + Whitepapers | admin | July 24, 2024

Background
One Wrong Patch Update

GLOBAL IMPACT HIGHLIGHTS THE IMPORTANCE OF A PHASED PATCH APPROACH

Using Defined IEC62443-2-3 or DHS Strategy for Critical Infrastructure

The recent CrowdStrike patch update caused IT system crashes, highlighting the serious impact of software defects. The disruption affected IT services and caused global chaos in the airline and banking sectors.

In ICS/OT systems, the consequences of poor patch management can be even more severe, including financial losses and risks to human safety. Effective patch management helps mitigate these risks and maintain operational availability.

WINDOWS XP CRASH CAUSED BY MCAFEE UPDATE

In 2010, a McAfee update caused a widespread malfunction of Windows XP systems: a false-positive virus detection deleted critical system files and sent the affected machines into an endless loop.

WINDOWS SYSTEMS CRASHED BY CROWDSTRIKE UPDATE

In July 2022, a faulty CrowdStrike update crashed roughly 8.5 million Windows endpoints worldwide, bringing down multiple critical facilities.


IEC62443-2-3 DEFINED PATCH MANAGEMENT STRATEGY FOR ICS


The ANSI/ISA-TR62443-2-3 standard outlines requirements for asset owners and industrial automation and control system (IACS) product suppliers who have established and are now maintaining an IACS patch management program. This Technical Report recommends:

  1. Defined Format for Information Distribution: A standardized format for distributing information about security patches from asset owners to IACS product suppliers.
  2. Activity Definitions: A clear definition of activities related to the development of patch information by IACS product suppliers, as well as the deployment and installation of patches by asset owners.

The unintended consequences of a poor patch management program can include:

  • Incompatibility between patches and control system software
  • Degradation of system performance, reliability and operability when patches are deployed with insufficient testing.

Malicious threat actors often have an advantage over their targets due to the challenges product suppliers and asset owners face in keeping their systems up to date. When a vulnerability is disclosed, whether with good or malicious intent, the responsibility primarily falls on the asset owner to apply the patch promptly.


CRITICAL INFRASTRUCTURE PATCH MANAGEMENT STRATEGY DEFINED BY THE DEPARTMENT OF HOMELAND SECURITY

DHS released a systematic approach to patch management in critical systems, summarised as a decision tree.

Critical Decision Tree

If an urgency determination requires immediate action and a work-around solution is either unavailable or not optimal, follow these steps:


REPLIL STRATEGY TO SECURE CRITICAL INFRASTRUCTURE USING IEC62443 “SL3” PRODUCTS


REPLIL INDUSTRIAL PATCH MANAGER (IPM)

REPLIL OT PATCH SANDBOX (OPS)

Risk-Based Patch Prioritization

  • Criticality Assessment: Categorize patches based on the criticality and risk associated with each asset. Patches that address vulnerabilities in high-risk or high-value assets should be prioritized.
  • Impact Analysis: Evaluate the potential impact of deploying patches on operational continuity. Prioritize patches that fix critical vulnerabilities without significantly disrupting operations.

Scheduled Patch Deployment

  • Patch Scheduling: Develop a patching schedule that aligns with operational downtimes to minimize disruptions. Utilize maintenance windows or planned downtimes for deploying critical patches.
  • Phased Rollouts: Implement patches in a phased manner, starting with less critical systems to observe any unforeseen impacts before deploying to critical systems.
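The prioritization and phased-rollout rules above can be turned into a small scheduling routine. The following Python sketch is an added example, not code from the whitepaper or from Replil's IPM/OPS products; the asset names, criticality tiers, scoring weights and sample patches are constructed assumptions for illustration. Risk ordering decides which patch is handled first; within a patch, the rollout runs from the least critical assets towards the most critical ones so that an unforeseen regression surfaces before a critical system is touched.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample model, not from the whitepaper.
# Criticality tiers: 1 = low (test bench) .. 5 = safety-critical controller.
@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int
    zone: str                 # illustrative IEC 62443 zone label

@dataclass
class Patch:
    patch_id: str
    severity: float           # vendor / CVSS-style base score, 0..10
    exploited: bool           # exploitation observed in the wild
    workaround: bool          # a compensating control exists without patching
    disruption: int           # expected operational disruption, 0 (none) .. 3 (outage)
    assets: List[Asset]

def risk_score(p: Patch) -> float:
    """Criticality assessment and impact analysis folded into one sort key.
    Higher means patch sooner. The weights are assumptions, not from any standard."""
    top_tier = max(a.criticality for a in p.assets)
    score = p.severity * top_tier           # severity x value of the most critical asset hit
    if p.exploited:
        score *= 1.5                        # active exploitation raises urgency
    if p.workaround:
        score *= 0.6                        # a compensating control buys time
    score -= 2 * p.disruption               # heavy disruption lowers priority unless severity dominates
    return round(score, 2)

def prioritize(patches: List[Patch]) -> List[str]:
    """Return patch ids ordered from most to least urgent."""
    return [p.patch_id for p in sorted(patches, key=risk_score, reverse=True)]

def rollout_waves(p: Patch) -> List[List[str]]:
    """Phased rollout for one patch: one wave per criticality tier, least
    critical assets first; each wave is validated before the next starts."""
    tiers: Dict[int, List[str]] = {}
    for a in p.assets:
        tiers.setdefault(a.criticality, []).append(a.name)
    return [sorted(tiers[t]) for t in sorted(tiers)]

# Constructed assets and patches (hypothetical names and values).
HIST_TEST = Asset("historian-test", 1, "L3-test")
ENG_WS = Asset("eng-ws-02", 2, "L3")
HMI_01 = Asset("hmi-01", 4, "L2")
PLC_SAFETY = Asset("plc-safety-a", 5, "L1-safety")

SAMPLE_PATCHES = [
    Patch("P-C", 5.3, False, False, 0, [HIST_TEST]),
    Patch("P-A", 9.8, True, False, 3, [ENG_WS, HMI_01]),
    Patch("P-B", 7.5, False, True, 1, [PLC_SAFETY, HMI_01, HIST_TEST]),
]

if __name__ == "__main__":
    for pid in prioritize(SAMPLE_PATCHES):
        p = next(x for x in SAMPLE_PATCHES if x.patch_id == pid)
        print(pid, risk_score(p), "waves:", rollout_waves(p))
```

With the sample data, the actively exploited patch on the HMI sorts first despite its high disruption, the safety-PLC patch with a workaround second, and the test-historian patch last; the rollout for the PLC patch runs test historian, then HMI, then the safety controller.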

Automated Patch Management

  • Continuous Monitoring: Implement continuous monitoring to detect new vulnerabilities and assess the need for patches in real time. Automated alerts can help promptly address critical vulnerabilities.

Testing and Validation

  • Pre-Deployment Testing: Test patches in a controlled environment that replicates the production setting to ensure compatibility and effectiveness. This step helps identify potential issues before full deployment.
  • Post-Deployment Validation: Conduct thorough post-deployment checks to verify that patches have been successfully applied and that they do not negatively impact system functionality.
  • Advanced Test Cases: Automatically execute tests that validate the expected state of critical desktop and web-based applications before and after a patch is installed.
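The pre/post validation idea above amounts to snapshotting the application's expected state, applying the patch, snapshotting again and diffing. The Python below is an added example, not code from the whitepaper or from Replil's products; the host, its services, ports and configuration are an in-memory stand-in constructed for illustration, and in a real deployment each check would query the service manager, version string, listening sockets and configuration files. Everything is expected to be unchanged except the items the patch is supposed to alter, which must in fact have changed (a patch that silently failed to apply is a finding too).

```python
import hashlib
from typing import Any, Callable, Collection, Dict, List

def make_checks(host: Dict[str, Any]) -> Dict[str, Callable[[], Any]]:
    """Named checks describing the application's expected state.
    Constructed stand-ins reading an in-memory host dict."""
    return {
        "hmi_runtime_state": lambda: host["services"]["hmi_runtime"],
        "historian_state": lambda: host["services"]["historian"],
        "hmi_version": lambda: host["hmi_version"],
        "listening_ports": lambda: tuple(sorted(host["ports"])),
        "config_sha256": lambda: hashlib.sha256(host["config"]).hexdigest(),
    }

def snapshot(checks: Dict[str, Callable[[], Any]]) -> Dict[str, Any]:
    """Execute every check and record the observed value."""
    return {name: fn() for name, fn in checks.items()}

def validate(before: Dict[str, Any], after: Dict[str, Any],
             expected_to_change: Collection[str] = ()) -> List[str]:
    """Compare pre- and post-patch snapshots. Returns a list of findings;
    an empty list means the patch passed validation."""
    findings = []
    for name, old in before.items():
        new = after.get(name, "<missing>")
        if name in expected_to_change:
            if new == old:
                findings.append(f"{name}: expected to change but still {old!r}")
        elif new != old:
            findings.append(f"{name}: was {old!r}, now {new!r}")
    return findings

def fresh_host() -> Dict[str, Any]:
    """Constructed baseline of an HMI host before patching (hypothetical values)."""
    return {
        "services": {"hmi_runtime": "running", "historian": "running"},
        "hmi_version": "4.2.0",
        "ports": {443, 502, 4840},
        "config": b"alarm_limit=85\npoll_ms=500\n",
    }

def apply_patch(host: Dict[str, Any], mode: str) -> None:
    """Simulated patch outcomes: 'good' bumps the version only; 'faulty' also
    leaves the HMI runtime stopped and opens an extra port (the kind of
    regression post-deployment validation exists to catch); 'not_applied'
    changes nothing."""
    if mode == "not_applied":
        return
    host["hmi_version"] = "4.2.1"
    if mode == "faulty":
        host["services"]["hmi_runtime"] = "stopped"
        host["ports"].add(8080)

def validate_patch(mode: str = "good") -> List[str]:
    """Full pre/post cycle for one simulated host; returns the findings."""
    host = fresh_host()
    checks = make_checks(host)
    before = snapshot(checks)          # pre-deployment baseline
    apply_patch(host, mode)
    after = snapshot(checks)           # post-deployment state
    return validate(before, after, expected_to_change={"hmi_version"})

if __name__ == "__main__":
    for mode in ("good", "faulty", "not_applied"):
        findings = validate_patch(mode)
        print(f"{mode:12s} ->", "PASS" if not findings else findings)
```

Run as a script it prints PASS for the good patch, two findings (stopped HMI runtime, unexpected listening port) for the faulty one, and one finding for the patch that never applied. The same snapshot/diff structure is what a sandboxed pre-deployment test would run against the replica environment before the phased rollout begins.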

 

Written by: admin

