“WHITE PAPER” Patch Management in OT Environments

Introduction

Industrial Control Systems (ICS) and the underlying Operational Technology (OT) infrastructure are becoming more complex and face increasing threats that can disrupt operations and affect people's safety. The operational challenges of maintaining a robust and stable infrastructure while proactively detecting and mitigating threats stretch many companies’ capabilities and reaction time. One particularly challenging area is how to effectively mitigate and contain Cyber Security vulnerabilities in the infrastructure.


The process typically involves 5 phases:

  1. Ongoing Identification of Vulnerabilities in all Assets

  2. Research and Analysis of Patches Available for Mitigation

  3. Securely Obtaining the Patch Binaries from Legitimate Sources

  4. Applying Patches to Vulnerable Systems

  5. Reporting Status Before and After



Companies are facing increased pressure to improve current practices. Maturity of the process ranges from non-existent to a highly repeatable and secure process that continuously adapts to deal with new vulnerabilities and to improve speed of remediation. Often organizations are driven by internal or external compliance standards that demand a solid process to manage the risks and report status on an ongoing basis.


Quick look at each of the 5 Phases

The section below provides a high-level insight into the overall process of Patch Management. A detailed discussion can be viewed in the Dexcent whitepaper on this challenging but very important OT operational process to maintain a robust infrastructure.

1. Ongoing Identification of Vulnerabilities in all Assets

The process starts with discovering and maintaining a comprehensive and up-to-date OT infrastructure Cyber Assets Repository. Typical scope should include all OT cyber assets in all segments of your infrastructure at all layers of the network (e.g., Purdue model layers 3.5 all the way down to layer 1). Asset categorization and criticality profiles should be in place to enable focussed risk assessments and prioritization.

You cannot assess risk or protect your environment without a comprehensive view of all assets that may contain vulnerabilities that could be exploited by an adversary or threat agent. The process continues with regular, ongoing vulnerability analysis to identify the known vulnerabilities on all your cyber assets. If you are experiencing challenges with these capabilities in your environment, Dexcent can help you with comprehensive solutions.


2. Research and Analysis of Patches Available for Mitigation

The second phase in the process is to review and analyze all discovered vulnerabilities in your asset inventory. This includes criticality and applicability analysis to help identify risk and prioritize remediation activities. For certain control systems platforms (e.g., SCADA or DCS systems), the operating system or middleware application patches need to be validated and approved by the control systems vendor to ensure that the control systems software will not be adversely affected by the application of a particular patch to the underlying operating system or dependent subsystems. Some industries are driven by compliance standards and require detailed reporting and evidence of this process, which will support the follow-up activities towards remediation.

Here Dexcent can help with managed services that will address this requirement for all your identified assets with ongoing monthly researching, analysis and tracking, risk classification of vulnerabilities, evidence of applicable patches and identification of the vendor channels for securely obtaining the patch binaries, all wrapped-up in a single monthly report.


3. Securely Obtaining the Patch Binaries from Legitimate Sources

The 3rd phase of the process centres around the ability to obtain relevant security patches from trusted original vendor sources in a secure manner. This would include patches, updates, and firmware installers from original trusted vendor sources. The process needs to ensure that these patches are downloaded or acquired securely and that the patch binaries are intact, that is, that they have not been tampered with and that the integrity of each file has not been compromised during the process.
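One way to carry out the integrity check described above before any binary leaves the staging area, shown as an added example and not Dexcent's own tooling. It assumes the vendor publishes a SHA-256 manifest in sha256sum layout through a channel separate from the download; the function names, file names and contents are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large firmware images are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse 'HEXDIGEST  filename' lines (sha256sum layout); reject names with directory parts."""
    expected = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S.*)", line.strip())
        if not match or Path(match.group(2)).name != match.group(2):
            raise ValueError(f"manifest line {number} is malformed")
        expected[match.group(2)] = match.group(1).lower()
    return expected

def verify_patch_set(staging_dir, manifest_text):
    """Return {filename: status} for every file listed in the manifest or found in staging."""
    expected, results = parse_manifest(manifest_text), {}
    for name, digest in expected.items():
        candidate = Path(staging_dir) / name
        if not candidate.is_file():
            results[name] = "MISSING"
        else:
            matches = hmac.compare_digest(sha256_file(candidate), digest)
            results[name] = "OK" if matches else "HASH_MISMATCH"
    for extra in Path(staging_dir).iterdir():
        if extra.is_file() and extra.name not in expected:
            results[extra.name] = "NOT_IN_MANIFEST"  # unlisted files are never deployed
    return results

def demo():
    """Constructed sample: one intact file, one altered, one unlisted, one missing."""
    staged = {"hmi_update.msi": b"patch A", "plc_fw.bin": b"firmware, altered", "unlisted.exe": b"x"}
    listed = [("hmi_update.msi", b"patch A"), ("plc_fw.bin", b"firmware"), ("historian_kb.msu", b"")]
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in listed)
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in staged.items():
            (Path(tmp) / name).write_bytes(data)
        return verify_patch_set(tmp, manifest)
```

A matching hash only shows that a file equals what the manifest describes, so the manifest itself has to be authenticated (for example by a vendor signature) before it is trusted. Only files with status OK should move on to phase 4.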

Here Dexcent can help with managed services that address this requirement: monthly secure acquisition of all patches from all vendors for target assets, delivered to you through a secure and tamper-resistant mechanism.


4. Applying Patches to Vulnerable Systems

The second-last phase in the cycle is the application of the patch binaries to the targeted systems in a highly controlled process that could include a mix of automation and manual procedural effort. Patches for some assets may be deployable with a controlled patch distribution and implementation system, but the majority of assets in critical systems may need operator assistance and can be patched only during maintenance or turn-around cycles of the industrial processing facility. Many organizations have good practices and tools in place to do this in a controlled fashion, while others are at early maturity stages and need help.

Here Dexcent can help with consulting services to review and help develop processes and procedures that will address your requirements for monthly or scheduled secure application of the patches. These procedures must be complete per device category and ensure that successful deployment can be verified, or that a revert to a known-good previous state can be achieved if required. Furthermore, Dexcent can provide skilled resources to help with ongoing patch management activities on a full-time or part-time basis.


5. Reporting Status Before and After

The final phase in the patch management cycle is to report on status after the patch cycle is completed. These reports could vary from basic status to a comparison against the previous state and may include trending metrics. Sometimes the reports must meet specific regulatory compliance formats and periodicity requirements.
Again, Dexcent can help with recommendations, guidelines, creation and delivery of these reports based on your requirements.


Summary Conclusions

Dexcent has several years of experience in Industrial Control Systems (ICS) and has successfully delivered many industrial Cyber Security engagements, solutions, and operational services to our clients. Dexcent has noted that most organizations approach it as a trusted partner that listens and responds with a value proposition that truly enhances their capabilities and helps differentiate and prioritise where it matters most.


Free Whitepaper

How can an organization effectively mitigate and contain Cyber Security vulnerabilities in the infrastructure? The process involves 5 phases, described in detail in our Dexcent FREE White Paper called “Patch Management in OT Environments”, which can be downloaded below.
