How to patch?
Information gathering
New security vulnerabilities are discovered and published almost daily. Patches are important because they provide a way to mitigate these vulnerabilities.
Oftentimes vendors will publish security advisories on their website when a new vulnerability is discovered or patched. Most vendors also give you the option to subscribe to this advisory page so that you get a notification when an update is posted. This helps with keeping track of how vulnerable your assets are.
Evaluate
Patching is also a risk management issue: there are risks involved in choosing to apply or not apply a given patch. Patches are changes and may impact safety, reliability, certification, or performance. By applying a patch, you risk that other applications in the system are no longer compatible and start causing issues, or that vendors no longer provide support. Some vendors offer compatibility lists on their website, listing the versions that are compatible and the versions they expect to break your application. It is good practice to check this with your supplier before applying a patch.
Test
It is recommended to test a patch before applying it to a production system.
This can be done in multiple ways:
- Set up a separate test environment with the same hardware/software and apply the patch
- Simulate your environment with virtual machines and apply the patch
- Test the patch on one part of a redundant system so that you have a backup system in case it fails
Also, make sure you have backups that can be restored to the pre-patch state in case of problems!
Deploy
Most industrial control systems run 24/7 and need high availability. Applying a patch will most likely cause downtime because the component will need to reboot. This makes efficient patch management hard in an ICS environment and leaves these devices highly vulnerable. A good practice is to plan security updates on a regular schedule; this can, for example, be combined with planned maintenance windows. The IEC 62443 series document on patch management suggests using a severity-based patch management timeframe: a target patch installation timeframe is defined based on the priority level (and associated risk) of the vulnerability.
Verify & Report
After installation of the patch, verify that it was applied successfully. If something went wrong during the patching process your system might still be vulnerable, and you can resolve this before restarting operations. Documenting your patching process also shows, in case of a cyber incident, that you actively tried to mitigate known risks.
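The steps above (gather advisories, evaluate which assets are affected, deploy within a severity-based timeframe, then verify and report) can be tracked with a small script. The following is an added example, not code from the original article or from any vendor or standard: the asset names, product names, versions, advisory IDs and the severity-to-days mapping are all constructed placeholders, and the real installation timeframes must come from your own risk assessment and the IEC 62443 guidance, not from this table.

```python
"""Added example: a minimal patch-tracking workflow for an ICS inventory.
Matches vendor advisories against installed versions, assigns a target
installation date per severity, and after the maintenance window verifies
that the fixed version is actually installed. All data below is constructed."""

from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical severity-based timeframes in days (assumption, not IEC 62443 figures).
TARGET_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def parse_version(v: str) -> tuple:
    """Turn '3.10.2' into (3, 10, 2) so versions compare numerically.
    A plain string comparison would wrongly rank '3.9' above '3.10'."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Asset:
    name: str
    product: str
    version: str          # version currently installed on the device


@dataclass
class Advisory:
    advisory_id: str
    product: str
    fixed_version: str    # first version that contains the fix
    severity: str


@dataclass
class PatchTask:
    asset: str
    advisory_id: str
    severity: str
    target_date: date
    status: str = "pending"


def find_affected(assets, advisories, published: date):
    """Information gathering + evaluate: every asset running a version below
    the fixed version gets a task whose deadline follows its severity."""
    tasks = []
    for adv in advisories:
        for asset in assets:
            if asset.product != adv.product:
                continue
            if parse_version(asset.version) < parse_version(adv.fixed_version):
                deadline = published + timedelta(days=TARGET_DAYS[adv.severity])
                tasks.append(PatchTask(asset.name, adv.advisory_id, adv.severity, deadline))
    return tasks


def verify(task: PatchTask, asset: Asset, advisories, checked: date) -> PatchTask:
    """Verify step: re-read the installed version after deployment. Only a
    version at or above the fixed version counts as patched; an unpatched
    asset past its target date is flagged as overdue for the report."""
    adv = next(a for a in advisories if a.advisory_id == task.advisory_id)
    if parse_version(asset.version) >= parse_version(adv.fixed_version):
        task.status = "patched"
    elif checked > task.target_date:
        task.status = "overdue"
    else:
        task.status = "pending"
    return task


def report(tasks) -> list:
    """Report step: one line per task, suitable for the patching record."""
    return [f"{t.asset} {t.advisory_id} {t.severity} due {t.target_date.isoformat()} {t.status}"
            for t in tasks]


def demo():
    """Run the workflow on constructed sample data; returns the verified tasks."""
    assets = [Asset("PLC-01", "plc-firmware", "2.3.0"),
              Asset("PLC-02", "plc-firmware", "2.4.1"),
              Asset("HMI-01", "hmi-runtime", "5.0.3")]
    advisories = [Advisory("ADV-0001", "plc-firmware", "2.4.0", "critical"),
                  Advisory("ADV-0002", "hmi-runtime", "5.1.0", "medium")]
    tasks = find_affected(assets, advisories, published=date(2024, 1, 10))
    # Deploy (simulated): PLC-01 was updated in the maintenance window, HMI-01 was not.
    after = {"PLC-01": Asset("PLC-01", "plc-firmware", "2.4.0"),
             "HMI-01": Asset("HMI-01", "hmi-runtime", "5.0.3")}
    return [verify(t, after[t.asset], advisories, checked=date(2024, 5, 1)) for t in tasks]


if __name__ == "__main__":
    for line in report(demo()):
        print(line)
```

The verification deliberately compares the installed version read back from the device rather than trusting the deployment job's exit status, which is the check the "Verify" step above asks for; a task that stays unpatched past its deadline surfaces as overdue in the report so the gap is visible in the patching record.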