Across the ICS (industrial control system) realm, ensuring security and operational integrity is crucial for organizations in various sectors, amidst the increasing number of cybersecurity threats and attacks. In line with this, the strategies deployed for carrying out patch management across ICS environments should be very carefully planned and performed to ensure minimal operational disruption and risk.
Unlike a typical IT environment, ICS systems normally run continuously and are sensitive to any downtime, so traditional patch management methods become less practical. A successful ICS patching strategy therefore begins with an asset inventory and a vulnerability assessment. System criticality and system interaction must be considered when prioritizing patches: systems are categorized by risk exposure and operational importance, and patches are applied first to those that carry the greatest risk and the largest operational impact.
Another good strategy is to establish a test environment that parallels the production system, so patches can be deployed and tested without affecting the operational stability of the live ICS. This step ensures that patches neither introduce new vulnerabilities nor disturb the functioning of specialized ICS equipment. Coordination with vendors is also necessary, since most ICS components are integrated with proprietary software and hardware; a good vendor relationship provides access to timely patches and other support.
Lastly, a progressive rollout may be appropriate: operators update only one network segment at a time and monitor the effects of the patch for any disruption. With this segmented approach, a patch can be rolled back quickly if problems appear, without affecting all functionality. In summary, patching ICS environments needs a balanced approach that weighs enhanced security measures against the operational requirements of industrial systems. Proper testing, coordination and integration with vendors, followed by staggered deployment, can ensure that an organization's ICS assets are well protected while operations remain uninterrupted.
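The procedure described above (validate in a parallel test environment, then roll out one network segment at a time, monitor, and roll the segment back on trouble) as a small simulation. This is an added illustration, not code from the article or from any vendor tool; the asset names, segments, patch identifier and health outcomes are constructed, and apply_patch, health_check and rollback are stand-ins for whatever deployment and monitoring mechanism a site actually uses.

```python
"""Staged, segment-by-segment patch rollout with a test-environment gate,
per-segment health monitoring and rollback (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Asset:
    name: str
    segment: str                      # network segment the asset lives in
    healthy_after_patch: bool = True  # constructed: what the health probe will report
    applied: Optional[str] = None     # patch currently installed (None = unpatched)


@dataclass
class Patch:
    patch_id: str                     # constructed identifier, not a real KB/advisory
    validated_in_test_env: bool       # True only after the parallel test system passed


@dataclass
class RolloutResult:
    patched: List[str] = field(default_factory=list)
    rolled_back: List[str] = field(default_factory=list)
    halted_at: Optional[str] = None   # segment where monitoring detected a problem
    reason: str = ""


def apply_patch(asset: Asset, patch: Patch) -> None:
    """Stand-in for the real deployment step (WSUS/SCCM job, vendor tool, file share)."""
    asset.applied = patch.patch_id


def health_check(asset: Asset) -> bool:
    """Stand-in for post-patch monitoring (process values, comms, service state)."""
    return asset.healthy_after_patch


def rollback(asset: Asset) -> None:
    """Stand-in for restoring one asset to its pre-patch state."""
    asset.applied = None


def staged_rollout(assets: List[Asset], patch: Patch, segment_order: List[str]) -> RolloutResult:
    """Patch one segment at a time; stop and roll the segment back on the first failure."""
    result = RolloutResult()
    if not patch.validated_in_test_env:
        result.reason = "patch not validated in the parallel test environment"
        return result                       # never touch production with an untested patch
    for segment in segment_order:
        batch = [a for a in assets if a.segment == segment]
        for a in batch:
            apply_patch(a, patch)
        failing = [a.name for a in batch if not health_check(a)]
        if failing:
            for a in batch:                 # revert the whole segment, not just the failing host
                rollback(a)
            result.rolled_back.extend(a.name for a in batch)
            result.halted_at = segment
            result.reason = "health check failed on " + ", ".join(failing)
            return result                   # remaining segments are left untouched
        result.patched.extend(a.name for a in batch)
    result.reason = "completed"
    return result


SEGMENT_ORDER = ["seg-A", "seg-B", "seg-C"]   # least critical segment first (constructed)


def sample_inventory() -> List[Asset]:
    """Constructed inventory; one host in seg-B will fail its post-patch health check."""
    return [
        Asset("hmi-01", "seg-A"),
        Asset("hmi-02", "seg-A"),
        Asset("historian-01", "seg-B"),
        Asset("eng-ws-01", "seg-B", healthy_after_patch=False),
        Asset("hmi-03", "seg-C"),
    ]


if __name__ == "__main__":
    res = staged_rollout(sample_inventory(), Patch("PATCH-CONSTRUCTED-001", True), SEGMENT_ORDER)
    print(f"patched={res.patched} rolled_back={res.rolled_back} halted_at={res.halted_at}")
    print(res.reason)
```

The rollback covers the whole segment rather than only the failing host so that the segment returns to a known, uniform state before anyone investigates; the untouched segments are the reason a problem stays contained.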
Addressing patching frequency, challenges, best practices
Industrial Cyber reached out to cybersecurity experts to ascertain the frequency of patching in ICS environments and the factors affecting this schedule. They also explored the common tools and technologies employed for patch management in these settings, as well as the significance of automation and orchestration tools in streamlining this process.
Rick Kaun, vice president for solutions at Verve Industrial, told Industrial Cyber that patching varies widely based on industry, company, site, time of year, etc. “Some have not patched in years. Others only patch during small windows of downtime. Still others patch only under specific conditions such as vendor approval, whether it’s been tested, or if there is a workaround. Free tools like WSUS and SCCM don’t scale well. Some may buy third-party patching tools, and yet others manually patch using network file shares, pull down, and executions.”
He added that automation and orchestration are the biggest pieces of the puzzle many haven’t yet discovered or leveraged fully. “I advocate a ‘Think Global, Act Local’ approach to OT risk reduction: A global view of all assets at all sites with contextual data of that asset (relative to available patches, vulns, exploits attached to vulns, filters to highlight specific vendors, asset criticality to operations, current status of fallback or restoration options). A list of patches (or vulnerabilities) without context is not very helpful. Using the data to create a prioritized path forward based on contextual risk allows for a consistent and measured approach to what to do, where, and how urgently.”
Kaun noted that the activity can also be facilitated with certain types of patch (or other compensating action) tools. “The ability to schedule patch file deployment (maybe just loading locally but not installing), or to enumerate and remove common exploit factors like the guest account or remote desktop services allows for the automation of consistent but also staged actions (i.e., load the patch, notify the user, but do nothing until the user accepts the action). This combination has been measured to reduce effort by up to 70% when compared to manual efforts and stand-alone tools,” he added.
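The contextual prioritization described earlier in the article (rank by risk exposure and operational importance) and in Kaun's “Think Global, Act Local” remarks (a global asset view with patch availability, exploit status, criticality and restoration status, filterable by site or vendor), together with the staged action he describes (load the patch, notify, install only on acceptance), as one worked example. This is added illustration code, not from the article, Verve Industrial or any product; the asset records, the weights in risk_score, the action strings and the patch identifier are constructed assumptions, and a real deployment would feed this from its own inventory and vulnerability data.

```python
"""Contextual patch prioritization plus a staged (load / notify / accept) action
workflow. Added example with constructed data and constructed risk weights."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AssetContext:
    asset: str
    site: str
    vendor: str
    criticality: int          # 1 (ancillary) .. 5 (process-critical); constructed scale
    patch_available: bool
    exploit_public: bool      # a public exploit is attached to the open vulnerability
    vendor_approved: bool     # vendor has cleared the patch for this equipment
    restorable: bool          # a tested backup / fallback option exists


def risk_score(ctx: AssetContext) -> int:
    """Constructed weighting: operational impact (criticality) plus likelihood (exploit)."""
    score = ctx.criticality * 2
    if ctx.exploit_public:
        score += 5
    return score


def recommended_action(ctx: AssetContext) -> str:
    """Patch when it is possible and safe; otherwise fall back to a compensating control."""
    if not ctx.patch_available:
        return "compensating control (no patch available)"
    if not ctx.vendor_approved:
        return "compensating control (vendor approval pending)"
    if not ctx.restorable:
        return "create restore point, then patch"
    return "patch"


def prioritize(contexts: List[AssetContext], site: Optional[str] = None,
               vendor: Optional[str] = None) -> List[Tuple[str, int, str]]:
    """Global view, narrowed to a site and/or vendor, ordered by contextual risk."""
    selected = [c for c in contexts
                if (site is None or c.site == site) and (vendor is None or c.vendor == vendor)]
    ranked = sorted(selected, key=lambda c: (-risk_score(c), c.asset))
    return [(c.asset, risk_score(c), recommended_action(c)) for c in ranked]


class Stage(Enum):
    QUEUED = "queued"
    LOADED = "loaded"                        # file staged on the host, nothing installed
    AWAITING_APPROVAL = "awaiting_approval"  # operator notified, waiting for a decision
    INSTALLED = "installed"
    REJECTED = "rejected"


class StagedPatch:
    """Each step is explicit and ordered; installation happens only after acceptance."""

    def __init__(self, asset: str, patch_id: str):
        self.asset, self.patch_id, self.stage = asset, patch_id, Stage.QUEUED

    def _require(self, expected: Stage) -> None:
        if self.stage is not expected:
            raise RuntimeError(f"{self.asset}: expected {expected.value}, is {self.stage.value}")

    def load(self) -> Stage:
        self._require(Stage.QUEUED)
        self.stage = Stage.LOADED
        return self.stage

    def notify(self) -> Stage:
        self._require(Stage.LOADED)
        self.stage = Stage.AWAITING_APPROVAL
        return self.stage

    def decide(self, accepted: bool) -> Stage:
        self._require(Stage.AWAITING_APPROVAL)
        self.stage = Stage.INSTALLED if accepted else Stage.REJECTED
        return self.stage


# Constructed inventory records (names, sites and vendors are placeholders).
SAMPLE_CONTEXTS = [
    AssetContext("plc-hmi-01", "plant-north", "VendorX", 5, True, True, True, True),
    AssetContext("historian-02", "plant-north", "VendorY", 3, True, False, True, False),
    AssetContext("eng-ws-07", "plant-north", "VendorX", 2, True, True, False, True),
    AssetContext("rtu-44", "plant-south", "VendorY", 4, False, False, False, True),
]

if __name__ == "__main__":
    for asset, score, action in prioritize(SAMPLE_CONTEXTS):
        print(f"{score:>3}  {asset:<14} {action}")
    sp = StagedPatch("historian-02", "PATCH-CONSTRUCTED-01")
    sp.load(); sp.notify()
    print(sp.asset, sp.decide(accepted=True).value)
```

The ranking deliberately separates urgency (how soon) from action (what): a critical asset with a public exploit but no approved patch still ranks near the top, with a compensating control rather than a patch as the recommended step. The StagedPatch state machine refuses out-of-order transitions, so an automated job can pre-load files across many hosts while the install itself remains an operator decision.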