Standardizing Practices for Industrial Systems Patch Management

By Eric Cosman

ARC Report Abstract

Effective patch management is an important element of a comprehensive security program for industrial control systems (ICS). The complexity and criticality of this environment present specific challenges for asset owners. They need practical guidance that acknowledges and addresses these challenges. Such guidance is available from several sources, including the ISA-TR62443-2-3 technical report that was released in 2015. While useful, guidance alone may not be sufficient. The guidance can take many forms, requiring interpretation and assessment to determine how to best apply it to a given situation. This may not be possible without consulting security experts.

The ISA99 committee (responsible for the 62443 series) has revised and reformatted the 62443-2-3 report as a normative standard that will soon be submitted to both ISA and IEC for review, comment, and eventual approval. What were previously recommendations will become requirements stated in a form more suitable for use in product assessments, requests for proposal, and procurement specifications. These requirements are also stated in terms of the accountability and responsibilities of each of the principal roles that form part of the foundation of the 62443 series. Finally, the patch life cycle and state model and the characterization schema can be used in formal conformance and compliance specifications.

Copies of the draft standard are available for review from the ISA committee. The committee members will consider all comments received as they finalize the standard.

The State of Patch Management for Industrial Systems

Virtually all current industrial control systems are hosted on commercial off-the-shelf (COTS) operating systems (e.g., Microsoft Windows). While this has increased the utility and capability of these systems, it has also exposed them to the same cybersecurity risks as business and consumer systems.

Several mitigating measures are available to reduce this risk, including system segmentation and configuration for specific security levels. However, all these measures depend on a comprehensive management-of-change program that includes selecting, evaluating, and applying software updates or patches. The scope of such a program must include system and application software, as well as any related configuration settings.

While operations and support personnel understand the importance of effective change management, the design and consistent execution of the necessary processes and procedures involve significant challenges due to the nature of the environment.

Control Systems Context

Industrial systems typically include a variety of hardware and software components, each with its own set of vulnerabilities and subject to different threats. In a large facility such as a refinery or integrated chemical complex there are often many separate systems that may or may not be integrated or managed by a single support group. The effort required to coordinate updates and patches to such systems can be significant. These characteristics and the associated challenges are similar to those of large data centers.

However, several characteristics of industrial systems set them apart from a management-of-change perspective. The most fundamental of these is the nature of the potential consequences of attack, compromise, or failure, which can include impact on process or personal safety or on equipment integrity.

Available Guidance

Fortunately, guidance on what is required for effective industrial systems patch management is available from several sources, including national laboratories, government agencies (e.g., NIST), and sector- and industry-specific groups. Some of this information was developed originally for use with general-purpose information systems and adapted for use in the ICS environment, while other references were developed specifically for the industrial environment. Regardless of the specific sources used, it is essential to interpret and implement guidance in a manner that is consistent with the constraints of this environment.

Challenges Remain

The amount and variety of guidance information presents a challenge, leading to confusion as to which source provides the "best" starting point. Moreover, some content may not be entirely suitable for use with industrial systems, and the terminology and concepts used may not be familiar to a typical operations or plant engineer. The result is that operations staff may select and use practices that are ineffective or labor intensive.

More Than Guidance Required

While guidance is certainly valuable, the reality is that it is often not sufficient or effective. Guidance documents commonly provide only recommendations, leaving the reader to decide how to turn these into an effective response. This may not be possible without consulting security experts. Also, guidance documents are usually assumed to be directed primarily to asset owners. Suppliers and system integrators may not be aware of them, or may not feel that they need to follow the direction provided. Those filling these roles commonly respond more readily to standards expressed as normative requirements, such as those often cited in procurement specifications.

ISA/IEC 62443

In creating the ISA/IEC 62443 standards the authors attempted to address some of these challenges. The technical report ISA-TR62443-2-3 (Patch Management in the IACS Environment) provides informative guidance with respect to patch management in an ICS environment. It was approved by committees in both ISA and IEC and published in 2015. Copies may be purchased from either ISA or IEC.


ARC Advisory Group clients can view the complete report at ARC Client Portal   

If you would like to buy this report or obtain information about how to become a client, please Contact Us    

Keywords: Management of Change, Patch, Risk, Threat, Update, Upgrade, Vulnerability, ARC Advisory Group.

Engage with ARC Advisory Group