Patch management for industrial systems

IT/OT convergence in industrial control systems

Many IT components (software and equipment) in an industrial control system are similar to those used for a corporate system. These IT components complement and support OT components (software and equipment) for industrial control systems, where these two technologies converge. Businesses that manage patches for industrial systems the same way they would for corporate systems risk costly and preventable production shutdowns.

The key difference between the two systems is the period when patches can be applied and the extent of their impact. In fact, industrial control systems have fewer low-impact periods available, apart from planned production shutdowns.

For corporate systems, the patch management process is generally well defined. It is usually performed at night to lower any impact on users and follows a predetermined schedule. For example, minor patches can be applied every Tuesday evening, and major patches can be applied quarterly.

Ideally, for industrial control systems, patches must first be tested on independent test systems and applied during planned shutdowns. Plants that never shut down must absolutely validate patches on a test system before applying them to production systems. As a result, industrial companies cannot use automatic patch applications. We also recommend applying patches during the day, when there are workers on site who can offset any communication or production losses.

Varying consequences

When corporate systems experience an IT system service loss, it typically results in lower productivity by those who cannot use their computers for either a long or short period of time. For industrial control systems, an IT system service loss can lead to production losses, major mechanical breakdowns, worker injuries, hazardous spills into the environment and, in general, significant financial losses that could easily add up to hundreds of thousands of dollars.

So, it is important to develop patch application policies and procedures that are specific to industrial control systems that take the aforementioned into account and to ensure the company’s executive management supports this exercise.

Real risks

When systems run well, there is no need to change anything. However, right now, cyberattacks pose a threat that is at unprecedented levels, and the situation will not get any better. So, we must apply manufacturer patches to reduce industrial system vulnerabilities, especially when it comes to security.

Here are some essential elements of a patch application plan:

• Take an inventory of the IT and OT components of an industrial control system, including patchable programs and firmware.
• Document the way the patches were obtained and applied for each component.
• Establish patch application policies and procedures.
• Identify components that present any vulnerabilities.
• Prioritize vulnerabilities based on their criticality.
• Where possible, mitigate risks while waiting for patches (network segregation and others).
• Prioritize efforts based on the severity and criticality of vulnerabilities and the type of equipment.
• Test the patches before applying them.
• Plan patch application by designing a backtracking plan (for virtual machines, e.g., applying the patches to a clone).
• Coordinate patch application with production

Remember that even if industrial systems often use the same IT technology as those used by corporate systems, they cannot be handled the same way. Given the current context and in order to ensure maximum system security, it is imperative not to neglect patch management and application. All company stakeholders must work together to achieve a successful patch management strategy.

To learn more, contact us.

Other resources

https://www.us-cert.gov/sites/...

https://www.sans.org/reading-r...

https://www.nerc.com/files/CIP...