
Cyber Security | Compliance | Industrial Computing

SIMPLIFYING THE PATCH MANAGEMENT PROCESS

www.icsupdate.com

Monta Elkins | Security Architect | FoxGuard Solutions


Why Patch?

Because You Need To


What Needs Patching?

EVERYTHING

(a lot more than you think)


How Can You Discover All Patch Releases?

With Great Difficulty


How Hard Is It To Keep Up?

Hard


What Does The DOE Sponsored Patch & Update Management Program (PUMP) Do?


How (You Might Ask)?

With Great Care


PATCH AND UPDATE MANAGEMENT PROGRAM

In 2013, the Department of Energy (DOE) selected FoxGuard Solutions’ Patch and Update Management Program in response to a DOE request for proposals.

FoxGuard Solutions was selected in part based upon our background in patch validation and automated patch deployment for GE, Toshiba, and others.

We have also partnered for development with Critical Intelligence, recently acquired by iSight Partners.


FOXGUARD PATCHING AROUND THE WORLD


FOXGUARD’S PATCHING SOLUTIONS ARE USED IN 167 ICS SITES, IN 36 STATES AND 15 COUNTRIES


OBLIGATORY DEFINITION SLIDE

What does “Patch” Mean?

A patch is a software update comprised of code inserted (or patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package.

-Techopedia


PATCH FUNCTIONS

Patches may do any of the following:

– Upgrade the software features
– Fix a software problem
– Address software stability issues
– Address security vulnerabilities

NERC CIP Requirements Hard for you to know

“Updates” and “Firmware” also perform these required functions, so consider them as well whenever I say “patch”


PATCH CREATOR SOURCES

Patches Come From Different Creators

Patch Creator Sources Include:

– OS Vendor
– SCADA Vendor
– Equipment Vendor
– Other Software Vendor
– A/V IDS Vendor


PATCH APPROVAL SOURCES

The Same Patch Can Have Various Approvals Depending On Patch Approval Source

Patch Approval Sources Include:

– OS Vendor
– SCADA Vendor
– Equipment Vendor
– Integrator Company


DESTINATION

The Same Patch Can Have Various Approval Statuses And Dates Depending On Both The Source And The Destination

[Figure: diagram labelled OS Vendor, SCADA Vendor, Integration Vendor, Corporate Computer, Plant Computer (x3), OS Patch, OS Patch & Application Patch, SCADA Patch, Integration Patch, Site Approval]

Programmable Electronic Devices (In NERC CIP Speak)

Virtually Everything That Plugs Into Power, Or Has Batteries (Monta Speak)

– Computers (HMIs, Workstations, Laptops, Thin Clients)
– Operating system (Windows, Linux, VxWorks)
– Other software (Acrobat Reader, Excel, Flash, Java)
– SCADA packages
– BIOS
– USB Controller
– Video Card Firmware
– Network Cards
– RAID Controller
– Printers
– USB Thumb drives


WHAT NEEDS SECURITY UPDATES/PATCHING?

ICS & Other Hardware

– PLCs
– RTUs
– Intelligent Sensors
– Intelligent Actuators
– VOIP Phones
– Displays/Monitors/TVs
– Test Equipment
– Scopes
– Meters
– Network Gear They Attach To
– Switches
– Firewalls
– IDS (Intrusion Detection Systems)
– Security gateways
– DLP (Data Loss Prevention)


COMBINATIONS

The same patch can have various approval statuses and dates depending on both the source and the destination


HOW DOES PUMP HELP?

Collection And Monitoring Of Patch/Update Metadata

– Aggregated Patch Release Information
– OS Vendors, SCADA Vendors, Hardware Vendors, Integrators
– Patch Applicability For Individual Devices
– Patch Approval Per Device, Per Vendor, Per Site
– With Links To Patch Source (Actual Patch Only Available From Vendor)

Internal Approval Process And “Patch Gap” Reporting

– Track Device Status: Patched, Out Of Date, Scheduled, Mitigation
– PUMP Can Train To Develop Approval/Validation Process

Related Discussion

– Anonymous Information Sharing With Reputation


WHEN YOU ARE SERIOUS ABOUT PATCHING

Patch Security Information

– Is This A Security Related Patch
– Are There Related CERT Notices, CVEs

Allow Multiple Customer Accounts With Access Control To Support Large Organizations (e.g.)

– Compliance Manager Role
– Implementation Engineer Role

Compliance Support Documentation

– e.g. CIP Requires Documenting Patch Sources For Cyber Assets And Evaluating Available Patches Every 35 Days

Positive Notification

– Notification For Each Device On A Regular Schedule
– Notification Of “Negative Change”


PUMP - MORE PATCHES AND UPDATES

Vendors

– If You Are A Vendor And Would Like Patch And Update Information Included About Your Products, Please Contact Us.
– Vendor Involvement Available, Contact Us
– Use BY Vendors (How Do You Keep Up With All Of Your Patch Sources?)

A Single Source To Check For All / Most Vendor Patch Information

– Links Provided
– Contracts With Your Vendor To GET Patches May Be Required
– If You Would Like To Request Specific Devices For Priority Implementation, Contact FoxGuard


AUTHENTICITY VERIFICATION TOOLSET

Patch And Update Authenticity Verification Toolset

– Verify File Hashes
– Verify Digital Signatures
– Tools, Training And Assistance For Vendors To Help Make Signed Hash Files Available For Their Patches / Updates

Where Hashes / Signatures Aren’t Available

– Provide Carefully Documented Community Hash Information To Identify Exceptions
– Provide Hash Data From Various Networks To Help Identify Man-in-the-middle Attacks
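The hash checks on this slide, sketched as an added example (not FoxGuard's toolset): a downloaded file is checked against a vendor hash when one exists, and otherwise against hashes reported from several networks. The function names, verdict strings, `min_networks` threshold and sample data are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess_download(file_bytes, vendor_sha256=None, observations=(), min_networks=3):
    """Classify a downloaded patch/update file.

    observations: (network_label, sha256_hex) pairs reported by other sites
    that fetched the same file over independent network paths.
    """
    local = sha256_hex(file_bytes)

    def result(verdict, outliers=()):
        return {"local": local, "verdict": verdict, "outliers": sorted(outliers)}

    if vendor_sha256 is not None:
        # A vendor-published (ideally signed) hash takes precedence.
        same = local == vendor_sha256.strip().lower()
        return result("vendor-match" if same else "vendor-mismatch")

    # No vendor hash: group community observations by the hash they report.
    networks_by_hash = defaultdict(set)
    for network, digest in observations:
        networks_by_hash[digest.strip().lower()].add(network)
    if not networks_by_hash:
        return result("insufficient-data")

    consensus, seen_by = max(networks_by_hash.items(), key=lambda kv: len(kv[1]))
    if len(seen_by) < min_networks:
        return result("insufficient-data")

    # Networks reporting a different hash are the exceptions to investigate.
    outliers = [n for h, nets in networks_by_hash.items() if h != consensus for n in nets]
    return result("community-match" if local == consensus else "local-outlier", outliers)


# Constructed sample data (not real firmware or real sites).
GOOD = b"constructed firmware image v2.1\n"
TAMPERED = GOOD + b"\x90"
OBSERVATIONS = [
    ("site-a", sha256_hex(GOOD)),
    ("site-b", sha256_hex(GOOD)),
    ("site-c", sha256_hex(GOOD)),
    ("site-d", sha256_hex(TAMPERED)),
]
```

A `local-outlier` verdict means the local copy differs from what most networks received, which is the man-in-the-middle signal the slide refers to; a non-empty `outliers` list points at another network whose download path deserves a look.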


FIRMWARE VERSION QUERY

Patch And Update Version Query

– Version Data Collection Engine - Per Device
– Gap Analysis And Reporting Dashboard
– Querying / “Scanning” Is Not “Network Scanning”
– Think modbus/telnet/ssh query to identify device and firmware
– Used In Combination With Patch Data Aggregator Service For Gap Analysis
– Also Used After Updates To Verify Firmware Installation
– Works In Conjunction With Your
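A per-device version query feeding a gap check, as an added example (not PUMP's collection engine): it parses the reply to the standard Modbus Read Device Identification function (0x2B, MEI type 0x0E) and compares the reported revision with an aggregated patch record. It assumes the device supports that function; the sample reply, the `CATALOG` record and the "Unknown" status are constructed for illustration.

```python
import re

# Standard basic object ids of Modbus Read Device Identification.
OBJECT_NAMES = {0x00: "vendor", 0x01: "product_code", 0x02: "revision"}


def parse_device_id(pdu: bytes) -> dict:
    """Parse a Read Device Identification (0x2B / MEI 0x0E) response PDU."""
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    fields, pos = {}, 7
    for _ in range(pdu[6]):  # pdu[6] = number of objects that follow
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, length = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2 : pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated object value")
        name = OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")
        fields[name] = value.decode("ascii", "replace")
        pos += 2 + length
    return fields


def version_tuple(text: str) -> tuple:
    # Compare numerically so that 2.10 sorts after 2.9.
    return tuple(int(n) for n in re.findall(r"\d+", text))


def gap_status(fields: dict, catalog: dict) -> str:
    """catalog maps (vendor, product_code) to the latest approved revision."""
    latest = catalog.get((fields.get("vendor"), fields.get("product_code")))
    if latest is None:
        return "Unknown"  # no aggregated patch data for this device
    current = version_tuple(fields.get("revision", ""))
    return "Patched" if current >= version_tuple(latest) else "Out Of Date"


def _obj(obj_id: int, value: bytes) -> bytes:
    return bytes([obj_id, len(value)]) + value


# Constructed response: basic identification, 3 objects, nothing more to follow.
SAMPLE_PDU = (bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
              + _obj(0x00, b"ExampleCo") + _obj(0x01, b"RTU-100") + _obj(0x02, b"V2.9"))
CATALOG = {("ExampleCo", "RTU-100"): "V2.10"}  # hypothetical aggregator record
```

Running the same check after an update confirms the firmware installation: the status moves from "Out Of Date" to "Patched" only when the device itself reports the new revision.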


PUMP DEMONSTRATION SITES

Provide Training, And Implementation, At Two Asset Owner’s Locations

Training programming includes all the necessary tools and skills to set up and implement a successful patch and update management program

– Including creating an approval/validation program

Testing a full validation cycle with patch and update deployment

End-user feedback gathered to
