
DOCUMENT INFORMATION

Title: IEC TR 62443-2-3:2015-06 - Patch management in the IACS environment
Institution: International Electrotechnical Commission (IEC) - Geneva, Switzerland
Field: Industrial Automation and Control Systems Security
Type: Technical Report
Year of publication: 2015
City: Geneva
Pages: 66
Size: 1.65 MB


IEC TR 62443-2-3

Edition 1.0 2015-06

Security for industrial automation and control systems –

Part 2-3: Patch management in the IACS environment

THIS PUBLICATION IS COPYRIGHT PROTECTED

Copyright © 2015 IEC, Geneva, Switzerland


CONTENTS

FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions, abbreviated terms and acronyms
3.1 Terms and definitions
3.2 Abbreviated terms and acronyms
4 Industrial automation and control system patching
4.1 Patching problems faced in industrial automation and control systems
4.2 Impacts of poor patch management
4.3 Obsolete IACS patch management mitigation
4.4 Patch lifecycle state
5 Recommended requirements for asset owner
6 Recommended requirements for IACS product supplier
7 Exchanging patch information
7.1 General
7.2 Patch information exchange format
7.3 Patch compatibility information filename convention
7.4 VPC file schema
7.5 VPC file element definition
Annex A (informative) VPC XSD file format
A.1 VPC XSD file format specification
A.2 Core component types
A.2.1 Overview
A.2.2 CodeType
A.2.3 DateTimeType
A.2.4 IdentifierType
A.2.5 IndicatorType
A.2.6 TextType
Annex B (informative) IACS asset owner guidance on patching
B.1 Annex organization
B.2 Overview
B.3 Information gathering
B.3.1 Inventory of existing environment
B.3.2 Tools for manual and automatic scanning
B.3.3 IACS product supplier contact and relationship building
B.3.4 Supportability and product supplier product lifecycle
B.3.5 Evaluation and assessment of existing environment
B.3.6 Classification and categorization of assets/hardware/software
B.4 Project planning and implementation
B.4.1 Overview
B.4.2 Developing the business case
B.4.3 Establishing and assigning roles and responsibilities
B.4.4 Testing environment and infrastructure
B.4.5 Implement backup and restoration infrastructure
B.5 Monitoring and evaluation
B.5.1 Overview
B.5.2 Monitoring and identification of security related patches
B.5.3 Determining patch applicability
B.5.4 Impact, criticality and risk assessment
B.5.5 Decision for installation
B.6 Patch testing
B.6.1 Patch testing process
B.6.2 Asset owner qualification of security patches prior to installation
B.6.3 Determining patch file authenticity
B.6.4 Review functional and security changes from patches
B.6.5 Installation procedure
B.6.6 Patch qualification and validation
B.6.7 Patch removal, roll back, restoration procedures
B.6.8 Risk mitigation alternatives
B.7 Patch deployment and installation
B.7.1 Patch deployment and installation process
B.7.2 Notification of affected parties
B.7.3 Preparation
B.7.4 Phased scheduling and installation
B.7.5 Verification of patch installation
B.7.6 Staff training and drills
B.8 Operating an IACS patch management program
B.8.1 Overview
B.8.2 Change management
B.8.3 Vulnerability awareness
B.8.4 Outage scheduling
B.8.5 Security hardening
B.8.6 Inventory and data maintenance
B.8.7 Procuring or adding new devices
B.8.8 Patch management reporting and KPIs
Annex C (informative) IACS product supplier / service provider guidance on patching
C.1 Annex organization
C.2 Discovery of vulnerabilities
C.2.1 General
C.2.2 Vulnerability discovery and identification within the product
C.2.3 Vulnerability discovery and identification within externally sourced product components
C.3 Development, verification and validation of security updates
C.4 Distribution of cyber security updates
C.5 Communication and outreach
Bibliography

Figure 1 – Patch state model
Figure 2 – VPC file schema
Figure 3 – VPC file schema diagram format
Figure B.1 – IACS patch management workflow
Figure B.3 – Sample responsibilities chart
Figure B.4 – Patch monitoring and evaluation process
Figure B.5 – A patch testing process
Figure B.6 – A patch deployment and installation process

Table 1 – Patch lifecycle states
Table 2 – VPC XSD PatchData file elements
Table 3 – VPC XSD PatchVendor file elements
Table 4 – VPC XSD Patch file elements
Table 5 – VPC XSD VendorProduct file elements
Table A.1 – CodeType optional attributes
Table A.2 – DateTimeType optional attributes
Table A.3 – IdentifierType optional attributes
Table A.4 – IndicatorType optional attributes
Table A.5 – TextType optional attributes
Table B.1 – Sample product supplier profile
Table B.2 – Communication capabilities
Table B.3 – Sample software categorization
Table B.4 – Responsibility assignment definition
Table B.5 – Sample severity based patch management timeframes

INTERNATIONAL ELECTROTECHNICAL COMMISSION

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a different kind from that which is normally published as an International Standard, for example "state of the art".

Technical Report IEC 62443-2-3 has been prepared by ISA Technical Committee 99 in partnership with IEC technical committee 65: Industrial-process measurement, control and

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

A list of all parts in the IEC 62443 series, published under the general title Security for industrial automation and control systems, can be found on the IEC website.

The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be

Cyber security is an increasingly important topic in modern organizations. Many organizations involved in information technology (IT) and business have been concerned with cyber security for many years and have well-established information security management systems (ISMS) in place as defined by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), in ISO/IEC 27001 and ISO/IEC 27002. These management systems provide an organization with a well-established method for protecting its assets from cyber-attacks.

Industrial Automation and Control Systems (IACS) suppliers and owners are using commercial-off-the-shelf (COTS) technology developed for business systems in their everyday processes. This provides an increased opportunity for cyber-attack against the IACS equipment, since COTS systems are more widely known and used. There has also been new interest in ICS security research that has uncovered numerous device vulnerabilities as well. Successful attacks against industrial systems may lead to health, safety and environmental (HSE) consequences.

Organizations may try to use the business cyber security strategy to address security for IACS without understanding the consequences. While many of these solutions can be applied to IACS, they need to be applied in the correct way to eliminate inadvertent consequences.

This technical report addresses the patch management aspect of IACS cyber security. Patch management is part of a comprehensive cyber security strategy that increases cyber security through the installation of patches, also called software updates, software upgrades, firmware upgrades, service packs, hotfixes, basic input output system (BIOS) updates and other digital electronic program updates that resolve bugs, operability, reliability and cyber security vulnerabilities. This technical report introduces to the reader many of the problems and industry concerns associated with IACS patch management for asset owners and IACS product suppliers. It also describes the impacts poor patch management can have on the reliability and/or operability of the IACS.

SECURITY FOR INDUSTRIAL AUTOMATION

Part 2-3: Patch management in the IACS environment

This part of IEC 62443, which is a Technical Report, describes requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch management program.

This Technical Report recommends a defined format for the distribution of information about security patches from asset owners to IACS product suppliers, a definition of some of the activities associated with the development of the patch information by IACS product suppliers and deployment and installation of the patches by asset owners. The exchange format and activities are defined for use in security related patches; however, it may also be applicable for non-security related patches or updates.

The Technical Report does not differentiate between patches made available for the operating systems (OSs), applications or devices. It does not differentiate between the product suppliers that supply the infrastructure components or the IACS applications; it provides guidance for all patches applicable to the IACS. Additionally, the type of patch can be for the resolution of bugs, reliability issues, operability issues or security vulnerabilities.

NOTE 1 This Technical Report does not provide guidance on the ethics and approaches for the discovery and disclosure of security vulnerabilities affecting IACS. This is a general issue outside the scope of this report.

NOTE 2 This Technical Report does not provide guidance on the mitigation of vulnerabilities in the period between when the vulnerability is discovered and the date that the patch resolving the vulnerability is created. For guidance on multiple countermeasures to mitigate security risks as part of an IACS security management system (IACS-SMS), refer to, Annexes B.4.5, B.4.6 and B.8.5 in this Technical Report and other documents in the IEC 62443 series.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

IEC TS 62443-1-1, Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models

IEC 62443-2-1, Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program

3 Terms, definitions, abbreviated terms and acronyms

3.1 Terms and definitions

For the purposes of this document, the terms and definitions given in the normative references specified in Clause 2, as well as the following, apply:

3.1.1

bug

flaw in the original development of software (such as a security vulnerability), which causes it to perform or behave in an unintended manner (such as cause reliability or operability issues)

3.1.2

patch

incremental software change in order to address a security vulnerability, a bug, reliability or operability issue (update) or add a new feature (upgrade)

Note 1 to entry: Patches may also be called software updates, software upgrades, firmware upgrades, service packs, hotfixes, basic input output system (BIOS) updates, security advisories and other digital electronic program updates.

3.1.3

patch lifecycle

period in time that a patch is recommended or created until the patch is installed

Note 1 to entry: In the context of this technical report, this lifecycle begins when the patch is created and made available.

Note 2 to entry: Some feel that the patching lifecycle begins when the vulnerability has been disclosed. However, it is not possible for this technical report to provide all possible guidance for the mitigation of vulnerabilities for the period between disclosure of a vulnerability, the decision to create a patch and the availability of a patch. It is also to the discretion of the software developer or product supplier to determine if they develop a patch.

3.1.4

patch management

set of processes used to monitor patch releases, decide which patches should be installed to which system under consideration (SuC), if the patch should be tested prior to installation on a production SuC, at which specified time the patch should be installed and of tracking the

BIOS Basic input output system
CCTS Core Components Technical Specification
CERT Cyber Emergency Response Team, Computer Emergency Readiness Team or other regional/industry variant
IACS Industrial automation and control system(s)
IACS-SMS IACS security management system
IEC International Electro-technical Commission
ISA International Society of Automation
ISMS Information security management system
ISO International Organization for Standardization
MESA Manufacturing Enterprise Solutions Association International
NERC North American Electric Reliability Corporation
NISCC [US] National Infrastructure Security Co-ordination Centre
OAGIS Open Application Group Integration Specification
OEM Original equipment manufacturer
PLC Programmable logic controller
RACI Responsible, accountable, consulted, informed
SMTP Simple Mail Transfer Protocol
UN/CEFACT United Nations Centre for Trade Facilitation and Electronic Business
URI Uniform resource identifier
US-CERT United States Computer Emergency Readiness Team

4 Industrial automation and control system patching

4.1 Patching problems faced in industrial automation and control systems

There are many challenges that asset owners face when attempting to implement a patch management program for their IACS. Patching an IACS means changing the IACS and changes can negatively affect its safety, operability or reliability if not performed correctly. Preparing an IACS to be patched can require a tremendous amount of work and asset owners may struggle for the necessary resources to address the added workload. For each patch and for each product they own, an asset owner will have to gather and analyze patch information for each device, install and verify on a test system, ensure backups are created before and after, ensure testing again before turning the system back over to operations and finally track all the necessary documentation of the changes.

Due to the resources and efforts recommended to patch an IACS most organizations schedule patch installation during other normal routine maintenance outages. Sometimes these outage windows are quarterly, yearly or even less frequently. Some extremely critical systems may not have outage windows available and can therefore not be patched if a system outage is required to do so.

Applying patches is a risk management decision. If the cost of applying patches is greater than the risk evaluated cost, then the patch may be delayed, especially if there are other security controls in place that mitigate the risk (such as disable or remove features).

The unintended consequences of a poor patch management program can include:

• incompatibility between patches and control system software;

• false positives due to antivirus and anti-malware; and

• degradation of system performance, reliability and operability with insufficient testing.

For additional information, see B.4.2.

4.2 Impacts of poor patch management

Adversaries (for example, malicious threat actors) will always have an advantage over their targets given the challenges product suppliers and asset owners face in keeping their systems up to date to minimize security risk caused by vulnerabilities. The moment a vulnerability is disclosed, whether by well-intentioned or malicious intent, the problem is then transferred primarily to the asset owner to apply the patch as quickly as possible. The asset owner may or may not be able to apply the patch and it becomes a risk-based decision on how to mitigate the vulnerability risk. Though it may never be possible to eliminate all software vulnerabilities, there should be no excuse for not evaluating the risk of the vulnerability and determining when and how patches should be applied.

The primary impact of poor IACS patch management is an increased risk of loss or compromise of an IACS system. Unlike for example office or enterprise systems, compromise of an IACS may have consequences beyond the loss of data or downtime of the system. A compromise of an IACS may impact system safety, the physical safety of operational personnel, the quality of produced products, the safety of produced products and the usability of produced products.

For additional information, see B.4.2.

NOTE 1 If critical documentation on the production of a product is lost, the product may have to be scrapped, even if there was no physical damage done to the product (such as pharmaceutical development, food production, etc.)

NOTE 2 Directed attacks of unpatched IACS systems may even result in the destruction of equipment. Undirected attacks of unpatched IACS systems, where the IACS system is not a primary target, may still cause the loss of control with resultant risks to safety and product quality. One example of such an attack is Structured Query

4.3 Obsolete IACS patch management mitigation

Asset owners may experience the situation where products are no longer supported by their suppliers but have reported vulnerabilities. IACS systems are typically in production for decades and adversaries know these older systems are vulnerable. Asset owners need to consider other mitigations when patching is not an option.

For additional information on countermeasures to mitigate security risks as part of an IACS patch management process see Annexes B.4.5, B.4.6 and B.5.5, and other documents in the IEC 62443 series.

4.4 Patch lifecycle state

Patches have a defined lifecycle state model. They progress from available to authorized to effective and installed. Not all patches available are relevant to the IACS and not all patches are compatible with the IACS application. It is important for an effective IACS patch management process to know the state of all available patches. Lifecycle states for patches

Not Approved | The patch has failed the testing of the IACS supplier and should not be used, unless and until the IACS supplier confirms that the patch has been Approved | Product supplier
Not Applicable | The patch has been tested and is not considered relevant to IACS use | Product supplier
Released | The patch is released for use by the IACS supplier or third party, or the patch may be directly applicable by the asset owner for their internally developed systems | Asset owner, Product supplier
In Internal Test | The patch is being tested by the asset owner testing team | Asset owner
Not Authorized | The patch has failed internal testing, or may not be applicable | Asset owner
Authorized | The patch is released by the asset owner and meets company standards for updatable devices, or by inspection did not need testing | Asset owner

The state model for lifecycle states is shown in Figure 1. The states maintained by the IACS product supplier are in the dark gray area in the left half of the figure. The states maintained by the IACS asset owner are in the light grey area in the right half of the figure. The transitions between states are activities of the asset owners or the product suppliers, as defined in the other parts of this report.

Figure 1 – Patch state model

5 Recommended requirements for asset owner

Asset owners have an implied obligation to uphold the safety, reliability, operability, security and quality of their operation. Achieving cyber security assurance, through patching IACS assets, is a critical part of that obligation.

IACS asset owners should:

a) establish and maintain an inventory of all electronic devices associated with the IACS, that may be updated by: modification of their functionality, configuration, operation, software, firmware, operating code, etc. These devices should be referred to as ‘updatable’ devices;

b) establish and maintain an accurate record of the currently installed version for each device, called the ‘installed’ version;

c) determine on a regular schedule what upgrades and updates are available for each device, called the ‘latest’ version;

d) determine on a regular schedule the ‘released versions’ of upgrades and updates which are identified as compatible by the IACS product supplier and meet the asset owners standard for ‘updatable’ devices;

e) test the installation of IACS patches in a way that accurately reflects the production environment, so as to ensure that the reliability and operability of the IACS is not negatively affected when patches are installed on the IACS in the actual production environment. Patches which have successfully passed these tests are called the ‘authorized patches’;

f) schedule authorized, effective patches for installation at the next available opportunity within the constraints of system design (for example, redundancy, fault tolerance, safety) and operational requirements (for example, unplanned outage, scheduled outage, on-process, etc.);

g) update records at a planned interval, at least on a quarterly basis, to include for each updateable device: installed versions, authorized versions, effective versions and released

h) identify a planned interval for installation of patches, such as: when patches are available, or at least on an annual basis; and

i) install patches and/or implement compensating countermeasures to mitigate security vulnerabilities that exist in the IACS.

Additional guidance that can be used to achieve these requirements is provided in Annex B.

6 Recommended requirements for IACS product supplier

Security of the IACS on a running facility is very important and proactive measures are needed to reduce the probability of the plant being compromised, therefore determining which patches apply to, and should be tested on, a product is a critical responsibility of the IACS product supplier.

IACS product suppliers should:

a) provide documentation describing the software patching policy for the products and systems they supply;

b) qualify in terms of applicability and compatibility, all patches, by analyzing and verifying the patches, including patches that are released by the supplier of the OS that is used, and all suppliers of third-party software, that may be used by the IACS products;

c) provide a list of all patches and their approval status, 4.4, including the information and data in the format described in Clause 7 and Annex A;

d) inform the asset owners, and update the list of patches described in: clause 6 b) above, Clause 7, and Annex A periodically, and ideally within 30 days after a patch is released by the supplier of the OS or third-party software;

e) provide adequate warning (at least two years in advance) about the components reaching ‘end of life,’ or for which cyber security patches will no longer be made available; and

f) provide information to IACS users regarding the policy of supporting IACS products, including security updates.

Additional guidance that can be used to achieve these requirements is provided in Annex C.

7 Exchanging patch information

Patch information is required because a complete IACS is usually based on commercial OSs, commercial application systems, such as distributed control systems (DCSs), historians and manufacturing execution systems (MESs) and application specific software programs using commercial IT tools, such as databases and libraries. All of these software elements require periodic updates to correct newly discovered errors or to correct newly discovered security deficiencies.

Implementing a system to manage patches requires knowledge of: what patches are available, if the patches are applicable to installed systems, if the patches have been tested against the installed products, and if the IACS product supplier recommends that the patches should be installed.

Determining the compatibility of patches can be a complex task. IACS product suppliers perform tests of their products against OS and library patches in order to determine if the patch should be used with their automation products. Because failures in automation products due to incompatibility with patches may result in the loss of life, property or product, there is often a requirement that all related automation products have been tested with the patch prior

IACS users often have various IACS product supplier systems in their facilities and managing the patch compatibility information from multiple IACS product suppliers is difficult because the patch information is usually available in each IACS product supplier's specific format. This clause defines a standard format for the exchange of patch information necessary to identify a product, patch and status of the patch. The exchanged information includes:

a) an identification of the IACS product supplier providing the product;

b) an identification of the IACS supplier’s product and version;

c) an identification of the product supplier providing the patch, such as the company providing the OS;

d) an identification of the patch supplier’s product, such as the OS version;

e) the patch supplier’s identification of the patch;

f) an indication if the patch is applicable to the IACS product;

g) an indication of status of testing of the patch against the IACS product; and

h) an indication of the results of testing of the patch against the IACS product.

This information allows end users to make informed decisions before they decide to install the patch. The exchange information defines if a specific patch from an IACS system supplier, an OS supplier or a third party software product supplier has been tested against a specific version of the IACS software, with an indication that the tested patch works with that version of the IACS software.

7.2 Patch information exchange format

The format for the minimal patch compatibility information is based on eXtensible Markup Language (XML) technology and is defined using an XML schema definition (XSD) file. The patch information file is identified as vendor patch compatibility (VPC).

7.3 Patch compatibility information filename convention

The filename of a VPC file should be defined according to the following syntax:

<filename> = <vendor_name> “_patch_compatibility_” <date> “_” <number> “.xml”

where

<vendor_name> the generally recognized short name of the IACS company

<date> the date the compatibility file was released by the IACS product

The VPC format al ows for the ex han e of p tc information a out multiple p tc es an

IACS prod ct s p l er prod cts in the same VPC ex han e fi e

Fig re 2 i u trates the VPC fi e s hema definition


Figure 3 illustrates the VPC file schema diagram format.

Figure 3 – VPC file schema diagram format

7.5 VPC file element definition

Table 2 through Table 5 define each element in the VPC XSD file. Only the enumerations, defined in the “Definition” column, for the applicability, test result and test status should be used in the exchange file.

Table 2 – VPC XSD PatchData file elements

VendorName | IdentifierType | A required string containing the name of the vendor that is providing the patch information. EXAMPLE: “DCS vendor”, “MES vendor”

information


PatchedProduct | IdentifierType | A required string containing the patch product supplier's name of the product that the patch is targeting. EXAMPLE: "SQL Server", “Microsoft Windows”

PatchedProductVersion | IdentifierType | A required string containing the version of the product the patch is for. EXAMPLE: "Service Pack 2", "7.15", "A", "R2 9"

PatchIdentifier | IdentifierType | A required string containing the patch product supplier defined primary identification of the patch

NOTE Format this string according to ISO 8601

The value should be one of the items in the following enumeration:

• Critical – The patch should be installed. It corrects a vulnerability whose exploitation could allow code execution without user interaction. These scenarios include for example: self propagating malware

could result in compromise of the confidentiality, integrity or availability of data, or of the integrity or availability of processing resources, but which requires a user action

• Optional – The patch may be installed. The patch corrects a vulnerability that requires unique or uncommon user actions


Element | Type | Definition

value should be one of the items in the following enumeration:

• Non_Security – This update is related to a non-security related issue and updates a known issue that is not related to security

• Security – This update is related to a security issue and repairs a known security problem

the update and/or patch

value should be one of the items in the following enumeration:

• Deprecated – This patch is no longer a required update for the system

• Current – This patch is up to date and should be installed on any products identified as “PassedProduct” for this patch

ReplacesPatch | TextType | An optional string value that contains a description of the patch being replaced. EXAMPLE: “KB12 4 6 Windows 2 0 6 bit”

value should be one of the items in the following

ReferenceInfo | TextType | An optional string value that contains a URL to the update for further details

PassedProduct | IdentifierType | An optional string value containing the <VendorProduct><ProductID> for referencing the vendor specific product. This is an item in the list of products that PASSED testing with this patch

FailedProduct | IdentifierType | An optional string value containing the <VendorProduct><ProductID> for referencing the vendor specific product. This is an item in the list of products that FAILED testing with this patch

<VendorProduct><ProductID> for referencing the vendor specific product. This is an item in the list of products that are on HOLD for testing with this patch

NotTestedProduct | IdentifierType | An optional string value containing the <VendorProduct><ProductID> for referencing the vendor specific product. This is an item in the list of products NOT TESTED for this patch

patch


Table 5 – VPC XSD VendorProduct file elements

ProductID | IdentifierType | A required string identifier that will be used to map the name and version of a product to a test result related to a patch

description for the product

ReleaseDate | DateTimeType | A required string containing the release date of the product version

product and version information

<xs:element name="Severity" type="CodeType" minOccurs="0" />

<xs:element name="UpdateType" type="CodeType" minOccurs="0" />

L s o P odu t I s r f r n i g Ve do Q a i i dP odu t e a l f r t e P s edP odu t i t - >

The base types for most elements are derived from core component types that are compatible with the United Nations Centre for Trade Facilitation and Electronic Business (UN/CEFACT) core component types. The UN/CEFACT core component types are a common set of types that define specific terms with semantic meaning (for example, the meaning of a quantity, currency, amount and identifier). The UN/CEFACT core components were defined in a Core Components Technical Specification (CCTS) developed by the ebXML project now organized by UN/CEFACT and ISO technical committee (TC) 154.

NOTE The core components contain optional attributes that may be used to specify the context and source of the associated element value. All attributes are optional in the VPC schema.

The core components use several international standards for the representation of semantic and standardized information:

CodeType is used to define a character string that is used to represent an entry from a fixed enumeration. It is derived from the type normalizedString. All of the VPC enumerations are derived from CodeType. Table A.1 describes the optional attributes for the CodeType data type.


Table A.1 – CodeType optional attributes

listID | normalizedString | An identifier specifying a code list that this is registered with an agency. EXAMPLE: UN/EDIFACT data element 3 5 code list

listAgencyID | normalizedString | An identifier specifying the agency that maintains one or more

DateTimeType is used to define a particular point in time together with the relevant supplementary information to identify the time zone information. It is derived from the type dateTime. In a VPC file this is a specific instance of time using the ISO 8601 Common Era calendar extended format and abbreviated version.

EXAMPLE yyyy-mm-ddThh:mm:ssZ for UTC as “2 0 -0 -2 T13:15:2 Z”

Table A.2 describes the optional attributes for the DateTimeType data type.

Table A.2 – DateTimeType optional attributes

maintained for compatibility with Open Applications Group Integration Specification (OAGIS) and Manufacturing Enterprise Solutions Association International (MESA) use

A.2.4 IdentifierType

IdentifierType is used to define a character string to identify and distinguish uniquely, one instance of an object in an identification schema from all other objects in the same schema. It is derived from the type normalizedString. Table A.3 describes the optional attributes for the IdentifierType data type.


Table A.3 – IdentifierType optional attributes

schemaID | normalizedString | An identifier specifying the identification schema

schemaAgencyID | normalizedString | An identifier specifying the agency that maintains the schema

schemaAgencyName | string | Text containing the name of the agency that maintains the schema

schemaVersionID | normalizedString | The version (as an identifier) of the schema

schemaDataURI | anyURI | The URI identifying where schema data is located

A.2.5 IndicatorType

IndicatorType is used to define a list of two mutually exclusive boolean values that express the only possible states of a property. It is derived from the type string. For VPC purposes the defined values for indicator type are “True” and “False”. Table A.4 describes the optional attributes for the IndicatorType data type.

TextType is used to define a character string (for example, a finite set of characters) generally in the form of words of a language. It is derived from the type string. Table A.5 describes the optional attributes for the TextType data type.


Annex B

(informative)

IACS asset owner guidance on patching

B.1 Annex organization

Annex B provides guidance to IACS asset owners that are establishing and/or operating an IACS patch management program. This Technical Report is written using a ‘workflow’ approach, in which the sequence of activities, tasks and requirements are written in the approximate order that would be followed by individuals managing a patch management system. Asset owner staff, consultants and contractors should find this information immediately actionable and relevant to the challenges associated with patching IACS systems. The goal of this Annex B is to help asset owners establish their patch management programs more quickly, increase effectiveness, reduce vulnerabilities and increase overall IACS reliability.

This annex focuses on the following major activities for patch management:

• Information gathering activities – This includes creating the inventory of updateable devices, building product supplier relationships and evaluating and assessing the existing environment and its supportability requirements.

• Project planning and implementation activities – This includes developing the business case, defining the roles and responsibilities, establishing a patch deployment and installation infrastructure and establishing a backup and restoration infrastructure.

• Procedures and policies for patch management – This includes monitoring for patches, evaluating patches, testing patches, installing patches and change management.

• Operating a patch management system – This includes executing the patch management procedures and policies, vulnerability awareness, outage scheduling, inventory maintenance, new device additions, reporting, key performance indicators (KPIs), auditing and verification. Often called “run and maintain,” operating the patch management system will be a continuously repeating maintenance process.

B.2 Overview

The purpose of this annex is to describe patch management procedures and processes, along with guidance on how those procedures could be implemented by an asset owner with one or more control system environments. The objective of these procedures and processes is to assist the asset owner with the creation of their own program. Asset owners have the option to re-use, modify or abandon the guidelines appropriate to the size and complexity of their environment. Once the procedure is documented, it can be shared with those responsible for its execution, so that those individuals can perform the tasks more quickly, with higher quality and greater consistency. Without documented procedures, it is difficult to assign, train or ensure that objectives such as effective patch management will occur.

Figure B.1 illustrates the processes and procedures required to support the patch management workflow. Note that one-time project activities are not shown in the workflow.


Figure B.1 – IACS patch management workflow

Each phase of the IACS patch management workflow is described later in this technical report.

A workflow-based approach is used in this Technical Report. It describes the steps involved, the activities performed and, where appropriate, how they are performed. The asset owner should document the procedure they intend to follow, so that it can be communicated to others, and implemented consistently, within their organization. An objective that involves multiple steps will be better implemented if the entire procedure is documented.

This Annex B is written so that an asset owner will be able to establish their own patch management process by using this guidance as the starting point.

B.3 Information gathering

B.3.1 Inventory of existing environment

For IACS patch management, a large amount of information is required about the current environment, before analysis and planning can occur. This data can be very costly to gather and very revealing to potential attackers, so it should be secured appropriately.

Establishing an IACS patch management program begins with an accurate inventory assessment, to identify: the devices in scope, and the software and patch versions in use. If the asset inventory information is not accurate, neither will be the risk-based decisions based on that information.

Additionally, when a new vulnerability is discovered, an accurate inventory environment will enable the owner of the environment to determine which assets or devices in their facilities have that vulnerability. This will allow the owner of the vulnerable assets or devices to take mitigating action to protect the vulnerable equipment. A more detailed discussion of some of the actions that can be taken, to mitigate the risk on a new vulnerability can be found in B.6.8.

The first step is to identify the components and devices that are part of the IACS. This includes all updateable device types, such as: servers, workstations, switches, routers, firewalls, printers, serial to Ethernet converters, programmable logic controllers (PLCs), remote terminal units (RTUs) and all non-updateable devices, which could be replaced by a patched or updated device. A number of resources and methods may be used to characterize

reporting


• asset management information systems that may include: purchase records, serial numbers, asset tags and other identifiers of those electronic devices owned and maintained by the asset owner;

• IACS documentation such as: device lists, architecture drawings, design documentation, original IACS product supplier documentation;

• IT documentation such as: internet protocol (IP) address lists, network drawings;

• physical inspection of the facility to identify devices and their connectivity relative to the documentation available;

• interrogation of switches/routers for MAC and IP addresses to identify connected systems;

• network attached device discovery tools, such as: slow speed ping sweep and network analysers; and

• existing business impact assessment (BIA), business continuity planning (BCP) and disaster recovery planning (DRP) documentation, if it exists.

NOTE If BIA and BCP information is available, it provides additional insight, as it may categorize the criticality and importance of specific business processes and systems. This criticality data can be used throughout the entire IACS patch management program including: initial planning, patch evaluation and later patch installation planning.

The approaches above should all be leveraged during the inventory of the existing environment, to develop an accurate list of devices to be considered, and their criticality.

With an accurate inventory list of devices in place, the next step is to gather specific information from each individual device. The objective of this data collection is to identify any information that can be used, or is required, to establish and operate the IACS patch management program. Data collected should include:

a) Ownership – This identifies the asset owner or custodian personnel, and those resources capable of supporting it. This information will be used later when assigning responsibilities and critical decision making.

b) Product supplier, make, model number – This information will be used later when it is time to contact the product suppliers.

c) Version – The version associated with any hardware components, and their associated firmware, including the boot code version, firmware version and boot image version.

d) OS version – The version associated with the OS environment. This includes the OS name, version, service packs, hotfixes, patches, service releases, etc. Depending on the environment, the OS may be part of a virtualization hypervisor solution and the software of the virtualization host is also required. Alternatively, the OS may be part of embedded device firmware.

e) Software version – The version associated with software installed on top of the OS. Examples include web browsers, control system software, databases, remote access, etc. Refer to column 1 of Table B.3 for more ideas. It is important to document the product supplier for each software component, as this information will be required later, in addition to the software title.

f) Redundancy – This defines the fail-over and fault tolerance capabilities of the hardware and software. This information will be used later to support evaluation, planning and installation of patches. For example, is a full outage required, or can the patch be applied to one device, part of a redundant set, and then the other, without interrupting IACS operation.

g) Computer role – This defines the function of individual computers and is essential in order to evaluate the impact of restarting the computer (if necessary) once a software update has been installed. For example, if the computer is a server running a business-critical application, it is advisable to schedule software updates during periods when they will have minimal impact on the business. It also may be necessary to make arrangements for business continuity, so that users can continue operation while the server is being


h) Computer group – This defines the categorization and the grouping of devices performing a similar function (for example, domain controllers, operator workstations) that would be expected to have similar or even the same hardware, software, configuration and IACS patch management strategy.

i) Network architecture and connectivity – This defines the network architecture and structure. Understanding the layout of the network infrastructure, its capabilities, security level, link speed and link availability is important for effective patching. This layout should also include remote access systems such as support and management systems. Software updates can vary in size, and knowing the constraints of the network infrastructure can potentially reduce any delay in distributing software updates. It can also dictate the manner in which the software update will be deployed to, and installed on, particular client computers.

j) Installed and not installed software updates – This identifies which software updates have or have not been installed on computers, and is essential information.

k) Support status – This identifies the support status of each computer system. If software or hardware updates are not available and upgrading is not practicable for a computer system this needs to be recorded, because the system will fall outside the patch management regime and will need a separate security management regime, such as a hardened configuration or use of multiple layers of defence (defence-in-depth). A known or expected end of product supplier support date should be recorded. A periodic review of this data will allow for controlled changes in support plans.

l) Inter-dependencies – This describes the inter-dependencies between the different device types, categories and groups of devices. This information will support later evaluation, planning and installation of patches to ensure risks are mitigated for inter-dependent devices.

m) Criticality – This describes any management of change constraints, based on the criticality of the components and groups of systems. Often the critical data paths in a control environment have not been analysed or documented with the detail required to identify critical interdependencies. The focus of patching is on applying updates to software running on these computers. The decision about when to patch will start with a thorough understanding of the critical processes and critical data flows that the computers and embedded controllers provide to the system operation. The operation of each critical process requires the interaction and interdependencies of computer systems to be understood.

n) Vulnerability assessment tools applicability – This describes if assessment tools can be run against the system either automatically or manually or never. The asset owner should consider vulnerability assessment tools as an additional method for identifying security vulnerabilities associated with their IACS. Vulnerability assessment tools can help identify and prioritize risks that can be mitigated through configuration changes, installing patches or other mitigating controls. Active vulnerability scanning tools can negatively impact the IACS, and should only be used after testing under controlled conditions and at specified scanning levels.

o) Configuration Files – Note if any configuration information will need to be captured before a modification and then have to be reapplied afterward.

To support information collection above, consider the guidance in B.3.2.
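The following Python sketch is an added illustration, not part of IEC TR 62443-2-3: it matches inventory records carrying B.3.1 items a), b), d), f), j) and k) against a supplier's patch test results (PASSED, FAILED, HOLD, NOT TESTED) to give a per-asset action. The record layout, the decision rules, the simplification that the patched product is the asset's OS, and all sample names are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Supplier test outcomes for a patch against a product, as named in clause 7.
PASSED, FAILED, HOLD, NOT_TESTED = "PASSED", "FAILED", "HOLD", "NOT TESTED"


@dataclass
class Asset:
    """Inventory record; fields mirror B.3.1 items a), b), d), f), j), k)."""
    name: str
    owner: str                  # a) ownership
    product_id: str             # b) supplier product and version (assumed key)
    os_name: str                # d) OS name
    os_version: str             # d) OS version
    installed: set = field(default_factory=set)   # j) installed updates
    redundant: bool = False     # f) part of a fail-over set
    supported: bool = True      # k) supplier still provides updates


@dataclass
class PatchStatement:
    """Constructed stand-in for one patch entry of a compatibility file."""
    patch_id: str
    patched_product: str
    patched_version: str
    results: dict               # product_id -> test outcome


def triage(asset, stmt):
    """Return the action for one asset given one patch statement."""
    if (asset.os_name, asset.os_version) != (stmt.patched_product,
                                             stmt.patched_version):
        return "not applicable"
    if stmt.patch_id in asset.installed:
        return "already installed"
    if not asset.supported:
        # k) outside the patch regime: needs a separate security regime.
        return "compensating controls"
    # A product the supplier did not list is treated as not tested.
    outcome = stmt.results.get(asset.product_id, NOT_TESTED)
    if outcome == FAILED:
        return "do not install; mitigate"
    if outcome in (HOLD, NOT_TESTED):
        return "await supplier test result; mitigate"
    # PASSED: f) decides whether a full outage is needed.
    return "rolling install" if asset.redundant else "schedule outage"


def plan(inventory, stmt):
    """Map each asset name to its action and owner for follow-up."""
    return {a.name: (triage(a, stmt), a.owner) for a in inventory}


# Constructed sample data; names and identifiers are invented.
STATEMENT = PatchStatement(
    patch_id="PATCH-0001",
    patched_product="ExampleOS",
    patched_version="10",
    results={"ExampleHMI-4.2": PASSED, "ExampleHistorian-2.0": PASSED,
             "ExampleEng-1.1": FAILED, "ExampleBatch-5.0": HOLD},
)
INVENTORY = [
    Asset("hmi-01", "operations", "ExampleHMI-4.2", "ExampleOS", "10"),
    Asset("hist-a", "operations", "ExampleHistorian-2.0", "ExampleOS", "10",
          redundant=True),
    Asset("hist-b", "operations", "ExampleHistorian-2.0", "ExampleOS", "10",
          installed={"PATCH-0001"}, redundant=True),
    Asset("eng-ws", "engineering", "ExampleEng-1.1", "ExampleOS", "10"),
    Asset("batch-01", "operations", "ExampleBatch-5.0", "ExampleOS", "10"),
    Asset("hmi-old", "operations", "ExampleHMI-3.0", "ExampleOS", "10",
          supported=False),
    Asset("lab-pc", "engineering", "ExampleLab-1.0", "ExampleOS", "10"),
    Asset("gw-01", "network", "ExampleGateway-7", "OtherOS", "5"),
]

if __name__ == "__main__":
    for name, (action, owner) in plan(INVENTORY, STATEMENT).items():
        print(f"{name:9} {owner:12} {action}")
```

An asset whose product the supplier never listed (lab-pc here) is deliberately held back rather than patched, since a missing test result is not evidence of compatibility.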

B.3.2 Tools for manual and automatic scanning

At the time of this writing, some tools are emerging under development while others are currently available to facilitate the automated data collection, identification and characterization of the control network architecture and those devices attached to the control network. The more invasive the tools are, the greater the risk they might pose to IACS. It is crucial that the user of any tool be intimately aware of the impacts imposed by applying the tool on the targeted IACS, including those industrial automation processes containing multiple systems architectures comprised of different manufacturer’s products and networks. Additionally the user of the tool should interact with the full range of product suppliers that manufacture the systems and devices contained in the IACS, in order to fully understand the


It is also important to know that many of the automatic scanning tools apply new “plug-ins” on a very frequent basis. This means that a scan that worked last week may experience issues the next week, due to new tests that the tool is now performing. Each asset owner must monitor and control the configuration of the tools used, and should consider testing any new “plug-ins” before they are added to an automated scanning tool.

It is important that when running any tools causes issues that feedback is provided to the tool creator as well as to the appropriate group that created the affected equipment.

Automated tools may not be able to collect the full range of asset inventory data elements described above, such as OS, patch levels, ownership, criticality, management of change constraints or vulnerabilities, so a manual data-entry component typically is also required. Some inventory collection tools are integrated into automated patch distribution tools.

The choice to use automated tools to assist with collection of the inventory may also be impacted by the important ongoing need to maintain the asset inventory data and verify the existing systems configuration and architecture from time to time. The value of having a highly accurate asset inventory is that it is the fundamental data needed for the appropriate assessment of risk when operating the IACS patch management program. For example, when a new vulnerability is discovered, an accurate inventory environment will enable the owner of the environment to determine which assets or devices in their facilities have that vulnerability. This will allow the owner of the vulnerable assets or devices to either install the appropriate patch(es), and/or take mitigating action to protect the vulnerable equipment. A more detailed discussion of some of the actions that can be taken, to mitigate the risk on a new vulnerability can be found in B.6.8. A more detailed discussion of when to schedule an outage for patch installation may be found in B.8.4.

Also note that for some automated inventory collection tools, an agent may need to be installed on the various computers either as a client, server or as a separate monitoring system, and where in the IT or IACS architecture. A full configuration profile for a machine can be sizeable, including the inventory application processing demand. Attention may be required to confirm that this process and the associated tools are not detrimental to the systems that they are designed to serve. Particular attention and expert knowledge is required when applying these tools on redundant and deterministic control networks.

Another option available to asset owners to expedite first time and ongoing data collection is to consult with their product suppliers for the suppliers recommendation on supported methods, tools and services.

B.3.3 IACS product supplier contact and relationship building

After all devices have been identified and their specific versions have been collected as per B.3.1, the next step is to identify the IACS product suppliers for those components of the IACS. The input to this step is a list of hardware product suppliers, software product suppliers and service providers that will be instrumental to the asset owner’s IACS patch management program.

The following information is required for each IACS product supplier:

a) current business name and history of acquisition that may affect supportability of legacy products in the asset owner’s IACS;

b) contact information for groups within the product supplier’s organization, which can provide information to the asset owner; and

c) state of support contracts for asset owner products, or the costs to establish agreements to be entitled to notification of patches.

Additional information may also be suitable for the IACS. Table B.1 provides an example.


Table B.1 – Sample product supplier profile

Main website: http://www.microsoft.com

Support website: http://support.microsoft.com

http://update.microsoft.com

The Microsoft support website provides links to technical support for all supported Microsoft products and OSs. This website also provides links to downloads and updates for all supported Microsoft products, and to product specific solution centers.

The Microsoft Update website is a component of the Windows Update framework, and is an automated service that, when accessed by a computer, will scan to verify the computer is running the most current versions of the installed Microsoft software, and that it has the latest updates for its Windows OS.

For Microsoft updates, please refer to: htp: ofic microsof.c m/e

The Microsoft Security Newsletter, which is sent out by email can be subscribed to at the following website:

htps: profie.microsof.c m/Re sysprofie e ter/su scriptio wizard.asp ?wizid 6 2 f

c 5-9fe -4 12-8 7 -c d 13 14 b

Comprehensive Email Notification of Security Alerts can be subscribed to at the following website:

htps: profie.microsof.c m/Re SysProfieCe ter/su scriptio wizard.asp ?wizid 5 2

31 b-518 -4 9 -9f1a-d e 13 2 c e&lcid 10 3

The Microsoft Security Advisories RSS feed can be subscribed to at this address:

htp: w w.microsof.c m/e h etse urity/a visory/Rs Fe d.asp ?se urity d isory

Additional information:

The Microsoft Windows Update Services enables system administrators to deploy and install the latest Microsoft product updates to computers running a Windows OS. Windows Update Services allows administrators to manage the distribution of updates that are released through Microsoft Updates to computers on the network. Microsoft Windows Update Services also provides a management process for tracking, approving and installing applicable cyber security software patches and updates for Cyber Assets within the Electronic Security Perimeter(s).

Type of product supplied:

See Table B.3 for example categories

Browser, CD/DVD/Tape Backup, Client Tool, Document Editing, Driver, Email Messaging, Multimedia, OS, Remote Access, Security Tool and Server App – Software and Hardware

Security point of contact

This is a contact that is named by a company service provider, where available such security contact should also be requested and recorded from vendors

For purchased software, including the OS, the product supplier can be consulted as to the extent to which they perform pre-release testing both of their software as well as any underlying software such as OS accessories. The end user needs to also consider the effect of patching on end user licence agreements (EULAs), warranties and support agreements. Consider whether the vendor support agreement addresses specifics as to the addition of or lack of patching, and who is responsible for implementing patches. Guidance from a product supplier for process critical systems should be seriously regarded.

Consideration can also be given to the potential of contracting third-parties such as the IACS product supplier or integrator to provide maintenance services that include risk management of patching. In such cases, it is still appropriate to consider that the asset owner is ultimately accountable for the patching process as severe liabilities may be incurred, even when leveraging the services of others to execute the process.

NOTE An emerging trend is to incorporate overall cyber security requirements into procurement specifications. It is important to note that the statement by any vendor of patch compliance to standards or regulations does not
