SIMPLIFYING THE PATCH MANAGEMENT PROCESS
www.icsupdate.com
Monta Elkins, Security Architect, FoxGuard Solutions
melkins@foxguardsolutions.com
Why Patch? Because You Need To
What Needs Patching? EVERYTHING (a lot more than you think)
How Can You Discover All Patch Releases? With Great Difficulty
How Hard Is It To Keep Up? Hard
What Does The DOE-Sponsored Patch & Update Management Program (PUMP) Do? Aggregate Info And Manage The Patch Gap
How (You Might Ask)? With Great Care
PATCH AND UPDATE MANAGEMENT PROGRAM
- In 2013, the Department of Energy (DOE) selected FoxGuard Solutions' Patch and Update Management Program in response to a DOE request for proposals.
- FoxGuard Solutions was selected in part based upon our background in patch validation and automated patch deployment for GE, Toshiba, and others.
- We have also partnered with Critical Intelligence (recently acquired by iSIGHT Partners) for development.
FOXGUARD PATCHING AROUND THE WORLD
FOXGUARD'S PATCHING SOLUTIONS ARE USED IN 167 ICS SITES, IN 36 STATES AND 15 COUNTRIES
OBLIGATORY DEFINITION SLIDE
What does "patch" mean?
"A patch is a software update comprising code inserted (or patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package." - Techopedia
PATCH FUNCTIONS
Patches may do any of the following:
- Upgrade the software features
- Fix a software problem
- Address software stability issues
- Address security vulnerabilities (the NERC CIP requirement; hard for you to know which patches do)
Updates and firmware also perform these required functions, so consider them as well whenever I say "patch".
PATCH CREATOR SOURCES
Patches come from different creators. Patch creator sources include:
- OS vendor
- SCADA vendor
- Equipment vendor
- Other software vendor
- A/V, IDS vendor
PATCH APPROVAL SOURCES
The same patch can have various approvals depending on the patch approval source. Patch approval sources include:
- OS vendor
- SCADA vendor
- Equipment vendor
- Integrator
- Company
DESTINATION
The same patch can have various approval statuses and dates depending on both the source and the destination.
[Diagram: patches from the OS vendor, SCADA vendor and integration vendor (OS patch, OS patch & application patch, SCADA patch, integration patch) pass through site approval on their way to a corporate computer and several plant computers]
WHAT NEEDS SECURITY PATCHING/UPDATES?
Programmable Electronic Devices (in NERC CIP speak)
Virtually everything that plugs into power, or has batteries (Monta speak)
- Computers (HMIs, workstations, laptops, thin clients)
  - Operating system (Windows, Linux, VxWorks)
  - Other software (Acrobat Reader, Excel, Flash, Java)
  - SCADA packages
  - BIOS
  - USB controller
  - Video card firmware
  - Network cards
  - RAID controller
- Printers
- USB thumb drives
WHAT NEEDS SECURITY UPDATES/PATCHING?
ICS & other hardware
- PLCs
- RTUs
- Intelligent sensors
- Intelligent actuators
- VoIP phones
- Displays/monitors/TVs
- Test equipment (scopes, meters)
Network gear they attach to
- Switches
- Firewalls
- IDS (intrusion detection systems)
- Security gateways
- DLP (data loss prevention)
COMBINATIONS
The same patch can have various approval statuses and dates depending on both the source and the destination.
HOW DOES PUMP HELP?
- Collection and monitoring of patch/update metadata
- Aggregated patch release information: OS vendors, SCADA vendors, hardware vendors, integrators
- Patch applicability for individual devices
- Patch approval per device, per vendor, per site, with links to the patch source (actual patch only available from the vendor)
- Internal approval process and "patch gap" reporting
- Track device status: patched, out of date, scheduled, mitigation
- PUMP can train you to develop an approval/validation process
- Related discussion
- Anonymous information sharing with reputation
WHEN YOU ARE SERIOUS ABOUT PATCHING
- Patch security information: is this a security-related patch? Are there related CERT notices, CVEs?
- Allow multiple customer accounts with access control to support large organizations (e.g. compliance manager role, implementation engineer role)
- Compliance support documentation, e.g. CIP requires documenting patch sources for cyber assets and evaluating available patches every 35 days
- Positive notification: notification for each device on a regular schedule; notification of negative change
PUMP - MORE PATCHES AND UPDATES
- A single source to check for all / most vendor patch information
- Links provided; contracts with your vendor to GET patches may be required
- If you would like to request specific devices for priority implementation, contact FoxGuard
Vendors
- If you are a vendor and would like patch and update information included about your products, please contact us.
- Vendor involvement available, contact us
- Use BY vendors (how do you keep up with all of your patch sources?)
AUTHENTICITY VERIFICATION TOOLSET
Patch and update authenticity verification toolset
- Verify file hashes
- Verify digital signatures
- Tools, training and assistance for vendors to help make signed hash files available for their patches / updates
- Where hashes / signatures aren't available, provide carefully documented community hash information to identify exceptions
- Provide hash data from various networks to help identify man-in-the-middle attacks
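The two hash-based checks on this slide, verifying a download against a published digest and comparing the digests seen from several networks, as an added example. This is illustration code written for this page, not FoxGuard or PUMP tooling. It assumes the vendor publishes digests in the sha256sum text format (`<hex digest>  <filename>`); the patch bytes, the tampered copy and the per-network observations are constructed. Signature verification would additionally need the vendor's public key and a library such as `cryptography`, and is not shown.

```python
"""Hash verification for a patch download and cross-network hash comparison.
Added example, not FoxGuard/PUMP code. Assumes sha256sum-style hash files."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory file image."""
    return hashlib.sha256(data).hexdigest()


def parse_hash_file(text: str) -> Dict[str, str]:
    """Parse '<hex digest>  <filename>' lines into {filename: digest}.
    Blank lines and '#' comments are skipped; anything else malformed is an
    error rather than being silently ignored."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.strip()
        if not name or len(digest) != 64:
            raise ValueError(f"malformed hash line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_patch(filename: str, data: bytes, hash_file_text: str) -> bool:
    """True only when the downloaded bytes match the published digest.
    A file absent from the hash list fails verification; compare_digest
    keeps the comparison constant-time."""
    expected = parse_hash_file(hash_file_text)
    if filename not in expected:
        return False
    return hmac.compare_digest(sha256_hex(data), expected[filename])


def find_hash_exceptions(observations: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Compare the digest of one download as fetched from several networks.
    Returns (consensus digest, networks whose copy differs). With no strict
    majority there is no consensus and every network is listed for review."""
    if not observations:
        return None, []
    counts: Dict[str, int] = {}
    for digest in observations.values():
        counts[digest] = counts.get(digest, 0) + 1
    consensus, votes = max(counts.items(), key=lambda kv: kv[1])
    if votes * 2 <= len(observations):
        return None, sorted(observations)
    return consensus, sorted(net for net, d in observations.items() if d != consensus)


# Constructed sample download standing in for a vendor firmware patch.
PATCH_NAME = "plc-firmware-2.3.1.bin"
GOOD_PATCH = b"PLC FIRMWARE 2.3.1\x00" + bytes(range(256))
# The hash file the vendor would publish out-of-band; derived from the good
# copy here so the example is self-contained.
VENDOR_HASH_FILE = f"# constructed for this example\n{sha256_hex(GOOD_PATCH)}  {PATCH_NAME}\n"
# The same file with one byte altered in transit.
TAMPERED_PATCH = GOOD_PATCH[:40] + b"\xff" + GOOD_PATCH[41:]
# Constructed: digest of the download as fetched from four different networks.
OBSERVED = {
    "corporate-lan": sha256_hex(GOOD_PATCH),
    "plant-a": sha256_hex(GOOD_PATCH),
    "plant-b": sha256_hex(TAMPERED_PATCH),
    "mobile-hotspot": sha256_hex(GOOD_PATCH),
}

if __name__ == "__main__":
    print("good copy verifies:", verify_patch(PATCH_NAME, GOOD_PATCH, VENDOR_HASH_FILE))
    print("tampered copy verifies:", verify_patch(PATCH_NAME, TAMPERED_PATCH, VENDOR_HASH_FILE))
    print("consensus, exceptions:", find_hash_exceptions(OBSERVED))
```

The network comparison only tells you that one vantage point saw a different file; it does not say which copy is genuine, which is why the slide pairs it with vendor-published, signed hash data wherever that exists.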
FIRMWARE VERSION QUERY
Patch and update version query
- Version data collection engine - per device
- Gap analysis and reporting dashboard
- Querying / scanning is not network scanning; think modbus/telnet/ssh query to identify device and firmware
- Used in combination with the patch data aggregator service for gap analysis
- Also used after updates to verify firmware installation
- Works in conjunction with your master asset list
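An added example of the device-and-firmware query plus gap analysis described here, also covering the 35-day patch-evaluation interval from the compliance slide. It is illustration code for this page, not FoxGuard or PUMP code. It decodes a Modbus/TCP Read Device Identification response (function 43, MEI type 14, the standard way a PLC reports vendor, product and revision), compares the reported revision with a master asset list entry, and flags a stale evaluation date. The response bytes, the asset list entry, the report date and the device status names are constructed; the dotted-numeric version comparison is an assumption, since vendor version schemes vary.

```python
"""Modbus Read Device Identification parser and per-device gap report.
Added example, not FoxGuard/PUMP code; all sample data is constructed."""
import struct
from datetime import date
from typing import Dict, List, Tuple

MBAP_LEN = 7                 # Modbus/TCP header: txn id, protocol id, length, unit id
FC_ENCAPSULATED = 0x2B       # function 43, Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E    # MEI type 14, Read Device Identification
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def parse_device_identification(frame: bytes) -> Dict[str, str]:
    """Decode a Read Device Identification response into its named objects.
    Malformed or exception frames raise instead of yielding partial data."""
    if len(frame) < MBAP_LEN + 3:
        raise ValueError("frame too short")
    _txn, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0 or length != len(frame) - 6:   # length counts unit id + PDU
        raise ValueError("bad MBAP header")
    pdu = frame[MBAP_LEN:]
    if pdu[0] == FC_ENCAPSULATED | 0x80:
        raise ValueError(f"device returned Modbus exception code 0x{pdu[2]:02x}")
    if pdu[0] != FC_ENCAPSULATED or pdu[1] != MEI_READ_DEVICE_ID or len(pdu) < 7:
        raise ValueError("not a Read Device Identification response")
    # pdu[2..5]: ReadDevId code, conformity level, more-follows flag, next object id
    count, pos = pdu[6], 7
    objects: Dict[str, str] = {"unit": str(unit)}
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object value")
        objects[BASIC_OBJECTS.get(oid, f"object_{oid:#04x}")] = value.decode("ascii", "replace")
        pos += 2 + olen
    return objects


def version_tuple(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only (e.g. '2.3.1'); a real collector needs
    per-vendor comparison rules (assumption for this example)."""
    return tuple(int(part) for part in version.split("."))


def gap_report(asset: dict, observed: Dict[str, str], today: date, max_days: int = 35) -> dict:
    """One device's row for a gap dashboard: identity check against the master
    asset list, firmware behind the approved version, and stale evaluation."""
    findings: List[str] = []
    if (observed.get("VendorName"), observed.get("ProductCode")) != (asset["vendor"], asset["product"]):
        findings.append("device identity does not match master asset list")
    running = observed.get("MajorMinorRevision", "0")
    if version_tuple(running) < version_tuple(asset["approved_firmware"]):
        findings.append(f"firmware {running} behind approved {asset['approved_firmware']}")
    age = (today - asset["last_evaluated"]).days
    if age > max_days:
        findings.append(f"patch sources last evaluated {age} days ago (limit {max_days})")
    return {"asset": asset["asset"], "status": "Out Of Date" if findings else "Patched", "findings": findings}


# Constructed response as a PLC would return it (hex, spaced for readability).
SAMPLE_RESPONSE = bytes.fromhex(
    "0001 0000 0021 01"          # MBAP: txn 1, protocol 0, length 33, unit 1
    "2b 0e 01 01 00 00 03"       # FC 43, MEI 14, basic stream, conformity 1, no more, next 0, 3 objects
    "00 08 41434d4520504c43"     # VendorName "ACME PLC"
    "01 06 504c432d3432"         # ProductCode "PLC-42"
    "02 05 322e332e30"           # MajorMinorRevision "2.3.0"
)
# Constructed exception reply: FC 43 | 0x80, MEI 14, exception code 01.
EXCEPTION_RESPONSE = bytes.fromhex("0002 0000 0004 01 ab 0e 01")
# Constructed master asset list entry for that device.
MASTER_ASSET = {"asset": "PLC-01", "vendor": "ACME PLC", "product": "PLC-42",
                "approved_firmware": "2.3.1", "last_evaluated": date(2015, 3, 2)}
TODAY = date(2015, 4, 20)   # constructed report date


def run_example() -> dict:
    return gap_report(MASTER_ASSET, parse_device_identification(SAMPLE_RESPONSE), TODAY)


if __name__ == "__main__":
    print(run_example())
```

Run stand-alone it reports PLC-01 as Out Of Date with two findings: the device runs 2.3.0 against an approved 2.3.1, and its patch sources were last evaluated 49 days ago. The same parse-and-compare step, run again after the update, is the "verify firmware installation" use the slide mentions.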
PUMP DEMONSTRATION SITES
Provide training and implementation at two asset owners' locations
- Training program includes all the necessary tools and skills to set up and implement a successful patch and update management program
  - Including creating an approval/validation program
  - Testing a full validation cycle with patch and update deployment
- End-user feedback gathered to guide the program forward