Few are satisfied with their existing processes and risk levels. One problem is that, although many patch management reference documents are available, none provides specific guidance for industry needs.
Selecting external guidance documents is not as easy as it might sound, largely because many different external organizations are working on security references with various overlaps and gaps. Most existing reference documents tend to be high level, general and contain compromises. The result is that they are often weak in areas where businesses differ widely. This can show up as ambiguous recommendations or possibly too much flexibility.
The biggest challenge is making sure that the practices apply to your situation, including operations IT. If possible, it is best to start with references developed with your industry and needs in mind. This not only reduces the amount of effort needed to adapt them but also reduces the risk of adopting inappropriate practices. For example, it is well documented that systems in automation and operations IT require different patch practices than corporate IT systems; guidance developed for corporate IT will not work without fundamental changes. However, far fewer patch management references address the operational needs of manufacturing plants and factories, utilities, pipelines and similar environments than address corporate IT.
The U.S. Department of Homeland Security (DHS) has stimulated development of a considerable body of security references through the National Institute of Standards and Technology (NIST) and Carnegie Mellon’s US-CERT (for U.S. Computer Emergency Readiness Team). They also do considerable security work through Idaho National Laboratory (INL). In the United Kingdom, the Centre for Protection of National Infrastructure does similar work.
Initially, DHS and NIST addressed the security needs of U.S. government computing systems. This resulted in several general security reference documents that are available through the NIST (www.nist.gov) and CERT (www.cert.org) Web sites. However, DHS is also responsible for assuring the protection of U.S. industries categorized as “critical infrastructure,” including utilities, chemical, petroleum and a few others. During the last few years, DHS has increasingly focused on protecting process control systems, especially those in the utilities industries, and we expect that this trend will continue. U.S. companies should track these documents carefully because they may become requirements for some industries. Relative to patch management, two of their documents are worth studying, as are several other resource documents.
Recently, DHS released recommendations specifically for “Industrial Control Systems (ICS).” This document is valuable in that the scope is exactly what the industry needs. It explicitly considers the needs of on-site systems, and establishes the difference between corporate IT and operations IT patching. It also includes a good high-level set of patch program elements.
Unfortunately, this document also has serious shortcomings and needs considerably more work. The recommendations under each program element are weak, incomplete or not practical, making the document of little help in establishing a patch management program for on-site systems.
NIST first addressed patch management for U.S. government and corporate information systems. NIST Publication 800-40, “Creating a Patch and Vulnerability Management Program,” is an excellent source of concepts and ideas for patch management in general. However, it does not address the unique needs of operations IT and automation, and does not indicate that these systems are out of its scope. Consequently, we advise caution when adapting the details of 800-40 to on-site systems, especially automation.
ARC recommends that end-users study these documents, and where the opportunity exists, make recommendations for future improvements.
Bob Mick, [email protected], is Vice President of Enterprise Systems, ARC Advisory Group Inc., Dedham, Mass.