Discussion Board

in /by

Discussion Board

Need comments for each part..

atleast 1 para for each part.

PART 1

A patch can be described as a update or modification to the system’s software to patch-up a software failure or a vulnerability and improve the performance of the software. The patching and updating the ICS system should be dealt with the principles like less software requiring patches, patching impact on the system. (Radvanovsky & Brodsky, 2016) The traditional IT systems are hard to patch, the ICS systems are more difficult to patch compared to the traditional IT systems. A patch, practically can crash the entire system in the ICS/SCADA environment and it is the first critical aspect to deal with. To report the patch management procedures for the traditional IT systems and the ICS systems, a solution doesn’t exist for both. Because the IT systems need to organize the critical patches within the downtime, any unexpected downtime in the ICS systems can lead to operational disruptions. So, there is a requirement for the patching before the implementation in ICS systems. (Recommended Practice for Patch Management of Control Systems, 2008)

The patching is different between the industrial control systems and the enterprise network systems. They also could impact negatively the operations of the systems and it is necessary to patch the system before the installation. The three fundamentals for patching the industrial control system is be well versed like performing the complete backup before the installation of patches to the ICS systems. Identifying the files that are changed by the patches and the impacts of them. Removing all the files that are not needed by the ICS systems. Following the three fundamentals, the problems or the risks associated with patching can be minimized and reduces the risks and systems security is improved. (Radvanovsky & Brodsky, 2016)

The legacy systems in the ICS network are applied late or not even applied for some of them. That is typically due to their proprietary nature, service age or may be the patches are not available. (Recommended Practice for Patch Management of Control Systems, 2008) The patches apply generally deal with the stability and functionality issues and accordingly to enhance stability. The industrial control system patching need risk vs reward analysis which can address that the system is properly operating, there is risk to patch the system than reward to update the system. The other factors are to determine the risk by the operating system type, the threats involved, the ability of the personnel. (Radvanovsky & Brodsky, 2016)

References

Radvanovsky , R., & Brodsky, J. (2016). SCADA/ Control Systems Security. CRC Press.

Recommended Practice for Patch Management of Control Systems. (2008). DHS National Cyber Security Division Control Systems Security Program. Homeland Security. Retrieved from https://ics-cert.us-cert.gov/sites/default/files/r…

PART 2

ICS/SCADA Patching

A systematic update or necessary change to a software is called patching. The handbook says, the patching should ensure that the SCADA system is not negatively impacted by any means. The patching requires risk and reward analysis. By this analysis, if we found that there are no problems in the ICS operating system then it is a risk of patching (Radvanovsky & Brodsky, 2016).

The ICS systems are designed to run continuously for years but the patching requires a system restart which is critical for ICS systems. It is recommended to follow the instructions of manufacturer in patching the ICS systems. Manufacturers will provide the guidelines for patching all the major components like PLC’s, controllers, input modules, output modules, data converters and switches (Radvanovsky & Brodsky, 2016).

Performing a full back up of ICS systems before patching is necessary and rolling back patches are not always helpful in fixing the ICS systems. We must run a batch file create all the folders, files with sizes for the entire system, after the patching if any file size has changed then that file is affected by a patch. Virtual test environment before testing is recommended (Radvanovsky & Brodsky, 2016).

After all this, experts think patching data base is risky and difficult but more than that patching a utility (Power plant) or other organizations ICS systems is dangerous after the post-Stuxnet affect. The Stuxnet created a panic environment for the vendors like Siemens and pressuring them to regularly check or updating for the vulnerability issues (Higgins, 2013).

The vulnerability research is looking more closely at ICS world because of the affects created by a Stuxnet, even the small malware can shake the ICS to the core is a demonstration for the future (Higgins, 2013).

The vendors like Siemens and Rockwell systems security are sending the necessary updates and changes required on a regular basis but the organizations thinking that responding to the vendors is fixing the system which is not. Only about 10-20 % of organizations are installing the necessary patches. Experts say Utilities and ICS organizations face power shutdown if patching goes wrong which is a major risk (Higgins, 2013).

According to Andres Andreu, chief architect and vice president for engineering at Bayshore networks says, “Some plant equipment is so old that no one dares to disturb it” (Higgins, 2013). He also says, people who run the old systems or equipment will not perform the patching aggressively. So many controllers which are from 1960-1970’s will not bear the security created by the new patches. He also stated, “To actually patch that level is unrealistic, there’s legacy code written 30 years back and no one wants to touch that” (Higgins, 2013).

Eric Byres, CTO of Belden’s Tofino Security informed that, one of the PLC vendor which the Tofino Security works with said that 10 percent of his customers actually download the patches. He also stated strongly that it’s only download and installing them is imaginary (Higgins, 2013).

According to Dale Peterson the CEO of Digital Bond, most of the companies install the patches on a quarterly basis and they are mainly happen at workstations and servers. Always patching outside or exposed networks is recommended and necessary. One municipal water authority is patching monthly by the help of virtualization test prior to the patching (Higgins, 2013).

References

Higgins, J. K. (2013, January 15). The SCADA patch problem. Retrieved from https://www.darkreading.com/vulnerabilities—threats/the-scada-patch-problem/d/d-id/1138979?

Radvanovsky, R., & Brodsky, J. (2016). Obsolescene and procurement of SCADA.

PART 3

atching for SCADA and ICS Security: The Good, the Bad and the Ugly

The Impact of Patching for SCADA and ICS Security

In a landmark study of the patches for post-release bugs in OS software, Yin et al showed that between 14.8% and 24.4% of all fixes are incorrect and directly impact the end user. And if that’s not bad enough, 43% of these faulty ‘fixes’ resulted in crashes, hangs, data corruption or additional security problems.

What’s more, patches don’t always solve the security issues they were designed to address. According to Kevin Hemsley, a member of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), in 2011, ICS-CERT saw a 60% failure rate in patches fixing the reported vulnerability in control system products.

Even Good Security Patches Can Cause Issues

Most patches require the shutdown and restart of the manufacturing process. Some can also break or remove functionality previously relied on by the control system. For example, one of the vulnerabilities the Stuxnet worm exploited was a hardcoded password in Siemens’ WinCC SQL database.

At the time, Siemens were widely criticized for not quickly releasing a patch to remove the password. However, customers who took it upon themselves to manually change the password soon discovered that many critical control functions depended on this password to access accounts. In this case, the ‘cure’ was even worse than the disease.

Patching Often Requires the Presence of Experts

Another ugly truth about patching is that the process itself often requires staff with special skills to be present.

For example, the vulnerability exploited by the Slammer worm in January 2003 actually did have a patch (MS02-039) that was released in 2002. Unfortunately, this didn’t help an oil company with numerous production platforms in the Gulf of Mexico. The company started rolling out the patch in the summer of 2002, but issues with server restarts required Windows experts to be present during patching. Since very few of these experts were safety certified for platform access, most platforms were still not patched when Slammer hit six months later.

When There Are No Patches

Of course, you can only use patches to fix vulnerabilities if the vendor has created a patch. Unfortunately, this is the exception rather than the rule. At the SCADA Security Scientific Symposium (S4) in January 2012, Sean McBride noted that less than half of the 364 public vulnerabilities recorded at ICS-CERT had patches available at that time.

Some accuse the vendors of indifference or laziness, but there are many factors that prevent the quick release of a patch.

In 2010, a major ICS vendor told me that internal testing of a mission critical product had revealed security issues. Unfortunately, these vulnerabilities were part of an embedded OS supplied by a 3rd party. Now the OS supplier refused to address the vulnerabilities, and so the ICS vendor (and its customers) faced a situation where patching was not possible.

In a 2011 case involving another ICS vendor, vulnerable backdoors were found in a PLC by an independent security researcher, who publically exposed them. The vendor designed a patch to remove backdoors, but then learned that these backdoors were widely used by troubleshooting teams for customer support. To complicate matters, the company’s quality assurance (QA) process for product changes required four months to complete. This meant that even if customers were willing to sacrifice support for security, they were faced with a four month window of exposure while they waited for the proper testing of patches to be completed.

When it comes to patching for SCADA and ICS system security, the cure may well be worse than the disease itself. Image Credit: www.time.com

Many SCADA/ICS Users Choose Not to Patch

My last example highlights a core problem with a patch-based strategy for control system security. Many customers simply don’t want to run the risk of degrading service and increasing downtime. The vendor noted in the previous example privately told me that they have a 10% patch download rate for released patches.

My own experience with an ICS security product confirms the reality of low patch acceptance in the field.

In September 2010, we released Tofino Industrial Security System version 1.6. This upgrade addressed a number of security and performance issues and was offered to all registered users at no charge – if downloaded within 30 days. Initial acceptance was low, so we repeated the offer for an additional 30 days. After two months, only 30% of users had downloaded the free upgrade. And that doesn’t necessarily mean they all installed it!

Planned Patching is Good. Reactive Patching is Bad. Rushed Patching is Ugly

Let’s be clear – patching bugs is an important process for any control system. And patching for vulnerabilities is critical for good security. But the IT strategy of reactive, continuous patching on a monthly or weekly basis just won’t work for SCADA and ICS systems. Patching in a hurry is just plain dangerous.

SCADA/ICS vendors face multiple issues when trying to create “quick” patches – they have to consider both safety and QA requirements that often delay patch releases. In other cases, a reasonable and safe patch just isn’t possible.

SCADA/ICS customers face similar concerns. And quite frankly, who can blame them for not wanting to increase downtime or expose their critical controller or server systems to safety risks?

Patch support for legacy products is also an issue – many expect a control product to operate for 20 years, putting it well outside the typical IT support window. Finally, as noted in the Slammer worm example, patches can require significant staff resources to install safely.

So create a patching plan that works for your process environment. Make sure that it includes processes for proper tests and change management controls.

Just don’t expect patches to be a quick fix for your control system’s security problems. If you do, you may discover new problems that are worse than the bugs the patches cure.

Do you have stories to support or contradict the opinions expressed here? Let me know your thoughts.

In my next blog, I’ll share some secrets on how to successfully use patching in SCADA and control systems.

https://www.tofinosecurity.com/blog/patching-scada…

OWN WORK PLEASE

NO PLAGIARISM

"You need a similar assignment done from scratch? Our qualified writers will help you with a guaranteed AI-free & plagiarism-free A+ quality paper, Confidentiality, Timely delivery & Livechat/phone Support.


Discount Code: CIPD30



Click ORDER NOW..

order custom paper