A few weeks ago, an inspector visited my home as part of a refinance process. My family is good about home maintenance activities, but he did remind us to caulk and patch the exterior of our house each year. This preventative maintenance best practice protects our most valuable asset from the elements. This visit reminds me of another visit – one I recently made to a large power company. We talked at length about preventative maintenance within their fleet and how they process patches that address identified vulnerabilities. Their process had many holes in it, leaving vulnerabilities unaddressed and unmitigated within their control networks.
Their patch management process comprises four steps in total. First, a central testing group receives patch information from Microsoft and control system vendors. Second, the group captures the information in a Microsoft Excel spreadsheet and passes it along to plant personnel for evaluation. Third, plant personnel, at their own discretion, evaluate the same patch information from Microsoft and control system vendors. Finally, they decide whether to implement the patch, mitigate the risk, or potentially do nothing. The testing group has no visibility into what the plant ultimately does or when it does it. Each plant makes independent decisions that may or may not have consistent outcomes. This is clearly not an ideal, closed-loop process with auditable transparency.
Industry best practices dictate that patches are evaluated immediately, by matching Microsoft updates and vendor bulletins against an automatically updated cyber asset inventory. A centralized testing group validates applicability and readiness, then notifies plants of the need to implement the patch or to take steps to mitigate the risk. Workflows automate testing, implementation, and mitigation activities, providing full visibility into compliance status. Workflows also leave electronic breadcrumbs that aid in internal and regulatory audits.
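To make the closed-loop idea concrete, here is an added example (not code from this post or from the utility described) of the skeleton such a workflow needs: bulletins are matched against an asset inventory, each affected asset gets a work item with an explicit state machine (open, testing, approved, implemented, mitigated, risk accepted), mitigation and risk acceptance require a recorded reason, and every event lands in an append-only audit log that yields the per-plant compliance view the central group lacked. All asset names, plant names, product names and the bulletin identifier are constructed for illustration.

```python
"""Minimal closed-loop patch tracker (added illustration; all names constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Asset:
    asset_id: str
    plant: str
    product: str      # software or firmware name as tracked in the inventory
    version: str


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    product: str
    affected_versions: frozenset  # versions the vendor lists as affected
    fixed_version: str


# Allowed work-item transitions; anything else is rejected and logged.
TRANSITIONS = {
    "open": {"testing", "mitigated", "risk_accepted"},
    "testing": {"approved", "mitigated", "risk_accepted"},
    "approved": {"implemented", "mitigated"},
}
CLOSED = {"implemented", "mitigated", "risk_accepted"}


@dataclass
class WorkItem:
    asset_id: str
    bulletin_id: str
    plant: str
    state: str = "open"


class PatchTracker:
    def __init__(self, inventory):
        self.inventory = {a.asset_id: a for a in inventory}
        self.items = {}   # (asset_id, bulletin_id) -> WorkItem
        self.audit = []   # append-only: (timestamp, actor, event, detail)

    def _log(self, actor, event, detail):
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, event, detail))

    def ingest(self, bulletin, actor="central-testing"):
        """Match a bulletin against the inventory; open one work item per affected asset."""
        created = []
        for a in self.inventory.values():
            if a.product == bulletin.product and a.version in bulletin.affected_versions:
                key = (a.asset_id, bulletin.bulletin_id)
                if key not in self.items:
                    self.items[key] = WorkItem(a.asset_id, bulletin.bulletin_id, a.plant)
                    created.append(key)
                    self._log(actor, "work_item_opened", f"{a.asset_id}/{bulletin.bulletin_id}")
        return created

    def transition(self, asset_id, bulletin_id, new_state, actor, reason=""):
        """Move a work item along the state machine; illegal moves are logged and refused."""
        item = self.items[(asset_id, bulletin_id)]
        if new_state not in TRANSITIONS.get(item.state, set()):
            self._log(actor, "transition_rejected", f"{asset_id}/{bulletin_id}: {item.state}->{new_state}")
            raise ValueError(f"illegal transition {item.state} -> {new_state}")
        # Mitigation and risk acceptance must carry a recorded reason for auditors.
        if new_state in {"mitigated", "risk_accepted"} and not reason:
            raise ValueError("mitigation or risk acceptance requires a reason")
        old, item.state = item.state, new_state
        self._log(actor, "transition", f"{asset_id}/{bulletin_id}: {old}->{new_state} {reason}".rstrip())
        return item.state

    def compliance(self):
        """Per-plant open vs. closed counts: the visibility the central group did not have."""
        report = {}
        for item in self.items.values():
            p = report.setdefault(item.plant, {"open": 0, "closed": 0})
            p["closed" if item.state in CLOSED else "open"] += 1
        return report


def demo():
    # Constructed inventory and bulletin; only HMI-01 runs an affected version.
    inventory = [
        Asset("HMI-01", "PlantA", "ExampleHMI", "3.1"),
        Asset("HMI-02", "PlantB", "ExampleHMI", "3.2"),
        Asset("HIST-01", "PlantA", "ExampleHistorian", "7.0"),
    ]
    bulletin = Bulletin("VENDOR-EXAMPLE-0001", "ExampleHMI", frozenset({"3.0", "3.1"}), "3.3")
    t = PatchTracker(inventory)
    t.ingest(bulletin)
    t.transition("HMI-01", bulletin.bulletin_id, "testing", "central-testing")
    t.transition("HMI-01", bulletin.bulletin_id, "approved", "central-testing")
    t.transition("HMI-01", bulletin.bulletin_id, "implemented", "PlantA-ops")
    return t


if __name__ == "__main__":
    tracker = demo()
    print(tracker.compliance())
    for entry in tracker.audit:
        print(entry)
```

The point of the design is that the plant cannot silently "do nothing": a work item stays open and visible in the compliance report until someone records an implementation, a mitigation with a reason, or an explicit risk acceptance with a reason, and every one of those decisions is attributable to an actor in the audit log.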
Applying information technology (IT) standards to operational technology (OT) challenges is a common mistake we see in the industry. The differences between the two are stark and often unclear to personnel in each camp. Nevertheless, OT can benefit from certain tried-and-true approaches, such as workflow automation, to drive good patch management practices. Doing so means the “house” is more secure, with fewer vulnerabilities exposed to the elements. It just takes a little more preventative maintenance than most houses (or plants) receive today.
Is your patch management process transparent, automated, and closed loop? If an inspector came to your “home,” what would they find?