17 Jan 2022

Multi-staged patch-management approach streamlines update process

Patch management in an operational technology (OT)/industrial control system (ICS) setting is full of challenges.

From proprietary hardware and software to a lack of staff, inadequate or non-existent testing equipment, and regulatory reporting and system maintenance, many organisations struggle to determine what is in scope. This results in unmanaged patches.

To combat the challenges with vulnerability and patch management, Verve Industrial Protection has developed a multi-staged approach to streamline the patch management process. Combining our world class software with cost effective, scalable services, this blog outlines the various stages of a patching process and highlights how we help.

What is OT/ICS Patch Management?

Software patching is often thought of as a basic cyber security process. On the surface, it appears to be a straightforward practice: simply apply updates to your OT systems.

The software updates are provided by the vendors that are intended to close any security or functional holes in your systems. This is so basic on paper that it is often overlooked or neglected by many security teams and system operators.

Patch management is defined as a comprehensive cycle of ensuring baseline data, identifying available patches and known vulnerabilities, reviewing patches for applicability and OEM-vendor approval, designing deployment or mitigation strategies, executing patch deployment and confirmation, and finally re-establishing baselines.

But as it turns out, patching is not so straightforward after all. In fact, it is likely the single most time-consuming task that the North American power industry faces in adhering to regulatory expectations.

This is due to a combination of factors, most notably:

  • Lack of automatic inventory/monitoring of end systems
  • Difficulty in monitoring patch releases for all systems/applications
  • Time and expertise to review, approve, or mitigate patches in a workflow
  • Testing and individually assigning patches to groups of endpoints
  • Time to deploy on each device and confirm update working as appropriate
  • Time to document changes and update baselines

Because of these patch management challenges, Verve has created a six-step, end-to-end patching process. Using a combination of Verve Security Center (VSC) software and Engineering Services (both off site and on premise), the company can significantly reduce the time and complexity and improve the quality and compliance-readiness by integrating each of the critical steps in a single-flow process.

Six steps to effective OT/ICS patch management

Company info: Verve Industrial