A practical patch management solution for the ICS environment
Patch management is an important component of an overall ICS security program. In some cases, the only mitigation for a discovered vulnerability is to install a software patch provided by the supplier. However, patch management in an ICS is challenging in that deploying patches can introduce risk – sometimes more risk than the risk of the vulnerability the patch addresses. ICS patch management policies and procedures need to balance the need for system reliability with the need for system security.
aeSolutions can assist in the development and implementation of an ICS patch management program and the deployment of patch management software to assist organizations in meeting the requirements set forth in ICS cybersecurity standards such as ISA/IEC 62443 and NERC CIP.
Why patching is important
Attackers exploit known vulnerabilities to weaponize your own software against you. Installing a patch removes these vulnerabilities, which in turn nullifies the exploits, effectively removing an opportunity from the attacker. Do this regularly and well, and you will reduce what is called your ‘attack surface’. Patching is extremely effective at thwarting attackers; in fact, it is considered one of the top four controls by the security community. aeCyberPatch provides a patch management solution tailored for the ICS environment.
What is aeCyberPatch?
With aeCyberPatch you can create a practical, affordable program to regularly deploy Microsoft security updates to ICS computers. Working within your existing WSUS/SCCM environment, the solution is based on Panacea Update Manager, a patch management system that takes care of the hard work of gathering all the appropriate Microsoft security updates that have been approved by your ICS application software providers.
This puts the right information into the hands of ICS system administrators making it much more practical and efficient to regularly deploy updates with the confidence of knowing they are applicable to your assets and approved by your ICS application software vendors.
Benefits of aeCyberPatch
• Provides an automated process to obtain and apply vendor-approved Microsoft patches to ICS Windows assets
• Reconciles patches on the approved list against your installation, so you apply only the patches required for each host computer
• Integrates with WSUS/SCCM
• Provides a scalable deployment platform
Challenges deploying a patch management solution for OT networks
Microsoft tests and approves patches for its various Windows platforms, but control system vendors must retest and validate those patches for applicability to their systems. All vendor-approved patches are not
• Some patches may not be required depending on the applications running on a host
• The same patch approved by one control system vendor may not be applicable for others
• Some patches may require a system reboot
• To make matters worse, there is always a chance that one or more patches may cause a host to behave
Historically, the solution has been to deploy patches during controlled events such as a scheduled shutdown, maintenance turnaround, etc. However, since these events are infrequent, process control computers lag significantly behind on patch status. With the recent ransomware attacks on OT networks, there is urgency to deploy a better solution to help stay current on vendor-approved Microsoft patches.
aeCyberPatch can help
How do I know a patch is appropriate for a host computer?
Multi-vendor support (Rockwell, Siemens, GE, Wonderware, OSIsoft, Schneider, and more) helps identify and manage patches for different automation
How do I ensure a patch does not cause a critical host to
Transfers control to the user on when and what patches to apply, so deployment can be controlled and managed.
Can I configure a deployment strategy by grouping assets?
Allows creation of groups and subgroups. Can also be aligned with ISA 62443 security zones and conduit
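The reconciliation the page describes (an update must be on the approval list of every control-system vendor present on the host, must still be missing from the host, and is staged by security zone with its reboot need recorded) written out as an added Python example; this is not aeCyberPatch or Panacea code, and the vendor names, KB numbers and host inventory are constructed placeholders.

```python
"""Added example (not aeCyberPatch or Panacea code): reconcile vendor-approved
Microsoft updates against each ICS host's installed applications and stage the
result by ISA/IEC 62443 zone. All data below is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed sample: per-vendor approved update lists (KB numbers are placeholders).
VENDOR_APPROVED = {
    "VendorA": {"KB0000001", "KB0000002", "KB0000003"},
    "VendorB": {"KB0000001", "KB0000004"},
}
# Constructed sample: updates whose installation requires a host reboot.
REBOOT_REQUIRED = {"KB0000002", "KB0000004"}


@dataclass
class Host:
    name: str
    zone: str                                   # security zone the host sits in
    apps: set                                   # vendor applications installed
    installed_kbs: set = field(default_factory=set)  # updates already present


def applicable_updates(host, catalog):
    """Updates a host should receive: present in the WSUS/SCCM catalog, not yet
    installed, and approved by EVERY vendor whose software runs on the host.
    A vendor with no approval list contributes an empty set, so its hosts get
    nothing (the conservative choice for a control system)."""
    if not host.apps:
        return set()
    approved = set.intersection(*(VENDOR_APPROVED.get(v, set()) for v in host.apps))
    return (approved & catalog) - host.installed_kbs


def plan_by_zone(hosts, catalog):
    """Group per-host results by zone so deployment can be staged one zone at a
    time; each host entry also lists which of its updates need a reboot window."""
    plan = {}
    for h in hosts:
        kbs = applicable_updates(h, catalog)
        plan.setdefault(h.zone, {})[h.name] = {
            "install": sorted(kbs),
            "reboot": sorted(kbs & REBOOT_REQUIRED),
        }
    return plan
```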