BSI PD IEC/TR 62443-2-3:2015
$198.66
Security for industrial automation and control systems – Patch management in the IACS environment
| Published By | Publication Date | Number of Pages |
| BSI | 2015 | 66 |
This part of This part of IEC 62443 , which is a Technical Report, describes requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch management program.
This Technical Report recommends a defined format for the distribution of information about security patches from asset owners to IACS product suppliers, a definition of some of the activities associated with the development of the patch information by IACS product suppliers and deployment and installation of the patches by asset owners. The exchange format and activities are defined for use in security related patches; however, it may also be applicable for non-security related patches or updates.
The Technical Report does not differentiate between patches made available for the operating systems (OSs), applications or devices. It does not differentiate between the product suppliers that supply the infrastructure components or the IACS applications; it provides guidance for all patches applicable to the IACS. Additionally, the type of patch can be for the resolution of bugs, reliability issues, operability issues or security vulnerabilities.
This Technical Report does not provide guidance on the ethics and approaches for the discovery and disclosure of security vulnerabilities affecting IACS. This is a general issue outside the scope of this report.
This Technical Report does not provide guidance on the mitigation of vulnerabilities in the period between when the vulnerability is discovered and the date that the patch resolving the vulnerability is created. For guidance on multiple countermeasures to mitigate security risks as part of an IACS security management system (IACS-SMS), refer to, Annexes B.4.5, B.4.6 and B.8.5 in this Technical Report and other documents in the IEC 62443 series.
PDF Catalog
| PDF Pages | PDF Title |
|---|---|
| 4 | CONTENTS |
| 7 | FOREWORD |
| 9 | INTRODUCTION |
| 10 | 1 Scope 2 Normative references 3 Terms, definitions, abbreviated terms and acronyms 3.1 Terms and definitions |
| 11 | 3.2 Abbreviated terms and acronyms |
| 13 | 4 Industrial automation and control system patching 4.1 Patching problems faced in industrial automation and control systems 4.2 Impacts of poor patch management |
| 14 | 4.3 Obsolete IACS patch management mitigation 4.4 Patch lifecycle state Tables Table 1 – Patch lifecycle states |
| 15 | 5 Recommended requirements for asset owner Figures Figure 1 – Patch state model |
| 16 | 6 Recommended requirements for IACS product supplier 7 Exchanging patch information 7.1 General |
| 17 | 7.2 Patch information exchange format 7.3 Patch compatibility information filename convention 7.4 VPC file schema |
| 18 | Figure 2 – VPC file schema |
| 19 | 7.5 VPC file element definitions Figure 3 – VPC file schema diagram format Table 2 – VPC XSD PatchData file elements |
| 20 | Table 3 – VPC XSD PatchVendor file elements Table 4 – VPC XSD Patch file elements |
| 22 | Table 5 – VPC XSD VendorProduct file elements |
| 23 | Annex A (informative) VPC XSD file format A.1 VPC XSD file format specification |
| 25 | A.2 Core component types A.2.1 Overview A.2.2 CodeType |
| 26 | A.2.3 DateTimeType A.2.4 IdentifierType Table A.1 – CodeType optional attributes Table A.2 – DateTimeType optional attributes |
| 27 | A.2.5 IndicatorType A.2.6 TextType Table A.3 – IdentifierType optional attributes Table A.4 – IndicatorType optional attributes Table A.5 – TextType optional attributes |
| 28 | Annex B (informative) IACS asset owner guidance on patching B.1 Annex organization B.2 Overview |
| 29 | B.3 Information gathering B.3.1 Inventory of existing environment Figure B.1 – IACS patch management workflow |
| 31 | B.3.2 Tools for manual and automatic scanning |
| 32 | B.3.3 IACS product supplier contact and relationship building |
| 33 | Table B.1 – Sample product supplier profile |
| 34 | B.3.4 Supportability and product supplier product lifecycle B.3.5 Evaluation and assessment of existing environment |
| 35 | B.3.6 Classification and categorization of assets/hardware/software |
| 36 | Table B.2 – Communication capabilities |
| 37 | Table B.3 – Sample software categorization |
| 38 | B.4 Project planning and implementation B.4.1 Overview Figure B.2 – Planning an IACS patch management process |
| 39 | B.4.2 Developing the business case |
| 40 | B.4.3 Establishing and assigning roles and responsibilities |
| 41 | Table B.4 – Responsibility assignment definitions |
| 42 | B.4.4 Testing environment and infrastructure Figure B.3 – Sample responsibilities chart |
| 43 | B.4.5 Implement backup and restoration infrastructure |
| 44 | B.4.6 Establishing product supplier procurement guidelines B.5 Monitoring and evaluation B.5.1 Overview Figure B.4 – Patch monitoring and evaluation process |
| 45 | B.5.2 Monitoring and identification of security related patches B.5.3 Determining patch applicability |
| 46 | B.5.4 Impact, criticality and risk assessment |
| 47 | B.5.5 Decision for installation B.6 Patch testing B.6.1 Patch testing process Figure B.5 – A patch testing process Table B.5 – Sample severity based patch management timeframes |
| 48 | B.6.2 Asset owner qualification of security patches prior to installation B.6.3 Determining patch file authenticity B.6.4 Review functional and security changes from patches |
| 49 | B.6.5 Installation procedure |
| 50 | B.6.6 Patch qualification and validation B.6.7 Patch removal, roll back, restoration procedures |
| 51 | B.6.8 Risk mitigation alternatives |
| 52 | B.7 Patch deployment and installation B.7.1 Patch deployment and installation process B.7.2 Notification of affected parties Figure B.6 – A patch deployment and installation process |
| 53 | B.7.3 Preparation B.7.4 Phased scheduling and installation |
| 54 | B.7.5 Verification of patch installation B.7.6 Staff training and drills |
| 55 | B.8 Operating an IACS patch management program B.8.1 Overview B.8.2 Change management B.8.3 Vulnerability awareness |
| 56 | B.8.4 Outage scheduling B.8.5 Security hardening B.8.6 Inventory and data maintenance |
| 57 | B.8.7 Procuring or adding new devices B.8.8 Patch management reporting and KPIs |
| 58 | Annex C (informative) IACS product supplier / service provider guidance on patching C.1 Annex organization C.2 Discovery of vulnerabilities C.2.1 General |
| 59 | C.2.2 Vulnerability discovery and identification within the product C.2.3 Vulnerability discovery and identification within externally sourced product components |
| 60 | C.3 Development, verification and validation of security updates C.4 Distribution of cyber security updates C.5 Communication and outreach |
| 62 | Bibliography |
