Intro to Patch Management in IACS

Question 1

IACS Patching Life Cycle

Answer 1

• Information Gathering:
  
  • Inventory
  • Supplier Relationships
  • Supportability
  • Assess the existing environment
  • Categorize and classify assets
• Monitoring & Evaluation:
  
  • Monitor & ID patches
  • Determine Applicability
  • Risk Assessment
  • Decision
• Patch Testing:
  
  • File Authenticity
  • Review Changes
  • Install Procedure
  • Qualification & Verification
  • Removal Procedure
  • Risk Mitigation
• Patch Deployment:
  
  • Notification
  • Preparation
  • Scheduling
  • Deployment
• Verification & Reporting:
  
  • Verification
  • Training
  • Documentation

Question 2

Asset Owners requirement for Patching

Answer 2

High - Patch within 1 week
Medium - Patch within 3 months
Low - Patch within 2 years or the next available outage
None - Never

Question 3

Product Supplier or Service Provider requirement for Patching

Answer 3

• Discovery of Vulnerabilities
• Developement, verification & validation

Question 4

Protection mechanism against Malicious code

Answer 4

Prevent, Detect, Report, Mitigate