Patching our Critical Infrastructure: Towards an Efficient Patch and Update Management for Industrial Control Systems

Patching our Critical Infrastructure: Towards an Efficient Patch and Update Management for Industrial Control Systems

Konstantin Knorr (Trier University of Applied Sciences, Germany)
DOI: 10.4018/978-1-4666-2659-1.ch008
OnDemand PDF Download:
$30.00
List Price: $37.50

Abstract

Worm epidemics such as Stuxnet and Conficker have raised great interest in the public and media lately and stressed the question of how our critical infrastructure can be protected against such attacks. Besides reactive measures like incident response, pro-active counter measures are required. Patch management is such an essential pro-active measure for the secure operation of our critical infrastructure. It is an indispensable activity which is required in many standards. This chapter focuses on patch and update management for industrial control systems that are part of our critical infrastructure. Standards for the automation of patch management and selected operational security standards are discussed in the context of patch management. The main contribution of the chapter is the definition and description of a standard conform patch management process for industrial control systems with special focus on the interaction between operator and vendor of such systems.
Chapter Preview
Top

Introduction

The security of industrial control systems (ICSs) has received considerable attention over several years e.g. by Knapp (2011), Stouffer, Falco, & Scarfone (2011) and Weiss (2011). This can be traced back to an increased awareness for this topic and several technological trends for ICSs. The National Vulnerability Database (http://www.nvd.gov) currently stores ~50.000 vulnerabilities. Even though many of these vulnerabilities cannot directly be applied to ICSs, they have to be taken seriously for ICSs due to the following ICS trends:

  • ICSs increasingly use and consist of standard third party software like Windows operating systems and Apache web server often due to cost pressure and customer requirements.

  • ICSs increasingly use standard communication protocols like TCP/IP, public communication networks like the Internet, and wireless technologies often also due to cost saving and customer requirements.

These trends lead to a multiplication of the attack surface in comparison to former ICSs. Hacking know-how of such standard software and protocols is readily available and sets ICSs in the focus of attackers who have previously focussed rather on standard IT systems. Malware like Stuxnet clearly indicates that attackers are already taking advantage of the changing environment. The US Computer Emergency Response Team (CERT) reacted to the increasing threats to ICSs by creating the Control System Security Program (cf. http://www.us-cert.gov/control_systems/). Within the program 100 control system advisories and reports were published from January 1st to October 18th 2011. For the entire year 2010 only 36 advisories and reports have been published which clearly indicates the increased attention ICS vulnerabilities have been getting lately.

The following timeline of security events for ICSs illustrates the growing relevancy and importance of patch management for ICSs:

  • In 2003 the Slammer worm attacked a nuclear power plant in Ohio and blocked a safety monitoring system for several hours, cf. Poulsen (2003). Malware like Slammer infects unpatched systems. Patching is therefore one of the most important measures to protect an ICS against malware.

  • In 2006 a remotely exploitable buffer overflow in the LiveData Inter-Control Center Communications Protocol (ICCP) implementation was found and publically announced. ICCP is an example of a protocol used between ICSs and stresses the importance of patching protocol implementations, as a single malformed packet could crash the ICS’s communication servers, cf. US CERT (2006) for more information.

  • Krebs (2008) reports how a software update caused an emergency shutdown of a nuclear power plant in Georgia. Note that in contrast to the incident described by Poulsen (2003) here the installation of the patch caused the problems, while in Ohio the Slammer worm was able to penetrate the system because security patches were not applied.

  • Stuxnet has given the patch management for ICSs a major push. Even though Stuxnet used several Windows zero-day-exploits for which patches have not been available at the time of the first break out, Stuxnet nicely illustrates the necessity of patching and protecting ICSs and the timely reaction to security alters. Falliere, Murchu, & Chien (2011) provide more details on Stuxnet.

The above events clearly demonstrate the necessity to develop patch management practises suitable for ICS environments. The fundamental challenge is to find a balance between fixing exploitable security holes by applying patches on the one hand, and guaranteeing the system’s availability which is challenged by system downtimes caused by the installation of patches and malfunctioning patches on the other hand.

Complete Chapter List

Search this Book:
Reset