Patching our Critical Infrastructure: Towards an Efficient Patch and Update Management for Industrial Control Systems

Introduction

The security of industrial control systems (ICSs) has received considerable attention over several years e.g. by Knapp (2011), Stouffer, Falco, & Scarfone (2011) and Weiss (2011). This can be traced back to an increased awareness for this topic and several technological trends for ICSs. The National Vulnerability Database (http://www.nvd.gov) currently stores ~50.000 vulnerabilities. Even though many of these vulnerabilities cannot directly be applied to ICSs, they have to be taken seriously for ICSs due to the following ICS trends:

• •

  ICSs increasingly use and consist of standard third party software like Windows operating systems and Apache web server often due to cost pressure and customer requirements.

• •

  ICSs increasingly use standard communication protocols like TCP/IP, public communication networks like the Internet, and wireless technologies often also due to cost saving and customer requirements.

These trends lead to a multiplication of the attack surface in comparison to former ICSs. Hacking know-how of such standard software and protocols is readily available and sets ICSs in the focus of attackers who have previously focussed rather on standard IT systems. Malware like Stuxnet clearly indicates that attackers are already taking advantage of the changing environment. The US Computer Emergency Response Team (CERT) reacted to the increasing threats to ICSs by creating the Control System Security Program (cf. http://www.us-cert.gov/control_systems/). Within the program 100 control system advisories and reports were published from January 1st to October 18th 2011. For the entire year 2010 only 36 advisories and reports have been published which clearly indicates the increased attention ICS vulnerabilities have been getting lately.

The following timeline of security events for ICSs illustrates the growing relevancy and importance of patch management for ICSs:

• •

  In 2003 the Slammer worm attacked a nuclear power plant in Ohio and blocked a safety monitoring system for several hours, cf. Poulsen (2003). Malware like Slammer infects unpatched systems. Patching is therefore one of the most important measures to protect an ICS against malware.

• •

  In 2006 a remotely exploitable buffer overflow in the LiveData Inter-Control Center Communications Protocol (ICCP) implementation was found and publically announced. ICCP is an example of a protocol used between ICSs and stresses the importance of patching protocol implementations, as a single malformed packet could crash the ICS’s communication servers, cf. US CERT (2006) for more information.

• •

  Krebs (2008) reports how a software update caused an emergency shutdown of a nuclear power plant in Georgia. Note that in contrast to the incident described by Poulsen (2003) here the installation of the patch caused the problems, while in Ohio the Slammer worm was able to penetrate the system because security patches were not applied.

• •

  Stuxnet has given the patch management for ICSs a major push. Even though Stuxnet used several Windows zero-day-exploits for which patches have not been available at the time of the first break out, Stuxnet nicely illustrates the necessity of patching and protecting ICSs and the timely reaction to security alters. Falliere, Murchu, & Chien (2011) provide more details on Stuxnet.

The above events clearly demonstrate the necessity to develop patch management practises suitable for ICS environments. The fundamental challenge is to find a balance between fixing exploitable security holes by applying patches on the one hand, and guaranteeing the system’s availability which is challenged by system downtimes caused by the installation of patches and malfunctioning patches on the other hand.