The EU’s cybersecurity agency ENISA has issued recommendations for patching SCADA systems, warning that these systems need better protection in Europe and that member states could proactively deploy patch management to enhance their security.
Much of Europe’s critical infrastructure resides in sectors such as energy, transportation and water supply, and is largely managed and controlled by SCADA (Supervisory Control and Data Acquisition) systems. In the last decade SCADA technology has moved from isolated systems to open architectures and standard technologies that are highly interconnected with other corporate networks and the internet.
A consequence of this transformation is increased vulnerability to outside attacks. One way to enhance the security of SCADA is through the application of patches. Currently, two of the key issues with patching are the failure rate of patches (60%) and the lack of patches: fewer than half of the 364 public vulnerabilities have patches available for SCADA.
In a new report on SCADA patching, ENISA identifies best practices and recommendations for patching aimed at improving the security posture of SCADA environments. Among these are:
- Compensating controls, including strengthening defense in depth through network segmentation to create trusted zones that communicate using access controls, hardening SCADA systems by removing unnecessary features, and use of techniques such as application whitelisting and deep packet inspection
- Patch management program development and service contracting to define the roles and responsibilities of the parties (asset owners, vendors, etc.)
- Patch testing before deployment
- Patch distribution via a dedicated patch management system.
In a separate publication ENISA has set out good practice guidelines for emergency response on industrial control systems. Among the key conclusions is that while for traditional ICT systems the main priority is integrity, for industrial control systems availability is the highest priority, because they are indispensable for the seamless operation of critical infrastructure.
The main actors in industrial control systems sometimes do not have sufficient cybersecurity expertise. Likewise, the established computer emergency response teams do not necessarily understand sector-specific technical aspects of industrial control systems. Given the potentially significant damage, the hiring process for response teams requires staff to be vetted thoroughly. The importance of cooperation at both the domestic and international level must also be recognized.
Report: "Window of exposure… a real problem for SCADA systems"
Report: "Good practice guide for CERTs in the area of Industrial Control Systems"