Joe Weiss has written a blog post about the new ENISA report “Window of exposure … a real problem for SCADA systems? Recommendations for Europe on SCADA patching”, dated December 2013. ENISA (http://www.enisa.europa.eu) is the European Union Agency for Network and Information Security, so this is a governmental organization speaking.
Joe says: “Is security patching important? I don’t think there would be much disagreement. However, is patching control systems different than patching business IT systems? The answer is a resounding yes. Consequently, ISA established a committee on Patch Management for Industrial Control Systems – ISA 99.06 – yet it isn’t even referenced. I was on the NERC Control System Cyber Security Working Group where they developed a guideline for patch management of SCADA systems that included references to ISA99.06.”
A “SCADA” patching guidelines document that doesn’t reference standards for patching of SCADA systems is probably not the most useful document, don’t you think?
Joe points out that industrial control systems, including SCADA systems, are actually systems of systems. The ENISA recommendation that patches should be tested in the same or a very similar environment to the one they will be deployed in is fine as a motherhood statement, but it is difficult, expensive, and probably not very practical to put together a test bed for every SCADA system.
Joe concludes: “The ENISA document is correct in stating there will be a window of exposure. However, there are really two issues:
1) What can be done to make the unpatched control system “invisible or inaccessible” so patching becomes irrelevant?
2) If not, what policies, operational changes, etc. should be employed during this window?
I saw nothing in the document to address these issues.”