The present embodiments relate to managing patching in industrial control systems. In particular, the timing and/or priority of patching software vulnerabilities in an industrial control system is provided.
Unpatched published vulnerabilities represent the most likely attack vector for software. Patching industrial control systems remains an unsolved problem for the security community. The manufacturing sector, for instance, takes an average of 51 days from disclosure to install a patch. There are a number of reasons why patching of industrial control system components is typically not performed immediately after the patch or vulnerability is disclosed. As a general rule, the fixes incorporated into patches have to be exhaustively tested, both by the vendor and by the asset owner, before deployment, to avoid the shutdown costs associated with an improper fix to control systems. In addition, some patches require a complete system reboot, which might have to be synchronized with plant maintenance schedules in which a production outage is already expected. Given the desire to greatly limit downtime in industrial manufacturing, it is crucial to understand which components and vulnerabilities deserve the most attention.
Patching models may also be useful for government agencies responsible for providing support during massive attack campaigns. Information about which industrial control components are more likely to be attacked may guide the use of limited resources and expertise.