Last week you identified the types and number of OT cyber assets in each of the three security patching categories. This week you will take this information and develop an OT Security Patching Program and Schedule.

Remember the guiding factor is efficient risk reduction. Where will we get the most risk reduction for the next dollar or hour spent? We will achieve this by placing most of our effort (~75%) on patching the small number of cyber assets in the Priority category, lesser resources (~25%) on the Maintenance category, and no security patching resources on the Support category. The Support category is only addressed during major scheduled outages, and the purpose there is to maintain the cyber assets in a supportable state, not to reduce OT cyber risk.

Another common flaw in OT security patching is that the program reflects an intention rather than a commitment. For example: we would like to apply security patches to everything quarterly, but we have typically patched about one-third of the OT cyber assets every six months.

This week you should select a cadence that you are committed to meeting and auditing. It’s better to say quarterly and achieve it than to have a monthly cadence and almost never achieve it. Meeting your cyber maintenance commitments allows you to correctly identify and manage your OT cyber risk.

To complete this week’s task, you should:

  • Identify the security patching interval for your Priority and Maintenance OT Security Patching categories.
  • Identify the individuals or roles responsible for security patching the cyber assets in these two categories.
  • Identify the tools these roles will use in the security patching process.
  • Identify a security patching audit plan. This should be a plan to do, at a minimum, sample auditing of security patch status after a patch interval until the security patching program is viewed as under control. After it is under control, and as your OT security program matures, you can decide if you should adjust your patching cadence.

Priority OT Security Patching Category

Patching Interval:

Responsible Individuals or Roles:

Security Patching Tools:

Priority Security Patching Audit Plan:

Maintenance OT Security Patching Category

Patching Interval:

Responsible Individuals or Roles:

Security Patching Tools:

Maintenance Security Patching Audit Plan: