Protect
Protection Overview
Protection Summary Protection is a cyber security focus area that addresses technology, methods, and best practices for protecting generation OT networks and digital equipment against cyber-attacks (e.g., hardening, encryption, identity and access management, etc.). The objective of protection is to prevent an attacker from gaining access or minimize the chance that it occurs. This includes identity and access management, data security, platform security, and the resiliency of the architecture and assets. Protective measures like hardening may also be implemented with existing tools.
Key protection topics include:
- Security Architectures and Segmentation
- Vulnerability Management
- Hardening
- Secure Remote Access
- Transient Cyber Assets and Removable Media
- Identity and Access Management
Segmentation and Security Architectures
Vulnerability and Patch Management
Vulnerability Management is an ongoing process of identifying, assessing and addressing security vulnerabilities. It involves the systematic discovery, assessment and remediation of vulnerabilities to reduce the risk of cyber attacks and data breaches.
Challenges with vulnerability and patch management in power generation facilities include:
- Many companies utilize a manual process of identifying, prioritizing, and remediating vulnerabilities in OT systems. This process is time-consuming and error-prone.
- Companies implement automated vulnerability scanning tools and threat intelligence feeds – prioritizing vulnerabilities based on their potential impact on operations. These tools typically require manual effort to review and disposition OT impact.
- Dependencies on third parties can introduce delays in the process of vulnerability remediation. Vendors validating the patches before the release can leave systems exposed for longer durations. To overcome this, a streamlined process should be established for validating and deploying the patches promptly.
- Vulnerability advisories are not entirely accurate. In 2022 approximately 34% of vulnerabilities were found to be inaccurate. (Source: Dragos)
- Adversaries interested in attacking old and unpatched vulnerabilities – The most exploited vulnerability of 2022 (Product - FortiOS and FortiProxy) was discovered in 2018
Current vulnerability and patch management key practices include continuous monitoring, automated patch deployment, and vendor patch support and outsourcing:
- Continuous Monitoring. Deploying automated tools to assess and monitor. Proper configuration and management of data should be done to avoid a significant backlog of data and alerts.
- Automated Patch Deployment. Cautiously deploy automated tools using test environments, change management, and rollback plans to avoid accidentally disrupting operations.
- Vendor Support. Collaborate with vendors/suppliers to test and deploy patches promptly.
Relevant EPRI Resources
- Risk-Informed Vulnerability and Patch Management Guide: Generation Cyber Security
- Advanced Vulnerability Grading Tool (AVGT) v 1.1
- Distributed Control Systems, Automation Technologies, and Embedded Security: Generation Cybersecurity
- Control System Protocols and Security Scanning: Guideline on Cyber Security Scanning for Generation Plant Control Systems
- Cyber Security Technical Assessment Methodology: Risk Informed Exploit Sequence Identification and Mitigation, Revision 1
- Patch Management Guideline CBT Transfer Module, version 1.0
- Patch Management Guidelines