Patch Delivery Infrastructure in SCADA Systems

Abstract: As other technologies, the SCADA architecture, whose origin can be traced back to midtwentiethcentury, was not designed initially with security in mind. Recent cyber-attacks andsecurity incidents show that approaches like security through obscurity and air-gapping thesystems are not relevant anymore. An analysis from E-ISAC about the cyber-attack on theUkrainian power grid shows that the risk could be significantly mitigated with prioritizing andpatching the known vulnerabilities on the most critical assets in an organization. The problem ishow to assure the secure deployment of patches in a timely manner and to ensure that they areapplied to the correct targets. This is achievable with a patch delivery infrastructure.Within a heterogeneous environment with several operating system platforms, multiple use casesand stringent security requirements there is no standardized design which solves the problem.This was the case in large SCADA manufacturer who provides patch management service to itscustomers around the globe. The goal of the degree project was to study and model its currentpatch management workflow, the current patch delivery infrastructure and propose new designsand approaches based on the collected use cases, that must be covered by the company, andrequirements from academia and industry standards. Two new concrete designs were proposedwith different level requirements fulfilment and changes which must be done compared to the asisstate in the company. They are based on client-server and configuration manager approaches.A third multi-platform configuration management solution is briefly outlined and will require acomplete change in the patch delivery infrastructure.Lastly, an evaluation framework was applied on the current patch delivery infrastructure and thetwo concrete design proposals which ranks them according to the fulfilment of the collected usecases and requirements. One should note that the best solution which solves the problem mightnot be the best solution to be implemented in the company. Future work will be needed to makeprototypes, test and evaluate them with a better framework developed by the enterprise’s experts.