Industrial Internet Security Framework v 1.0 | Page 112

Security Framework 11: Security Configuration and Management

To author and deliver the policy, as well as during the extraction of the events, the metadata about the policy and about the events must be carefully guarded. Access control over these must be strictly enforced, or the best security implementations will be rendered vulnerable to compromise. Security metadata from any data monitoring requires policies defining how it is handled and who has ownership of and access to it. There may be privacy implications to some of the security data collected.

11.5.1 SECURE SOFTWARE PATCHING AND FIRMWARE UPDATE

As the amount and complexity of software increases, so does the number of defects, some of which will be exploitable vulnerabilities. Others may cause unpredictable system failures, timing issues, reductions in system performance or reliability, or other unknown problems. Once discovered, these defects can often be fixed by patching. If over-the-air updates are implemented, network-related vulnerabilities that affect the integrity of the over-the-air process should be addressed first.

IEC TR 62443-2-3:2015 ‘Patch Management in the IACS Environment’1 defines relevant terminology, lays out patching requirements for both asset owners and product suppliers, and defines a schema for patch information exchange. It also provides guidance for qualifying, verifying and deploying software patches in operational systems.

Sometimes it is not possible to update an endpoint, for example when the endpoint is too important to continued operation to risk any modification. Some updates may invalidate a certification or compliance with a standard until the requisite safety assessment is rerun.

A wide range of methods provides software and firmware updates to endpoints. Some endpoints require direct physical access to the device to update it (e.g., by attaching a serial cable or a USB drive).
Others allow users to download an update from a remote location and install it locally via command-line or agent commands. Clearly, automatic upgrades are easier for administrators, more easily validated to ensure the integrity of the update and its provenance, more likely to be applied and easier to verify as having been applied. As a result, they are more efficient and less costly than update approaches requiring physical intervention at each device.

Software and firmware updates add security, safety, reliability or functionality features, especially in brownfield scenarios. Systems with strong safety and availability requirements often use a staging area to test updates prior to updating all the endpoints. Without confidence that they work, software updates will be ignored, as the operational risk is too great.

Secure update of endpoints can be implemented using software or a combination of software and hardware—with hardware features adding additional layers of protection, integrity and trust. Using hardware containers such as an HSM, TPM or other TEE is strongly recommended. Keys used in upgrades can be managed by a third-party certificate authority and updated as needed. The same mechanism used to update firmware or software securely can also be used for updating system configurations and ensuring that the software is from the expected source.

1 See [IEC-62443-23]

IIC:PUB:G4:V1.0:PB:20160926 - 112 -
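The provenance and integrity checks this section calls for on an update (is it from the expected source, is the image unaltered, and is it not an older image being pushed back onto the device) can be made concrete with a small Go program. This is an added example, not code from the Industrial Internet Security Framework or from IEC 62443-2-3: the manifest layout, the choice of Ed25519 over a SHA-256 image digest, and the monotonic-version rollback check are assumptions made for illustration. The pinned public key stands in for the key an HSM, TPM or other TEE would hold on a real endpoint, and the private key stands in for one managed by the publisher's certificate authority.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The signature covers both the
// version and the image digest, so neither can be altered in transit
// without invalidating it. (Constructed layout for this example; the
// IISF does not prescribe a manifest format.)
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// signedBytes is the exact byte string the publisher signs and the endpoint
// verifies: big-endian version followed by the SHA-256 digest of the image.
func signedBytes(version uint32, imageHash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], imageHash[:])
	return buf
}

// SignManifest is the publisher-side step: run once per release with the
// private key, which never leaves the release infrastructure.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, signedBytes(version, h)),
	}
}

// VerifyUpdate is the endpoint-side step, run before anything is written to
// flash. pub is the pinned publisher key; installedVersion is the version of
// the firmware currently running. All three checks must pass.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, m Manifest, image []byte) error {
	// 1. Provenance: the manifest was produced by the holder of the pinned key.
	if !ed25519.Verify(pub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return errors.New("manifest signature invalid: update is not from the expected source")
	}
	// 2. Integrity: the image delivered is the one the manifest was signed over.
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image digest does not match the signed manifest")
	}
	// 3. Anti-rollback: a genuine but older image must not replace a newer one,
	//    since it would reintroduce defects already patched.
	if m.Version <= installedVersion {
		return fmt.Errorf("rollback rejected: manifest version %d <= installed version %d",
			m.Version, installedVersion)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for CA-managed keys
	image := []byte("constructed firmware image v2")  // constructed sample image
	m := SignManifest(priv, 2, image)

	fmt.Println("genuine update:", VerifyUpdate(pub, 1, m, image))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, m, tampered))
	fmt.Println("rollback:", VerifyUpdate(pub, 2, m, image))
	fmt.Println("image digest:", hex.EncodeToString(m.ImageHash[:]))
}
```

The order of the checks matters on a constrained endpoint: the signature is verified over the short manifest first, so a bogus image is rejected before the device spends time hashing it, and the version check uses the signed version rather than one read from the image, so an attacker cannot satisfy it by editing unsigned bytes. The same verify routine applies unchanged to signed configuration bundles, which is the reuse the section describes.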