NERC CIP Patch Management: Top 10 Questions from the Field 

Sep 3, 2025 | blog

Thank you to everyone who joined our webinar, Bridging Patch Management & Vulnerability Strategies for NERC CIP, with Foxguard’s Lead Solutions Architect and Derek Harp of CS2AI. We were thrilled by the number of excellent questions you submitted about NERC CIP patch management and compliance. While we couldn’t address all of them during the live session, our experts have answered the most common and insightful ones, compiled here for you to review and share.

REGULATIONS & COMPLIANCE 

How can IT/OT teams achieve and maintain NERC CIP compliance, especially when asset inventories are incomplete or shared? 

Consolidating asset management process controls and tooling is essential to a transparent, trustworthy asset inventory: you cannot patch, or prove that you patched, what you have not inventoried. Siloed departments and business units are the primary organizational pitfall that keeps IT and OT security and compliance from aligning. Breaking down those silos and consolidating controls and tooling where possible goes a long way toward aligning the two.

What OT cyber security regulations apply to municipal water facilities, and what are the recommended frameworks for improving security posture? 

Regulatory bodies such as the Environmental Protection Agency (EPA) and DHS/CISA have standards in place. Specifically, the America’s Water Infrastructure Act (AWIA) requires many community water systems to conduct risk and resilience assessments and to update their emergency response plans. I’d also recommend industry-specific frameworks such as the WaterISAC 15 Cybersecurity Fundamentals and the American Water Works Association (AWWA) J100 standard. Whatever framework you start with, we encourage maturing toward a NIST-based one. The CIS Critical Security Controls are a good way to implement a strong security baseline that aligns with NIST principles and addresses both operational and regulatory risk.

Is vulnerability mapping mandatory under NERC CIP, and how does it relate to other standards like IEC 62443? 

Vulnerability mapping becomes far more relevant under the upcoming NERC CIP-015-1, Internal Network Security Monitoring, but NERC CIP contains nothing close to a mandate for mapping as such. Established standards and best practices such as IEC 62443 are far more prescriptive about it. Our recommendation is always to take the security best practice approach and map it back to compliance: secure first, and compliance follows, keeping you proactively ahead of NERC CIP.

How are vulnerabilities prioritized in a NERC CIP context, and what frameworks are used to address limitations in the CVE database? 

NERC CIP treats vulnerability prioritization as a concept rather than a prescribed method, leaving the basis for prioritization to the Registered Entity. As long as you use a documented, consistently applied method, whether based on CVSS, CISA KEV, EPSS, or a combination of them, you should be compliant; what an auditor will look for is that the method you wrote down is the one you actually followed.

Foxguard’s Cyberwatch platform considers multiple factors for prioritization, including CVSS and EPSS scores and whether a CVE appears in the CISA KEV catalog. To address limitations in the CVE database, we also draw on information from other CVE Numbering Authorities (CNAs), vendor security advisories, and the European Vulnerability Database (EUVD). This gives a more comprehensive view than relying on a single source.

Our system also allows users to create custom criticality ratings for assets, so the prioritization method can be tailored to your environment. For example, you can adjust the CVSS score for a vulnerability based on the asset’s environment, such as lowering the score for an asset that is physically disconnected from the network (the same idea as the CVSS environmental metric group, where a modified Attack Vector reflects that the network path does not exist).

While the MITRE CWE framework is not used for prioritization, the associated CWEs for each CVE are available. The IVSS framework is an interesting approach, but it is not currently used. 

How do you distinguish between safety and compliance requirements in an OT environment, and what is NERC’s stance on incorporating new technologies like post-quantum encryption? 

Safety has always been measured as danger to “life and limb” and is far more tangible. Compliance requirements are broader and generally do not carry the same physical harm implications.

Regarding post-quantum encryption, there isn’t an official NERC stance yet, and given NERC’s pace in providing consistent, current guidance on things like cloud adoption, we wouldn’t expect one anytime soon.

TECHNICAL & OPERATIONAL CHALLENGES 

When it comes to NERC CIP patch management, OT environments face unique challenges, especially with legacy systems.

What are the recommended strategies for patch management in OT environments, particularly for legacy systems with limited vendor support? 

This comes down to defining the right risk register model for your organization, backed by a mature mitigation plan strategy, which matters most for legacy systems. A Patch Now / Patch Later / Patch Never posture is a good starting point: Patch Now for applicable patches you can apply within the normal cycle, Patch Later for ones deferred to a planned outage window, and Patch Never for systems where the vendor offers no fix or the operational risk of patching is unacceptable. The latter two buckets are not a way around CIP-007-6 R2: when an applicable patch is not applied within 35 calendar days of completing the evaluation (Part 2.3), a dated mitigation plan has to exist, and Patch Never items should carry their compensating controls (isolation, access restriction, monitoring) in that plan.
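As an added example (not Cyberwatch, Patchintel, or any other Foxguard code), the following Python sketch puts the prioritization inputs from the earlier answer (CVSS, EPSS, CISA KEV, a custom asset criticality rating, and an environmental downgrade for a physically disconnected asset) together with the Patch Now / Patch Later / Patch Never posture described here. The asset names, the placeholder CVE IDs, the weights, the 7.0 / 4.0 thresholds and the flat 3.0-point downgrade are all assumptions chosen for illustration; an entity would substitute and document its own.

```python
"""Vulnerability prioritization and Patch Now / Patch Later / Patch Never triage.

Added illustration, not code from Foxguard's Cyberwatch or Patchintel products.
Weights, thresholds and bucket rules are assumptions made for this example; what
NERC CIP asks for is that the method be documented and applied consistently.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int         # custom asset rating, 1 (low) .. 5 (high)
    network_connected: bool  # False = physically disconnected from any network


@dataclass(frozen=True)
class Vuln:
    cve: str                 # placeholder IDs below, not real CVEs
    cvss_base: float         # CVSS v3.1 base score, 0.0 .. 10.0
    attack_vector: str       # "N" network, "A" adjacent, "L" local, "P" physical
    epss: float              # EPSS probability, 0.0 .. 1.0
    in_kev: bool             # listed in the CISA KEV catalog
    vendor_patch_available: bool


def effective_cvss(v: Vuln, a: Asset) -> float:
    """Environmental adjustment: a network-reachable flaw on an asset with no
    network path is downgraded. The flat -3.0 is an assumed rule for this
    example, not the CVSS environmental formula (Modified Attack Vector)."""
    if not a.network_connected and v.attack_vector in ("N", "A"):
        return max(0.0, v.cvss_base - 3.0)
    return v.cvss_base


def priority_score(v: Vuln, a: Asset) -> float:
    """Combine severity (CVSS scaled by asset criticality), exploit likelihood
    (EPSS) and known exploitation (KEV) into one number. Weights are assumed."""
    score = effective_cvss(v, a) * (a.criticality / 5.0)
    score += 3.0 * v.epss
    if v.in_kev:
        score += 3.0
    return round(score, 2)


def triage(v: Vuln, a: Asset, evaluated_on: date) -> dict:
    """Map a score to a patch posture. Anything outside Patch Now needs a dated
    mitigation plan (CIP-007-6 R2 Part 2.3: apply or plan within 35 calendar
    days of completing the evaluation)."""
    score = priority_score(v, a)
    if not v.vendor_patch_available:
        bucket = "Patch Never"   # unsupported/legacy: mitigate, a patch is not coming
    elif score >= 7.0:
        bucket = "Patch Now"
    elif score >= 4.0:
        bucket = "Patch Later"   # next planned outage window
    else:
        bucket = "Patch Never"   # documented risk acceptance
    return {
        "cve": v.cve, "asset": a.name, "score": score, "bucket": bucket,
        "mitigation_plan_required": bucket != "Patch Now",
        "action_due": evaluated_on + timedelta(days=35),
    }


def prioritized_queue(pairs, evaluated_on: date) -> list:
    """Triage every (vuln, asset) pair and order the work queue by score."""
    rows = [triage(v, a, evaluated_on) for v, a in pairs]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory: hypothetical assets and placeholder CVE IDs.
ASSETS = {
    "ems_server": Asset("ems_server", criticality=5, network_connected=True),
    "plc_legacy": Asset("plc_legacy", criticality=4, network_connected=True),
    "lab_hmi": Asset("lab_hmi", criticality=2, network_connected=False),
}
VULNS = {
    "CVE-0000-0001": Vuln("CVE-0000-0001", 9.8, "N", 0.92, True, True),
    "CVE-0000-0002": Vuln("CVE-0000-0002", 7.5, "N", 0.05, False, True),
    "CVE-0000-0003": Vuln("CVE-0000-0003", 8.8, "L", 0.01, False, False),
}


def example_queue() -> list:
    pairs = [
        (VULNS["CVE-0000-0001"], ASSETS["ems_server"]),
        (VULNS["CVE-0000-0002"], ASSETS["ems_server"]),
        (VULNS["CVE-0000-0002"], ASSETS["plc_legacy"]),
        (VULNS["CVE-0000-0002"], ASSETS["lab_hmi"]),     # same CVE, disconnected asset
        (VULNS["CVE-0000-0003"], ASSETS["plc_legacy"]),  # no vendor patch exists
    ]
    return prioritized_queue(pairs, evaluated_on=date(2025, 9, 3))


if __name__ == "__main__":
    for row in example_queue():
        print(f"{row['score']:6.2f}  {row['bucket']:<11}  {row['cve']} on {row['asset']}"
              f"  plan_required={row['mitigation_plan_required']}  due={row['action_due']}")
```

Run it and the same CVE lands in Patch Now on the network-connected EMS server, Patch Later on the legacy PLC, and Patch Never (risk accepted) on the disconnected lab HMI, while the PLC vulnerability with no vendor fix goes straight to Patch Never with a mitigation plan flagged as required. Whatever weights you settle on, keep them in configuration and version them: a reproducible method is what the compliance question above hinges on.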

How can teams ensure reliable audit trails in an ICSS architecture, and are there publicly available statistics on how automation in patch management improves security? 

It ultimately comes down to how well your internal controls are documented, implemented, and maintained. Equally important is having a robust workflow management tool in place to sustain those controls and automate key process steps, ensuring consistency and reliability over time.  

Patch management automation statistics: 

  • 28.3% of CVEs are weaponized within a single day, demonstrating that manual approaches are obsolete. – Cyber Security News 
  • Organizations implementing automated solutions report reducing vulnerabilities by up to 75% while achieving 99.9% security compliance against existing and newly discovered threats. – Cyber Security News 
  • 70% of IT teams spend more than 6 hours per week on security patching, and only 23% of teams are satisfied with their ability to fix vulnerabilities. – Canonical 

TEAM COLLABORATION & STRATEGY 

When patching is handled by third-party OEMs, what level of involvement should asset owners maintain, and how can a centralized approach bridge the gap from asset discovery to patch deployment? 

Foxguard’s Patchintel solution makes a centralized approach to patch management both feasible and manageable. In fact, centralization is one of Patchintel’s primary value propositions. It also optimizes patch team resourcing by consolidating patch sources, including those from third-party OEMs. 

The multiple manual handoffs and human dependencies at each step—from asset discovery to patch validation—are where the most challenging and error-prone disconnects occur. The goal isn’t to replace human interaction in these processes, but to make it more efficient by removing manual, administrative components. Additionally, teams are often siloed, with each group addressing its responsibilities using separate tools and processes of varying maturity. Consolidating toolsets and processes fosters a more centralized and collaborative end-to-end approach. 

For someone with a QA background transitioning into cyber security, which areas within OT/ICS should they focus on first? 

Configuration/Change Management and Asset Management are ideal areas to start with for someone with a QA background. 

THE FOXGUARD PLATFORM 

How does the Foxguard platform validate successful patch deployment, and can it operate in air-gapped environments without internet access? 

Foxguard’s Deploy solution runs a second patch scan after deployment to verify that the patches installed without error. Our vulnerability management platform uses similar mechanisms to confirm whether an application or operating system has been updated, and once it has, the device is no longer listed as vulnerable to the CVEs that patch addresses. Verifying that the software still functions correctly after the patch is applied remains a human step.

Our Patchintel offering uses a Master Asset List (MAL) to generate patch reports without requiring internet connectivity. Additionally, Foxguard’s Cyberwatch and Deploy can both operate without internet connectivity in air-gapped environments. 
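To make the verification step concrete, here is an added Python example of what a post-deployment check has to decide. It is not Foxguard’s Deploy or Cyberwatch code; the scanner output format, product names, versions and placeholder CVE IDs are all constructed for the example. It compares the post-deployment scan against the first fixed version from each advisory, and it deliberately refuses to mark a CVE closed when the product is missing from the post-deployment scan, because a failed scan is not evidence that the patch landed.

```python
"""Post-deployment verification: is a CVE actually closed on this device?

Added illustration, not Foxguard Deploy or Cyberwatch code. It assumes a scanner
that returns {product: installed_version} for a device before and after a patch
run, and an advisory feed that names the first fixed version per product.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    cve: str            # placeholder IDs in the sample below, not real CVEs
    product: str
    fixed_version: str  # first version containing the fix, per the vendor advisory


def parse_version(v: str) -> tuple:
    """Numeric-aware version tuple. Plain string comparison gets this wrong:
    "2.4.9" >= "2.4.10" is True as strings but False as versions."""
    return tuple(int(part) for part in re.findall(r"\d+", v))


def is_fixed(installed: str, fixed: str) -> bool:
    return parse_version(installed) >= parse_version(fixed)


def verify_deployment(pre_scan: dict, post_scan: dict, advisories) -> dict:
    """Return {cve: status} for one device.

    fixed             post-scan version is at or above the fixed version
    still_vulnerable  post-scan version is still below it (install failed or rolled back)
    unverified        product seen before the run but missing from the post-scan:
                      no evidence, so the finding is not closed
    not_affected      product absent, or already at/above the fixed version beforehand
    """
    results = {}
    for adv in advisories:
        before = pre_scan.get(adv.product)
        if before is None or is_fixed(before, adv.fixed_version):
            results[adv.cve] = "not_affected"
            continue
        after = post_scan.get(adv.product)
        if after is None:
            results[adv.cve] = "unverified"
        elif is_fixed(after, adv.fixed_version):
            results[adv.cve] = "fixed"
        else:
            results[adv.cve] = "still_vulnerable"
    return results


def open_findings(results: dict) -> set:
    """CVEs that must stay on the device's vulnerability list. Functional
    testing of a 'fixed' patch is still a separate human step."""
    return {cve for cve, status in results.items()
            if status not in ("fixed", "not_affected")}


# Constructed scan output for one HMI; product names and versions are made up.
PRE_SCAN = {"hmi-runtime": "2.4.9", "opc-server": "3.1.0", "vendor-agent": "1.0.2"}
POST_SCAN = {"hmi-runtime": "2.4.12", "opc-server": "3.1.0"}  # agent not readable after reboot
ADVISORIES = [
    Advisory("CVE-0000-0101", "hmi-runtime", "2.4.10"),
    Advisory("CVE-0000-0102", "opc-server", "3.2.0"),
    Advisory("CVE-0000-0103", "vendor-agent", "1.0.3"),
    Advisory("CVE-0000-0104", "opc-server", "3.0.5"),
    Advisory("CVE-0000-0105", "historian", "9.0.1"),   # product not installed here
]


def example_results() -> dict:
    return verify_deployment(PRE_SCAN, POST_SCAN, ADVISORIES)


if __name__ == "__main__":
    res = example_results()
    for cve, status in res.items():
        print(f"{cve}: {status}")
    print("still open on device:", sorted(open_findings(res)))
```

The version parser is numeric-aware on purpose: a plain string comparison ranks 2.4.9 above 2.4.10 and will close findings that are still open. Pre-release suffixes (rc, beta) are not modelled here; compare them the way the vendor’s versioning scheme defines, not by guessing.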

We hope this Q&A offers useful insights for strengthening your patch management and NERC CIP compliance strategies. If you have additional questions or would like to learn how Foxguard’s solutions can help your organization address these challenges, contact us for a demo or explore the resources on our website.
