The Patch and Update Management Program will simplify the process of understanding what patches are available for energy delivery industrial control system devices for both end users and equipment vendors. The program will also help utilities more easily adhere to NERC CIP requirements around patching, ultimately leading to a safer grid.

This program will research, develop and demonstrate technology and techniques needed to identify and verify the integrity of patches and updates for energy delivery industrial control system software, hardware and firmware. The project is comprised of four elements which can each stand alone to improve security posture, but when integrated together provide a more comprehensive solution meeting the patch and update needs of the energy industry.

Program Mission:

Our mission is to create a safer grid by simplifying the process of patching and updating energy delivery industrial control system devices.

Elements Include:

Patch & Update Data Aggregator/Web Portal

   >   Provides users a with single location to find information about patches and updates
        applicable to energy delivery industrial control system devices

   >   The portal serves as a repository for Hash Authentication information, patch discovery
        evidence and device End of Support (EOS) documentation

Patch & Update Authentication

   >   Our aggregated Hash Files from vendors provide users a central location to help verify
        the integrity of downloaded patches and updates prior to deployment

   >   The Hash Authentication Tool allows customers receiving aggregated patch data via
        customized reports to authenticate that reports have not been compromised

Validation Techniques

   >   Provides users with proven methodologies to validate patches and updates before deployment

   >   Users may self-perform, set up their own validation lab, contract validation services or take a
        combined approach

Query Engine

   >   The Query Engine will support multiple device types and across various energy delivery ICS vendors

   >   Enables users to query IT and OT equipment to determine relevant baseline information such as
        Make, Model, Firmware Version and Serial Number – this information is critical for accurate
        patch discovery

   >   The Query Engine will offer an easy to use user interface supporting a Patch Gap Analysis
        Dashboard simplifying the process of determining your current patch status and gaps