http://dx.doi.org/10.13089/JKIISC.2020.30.6.1141

A Empirical Study on the Patch Impact Assessment Method for Industrial Control Network Security Compliance  

Choi, Inji (KEPCO Research Institute)
Abstract
Most industrial control networks are independent closed networks that are operated for a long time after installation, so the OS is not updated; as a result, security threats increase and security vulnerabilities exist. Defending against zero-day attacks requires applying the latest patch, but a large-scale industrial network handles physical devices directly and therefore demands a higher level of real-time, non-disruptive operation, so a step-by-step approach is required to apply patches to a live system. To solve this problem, a utility-specific patch impact assessment is required for reliable patch application. In this paper, we propose a method to test and safely install a patch using a regression analysis technique, and we show the proven results. As the patch impact evaluation methodology, the maximum allowance for determining the safety of a patch was derived by classifying test types based on system-specific functions, performance, and behavior before and after applying the patch. Finally, we report the results of case studies applied directly to industrial control networks, in which the OS patch was updated while ensuring 99.99% availability.
Keywords
Security Compliance; Industrial Control System; Patch Impact Assessment; Patch Deployment