SmartPatch: A patch prioritization framework for SCADA chain in Smart grid & PatchRank: Ordering updates for SCADA systems
This paper is about modeling vulnerability patch prioritization in complex and interdependent systems such as Operational Technology or Industrial Control Systems (ICSs). In these environments, patching is often neither automated nor cost-effective, demanding large manual administrative efforts in a timely manner with as little system downtime as possible. The impact or risk of a vulnerability can depend on the network characteristics, the context that defines the vulnerability, and the circumstances that led to it. Moreover, not all vulnerabilities are exploited by attackers, and not all vulnerabilities can be patched, because the resources available to patch every vulnerability in ICSs, such as people, infrastructure, tools and time, are constrained. ICSs such as SCADA also have strict system uptime and availability requirements. These constraints place significant importance on the patching sequence of networks and devices, which needs to be strategic and efficient.

In this direction, we present SmartPatch, a three-step, systematic patch prioritization method to address patch sequencing in an interdependent and complex network. It is a seamless integration of system modeling, risk management and game theory. SmartPatch utilizes prior knowledge, learnings and experiences about the system dynamics and identifies an efficient and effective defensive strategy. The framework’s output is a patch prioritization strategy that is cost-constrained and reduces the impact of the possible attacks to a large extent. We propose a security metric called the “Residual Impact Score” (RIS) to analyze the impact of all discovered vulnerabilities on the system. We validate the applicability of SmartPatch by considering the case study of an interdependent, complex SCADA chain in the smart grid system using the IEEE 5-Bus system. Our comparative analysis of the proposed approach with state-of-the-art approaches demonstrates that SmartPatch reduces RIS at a faster rate, i.e., after each iteration, the RIS value for SmartPatch is the least.