Wand Waving - Patch Gap Analysis for Energy Utility
- Feb 23, 2018 10:05 pm GMT
- 626 views
Source: Chris Thomas, Software Engineering Manager, FoxGuard Solutions
Arthur C Clarke once wrote that “any sufficiently advanced technology is indistinguishable from magic.” I suppose software engineering should take it as a compliment that the latest in Patch Gap technology for the energy utility is being spoken of in such terms, but it nonetheless pains me to see the technical details glossed over like that. If we’re to be doing any “wand waving,” someone should at least put on a robe and wizard hat and explain what’s going on.
Utilities are in various stages of implementing a patch management program that meets the NERC CIP-007 R2.1 standard for tracking, evaluating, and installing cyber security patches for IT and OT equipment on a 35 day schedule. Many utilities are relying on labor-intensive manually updated databases and spreadsheets to manage asset information and current patch levels. These methods can result in inconsistencies and errors.
Enter the “magic” of Patch Gap analysis which is broken down into two parts. The first, which we’ll call “Asset Identification” gathers information on tracked assets using safe, non-destructive scripts. This isn’t a broad-based scan of a network – carelessness like that can knock older, more sensitive systems off line – but a polite and intelligent identification of system state.
The results of the asset identification are encrypted and paired up with the vast catalog of patches and assets which are tracked as part of a Patch Availability Report. This listing of “Available” patches forms the basis of the analysis yet to come.
The real magic of Patch Gap is in the relationships between patches. You can think of the patches like the limbs, branches, twigs, and trunks (yes, trunks – plural) of a mangrove tree. There might be more than one path from the leaf on the top of the tree to the ground and, when the tree grows a little, the path from the new-tallest-leaf to the ground might be very similar or very different.
Storing that kind of data in traditional database or – perish the thought – a spreadsheet, is essentially impossible so the ideal is to use a graph database to model it. You’re probably more familiar with that technology than you think; it’s the same kind of database that underpins social networking sites like Facebook and LinkedIn.
And just as LinkedIn can help you find the shortest path of contacts between yourself and Edward Snowden, Patch Gap can find the shortest path of patches between the current state of a system and its secure state. The path, if you will, to the top of the mangrove tree.
There is, of course, a bit more to it than that. There’s encryption, data transmission, anonymization, asset analysis, patch mining, patch identification, the problem of bi-temporal data, and a host of others besides.
But a magician never tells the audience exactly how the trick is done.