SI-2: FLAW REMEDIATION

TAILORED FOR INDUSTRIAL CONTROL SYSTEMS

The organization:

    • a. Identifies, reports, and corrects information system flaws;
    • b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
    • c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
    • d. Incorporates flaw remediation into the organizational configuration management process.

SUPPLEMENTAL GUIDANCE

Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider, in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.
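As an added illustration of the last point (example code written for this page, not taken from NIST SP 800-53, SP 800-82 or any vendor), the following Go program shows the check an update-ingestion step can perform before any testing or installation: the vendor's signed manifest must verify against a public key the organization already holds, and the update payload must hash to the digest recorded in that manifest. The manifest layout, the ed25519 key pair standing in for the vendor's signing key, and the payload bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the record a vendor publishes alongside an update and signs:
// the version the update installs and the SHA-256 digest of the payload.
// The layout is an assumption made for this example, not a real vendor format.
type Manifest struct {
	Version string
	SHA256  string // lowercase hex digest of the update payload
}

// Encode returns the canonical bytes over which the vendor signature is computed.
func (m Manifest) Encode() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the authorized vendor key")
	ErrDigestMismatch = errors.New("update payload digest does not match the signed manifest")
)

// VerifyUpdate is the gate in front of testing and installation: the manifest
// must be signed by the pinned vendor key, and the payload must hash to the
// digest the manifest carries. Any failure means the update is not from an
// authorized source (or was altered in transit) and is reported, not installed.
func VerifyUpdate(vendorKey ed25519.PublicKey, m Manifest, sig []byte, payload []byte) error {
	// Signature first: an unsigned or wrongly signed manifest is untrusted,
	// so the digest it carries says nothing about the payload.
	if !ed25519.Verify(vendorKey, m.Encode(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed example: a fresh key pair stands in for the vendor's signing key.
	// In a real deployment only the public key is held, pinned in configuration.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware image, version 2.1.4")
	sum := sha256.Sum256(payload)
	m := Manifest{Version: "2.1.4", SHA256: hex.EncodeToString(sum[:])}
	sig := ed25519.Sign(vendorPriv, m.Encode())

	fmt.Println("genuine update:     ", VerifyUpdate(vendorPub, m, sig, payload))
	fmt.Println("tampered payload:   ", VerifyUpdate(vendorPub, m, sig, []byte("altered image")))

	// The same manifest signed by a key other than the authorized vendor's.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("unauthorized signer:", VerifyUpdate(vendorPub, m, ed25519.Sign(otherPriv, m.Encode()), payload))
}
```

The vendor public key has to be pinned in the organization's own configuration or delivered over a separate trusted channel, never fetched from the same location as the update: an adversary who can substitute the update can otherwise substitute the key as well. A verification failure is a reportable event under SI-2 a. and stops the update before the testing required by SI-2 b.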

ICS SUPPLEMENTAL GUIDANCE

Flaw remediation is complicated since many ICS employ operating systems and other software that is not current, is no longer being maintained by the vendors, and is not resistant to current threats. ICS operators are often dependent on product vendors to validate the operability of a patch and also sometimes to perform the installation. Often flaws cannot be remediated based on circumstances outside of the ICS operator's control (e.g., lack of a vendor patch). Sometimes the organization has no choice but to accept additional risk. In these situations, compensating controls should be implemented (e.g., limit the exposure of the vulnerable system). Other compensating controls that do not decrease the residual risk but increase the ability to respond may be desirable (e.g., provide a timely response in case of an incident; devise a plan to ensure the ICS can identify the exploitation of the flaw). Testing flaw remediation in an ICS may require more resources than the organization can commit.

CONTROL ENHANCEMENTS

SI-2 (1) FLAW REMEDIATION | CENTRAL MANAGEMENT
  • ICS Control Baseline:
  • High

The organization centrally manages the flaw remediation process.

Supplemental Guidance:

Central management is the organization-wide management and implementation of flaw remediation processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls.

No ICS Supplemental Guidance.

SI-2 (2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS
  • ICS Control Baselines:
  • Moderate
  • High

The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.

No Supplemental Guidance.

ICS Supplemental Guidance:

In situations where the ICS cannot support the use of automated mechanisms to conduct and report on the status of flaw remediation, the organization employs non-automated mechanisms or procedures which incorporate methods to apply, track, and verify mitigation efforts as compensating controls in accordance with the general tailoring guidance.

RELATED CONTROLS: SI-2 (2)

SI-2 (3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS

NOT SELECTED FOR THE NIST ICS CONTROL SET

The organization:

    • (a) Measures the time between flaw identification and flaw remediation; and
    • (b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.

Supplemental Guidance:

This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited.
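The following Go program is an added example for this page (not part of NIST SP 800-53 or SP 800-82) of what the automated status determination in SI-2 (2) and the time-to-remediate measurement in SI-2 (3) amount to in code: each inventoried component is matched against the announced flaws for its product and classified as remediated, vulnerable, or without a vendor fix (the ICS case above, where the organization accepts the risk and applies compensating controls), and the days a flaw has been open are compared against a per-severity benchmark. The inventory, the advisory identifiers, the product names, the benchmark values and the dotted numeric version scheme are all constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// benchmarkDays is the organization-defined maximum number of days between
// identifying a flaw and correcting it, by severity. Values are assumptions.
var benchmarkDays = map[string]int{"critical": 15, "high": 30, "medium": 90, "low": 180}

// Component is one installed software or firmware item from the asset inventory.
type Component struct {
	Host, Product, Version string
}

// Advisory is one announced flaw identified as affecting a product the
// organization runs. FixedVersion == "" records that the vendor has published
// no fix: the organization can only accept the risk and compensate.
type Advisory struct {
	ID, Product, FixedVersion, Severity string
	Identified                          time.Time
}

// Status is the determined remediation state of one component for one advisory.
type Status struct {
	Host, Product, Advisory, State string // State: remediated | vulnerable | no-vendor-fix
	DaysOpen                       int
	OverBenchmark                  bool
}

// compareVersions orders dotted numeric versions ("4.10.1" sorts after "4.9").
// Non-numeric segments count as 0; vendors with other schemes need their own rule.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		switch {
		case x < y:
			return -1
		case x > y:
			return 1
		}
	}
	return 0
}

// RemediationStatus is the SI-2 (2) determination: every inventoried component
// is matched against the advisories for its product and classified.
func RemediationStatus(inv []Component, advs []Advisory, now time.Time) []Status {
	var out []Status
	for _, c := range inv {
		for _, a := range advs {
			if a.Product != c.Product {
				continue
			}
			s := Status{Host: c.Host, Product: c.Product, Advisory: a.ID}
			switch {
			case a.FixedVersion == "":
				s.State = "no-vendor-fix"
			case compareVersions(c.Version, a.FixedVersion) >= 0:
				s.State = "remediated"
			default:
				s.State = "vulnerable"
			}
			if s.State != "remediated" {
				s.DaysOpen = int(now.Sub(a.Identified).Hours() / 24)
				// Only a flaw with an available fix can miss the patching benchmark;
				// a no-vendor-fix flaw is tracked as an accepted risk instead.
				s.OverBenchmark = s.State == "vulnerable" && s.DaysOpen > benchmarkDays[a.Severity]
			}
			out = append(out, s)
		}
	}
	return out
}

// TimeToRemediate is the SI-2 (3) measurement for a corrected flaw: the days
// between identification and remediation, and whether that met the benchmark.
func TimeToRemediate(identified, remediated time.Time, severity string) (days int, withinBenchmark bool) {
	days = int(remediated.Sub(identified).Hours() / 24)
	return days, days <= benchmarkDays[severity]
}

func main() {
	// Constructed inventory and advisories; hosts, products and IDs are invented.
	now := time.Date(2024, 4, 15, 0, 0, 0, 0, time.UTC)
	inv := []Component{{"hmi-01", "AcmeHMI", "4.2.0"}, {"plc-07", "AcmePLCFirmware", "1.3"}, {"eng-ws-02", "AcmeHMI", "4.3.1"}}
	advs := []Advisory{
		{"ADV-EXAMPLE-1", "AcmeHMI", "4.3.0", "high", time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)},
		{"ADV-EXAMPLE-2", "AcmePLCFirmware", "", "critical", time.Date(2024, 2, 15, 0, 0, 0, 0, time.UTC)},
	}
	for _, s := range RemediationStatus(inv, advs, now) {
		fmt.Printf("%-10s %-16s %-14s %-14s open=%3dd over_benchmark=%v\n", s.Host, s.Product, s.Advisory, s.State, s.DaysOpen, s.OverBenchmark)
	}
	d, ok := TimeToRemediate(advs[0].Identified, time.Date(2024, 3, 20, 0, 0, 0, 0, time.UTC), "high")
	fmt.Printf("ADV-EXAMPLE-1 on a patched host: %d days, within benchmark=%v\n", d, ok)
}
```

Where the ICS cannot be queried automatically, the same classification can be driven from a manually maintained inventory, which is the non-automated procedure the ICS supplemental guidance for SI-2 (2) allows; the no-vendor-fix rows are the ones that need a recorded compensating control rather than a patch date.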

SI-2 (4) FLAW REMEDIATION | AUTOMATED PATCH MANAGEMENT TOOLS

[Withdrawn: Incorporated into SI-2]. (See above.)

SI-2 (5) FLAW REMEDIATION | AUTOMATIC SOFTWARE/FIRMWARE UPDATES

NOT SELECTED FOR THE NIST ICS CONTROL SET

The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].

Supplemental Guidance:

Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Organizations must balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and with any mission or operational impacts that automatic updates might impose.

SI-2 (6) FLAW REMEDIATION | REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE / FIRMWARE

NOT SELECTED FOR THE NIST ICS CONTROL SET

The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed.

Supplemental Guidance:

Previous versions of software and/or firmware components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software and/or firmware automatically from the information system.

REFERENCES:

  • NIST Special Publication 800-128
  • NIST Special Publication 800-40