Patch management

Modern software, firmware, and operating systems consist of many millions of lines of code, so it is easy to make mistakes and introduce bugs. New bugs in all kinds of applications are found daily and need to be fixed with updates and patches. Keeping regular IT systems and applications up to date with the latest firmware, software, and patch levels is already a daunting task, but things get even more complicated on an ICS network, especially down in the industrial zone.

Uptime requirements for critical ICS computer systems often don't allow them to reboot after updates, if updates are allowed to be installed at all. For critical systems that are not allowed to be altered, a different approach to protecting them might be better. Such systems are prime candidates for an application whitelisting solution. We saw one example of a whitelisting solution, Microsoft's AppLocker, in the previous section, and in an upcoming section we will discuss and implement a more well-rounded solution, Symantec Critical System Protection.

For systems and devices that can be updated and patched, such as many systems in the Level 3 site operations zone, a readily available, up-to-date, and convenient patching solution should be provided. Microsoft offers two varieties of update services: Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM). WSUS comes bundled with a Windows Server operating system, such as the Windows Server 2016 Standard edition, and is mostly aimed at operating system patching and updating. SCCM is a Microsoft systems management product that comes at an additional cost and allows you to manage large groups of computers running Windows, Linux/Unix, Macintosh, and a variety of mobile OSes. It can, among many other things, provide patches and updates for operating systems and applications. The additional cost for an SCCM license is well worth the many features it brings to the table.

In the following exercise, we will look at how to set up a WSUS server to provide updates through the IDMZ. The WSUS service will be hosted on a Windows Server in the IDMZ, staging updates pulled from Microsoft's update servers. Updates can also be pulled from an existing enterprise WSUS or SCCM system that optionally has patch validation procedures assigned to it. Patch validation procedures involve testing newly released patches and updates in a development or test environment before deploying them on production systems.
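
Once the IDMZ WSUS server is in place, each patchable host should take its updates from it rather than from Microsoft directly. The following PowerShell check is an added example, not part of the book's exercise; the server URL `http://wsus.idmz.example:8530` and the function names are assumptions chosen for illustration (8530 is the default WSUS HTTP port).

```powershell
# Added example: audit whether a host's Windows Update policy points at the IDMZ WSUS server.
# The URL below is a placeholder (assumption); replace it with your own IDMZ WSUS address.
$ExpectedWsus = 'http://wsus.idmz.example:8530'
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Read the values Group Policy writes for a WSUS-managed client.
    # Missing keys or values simply come back as $null.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

function Test-WsusClientPolicy {
    # Hypothetical helper: compares a policy object against the expected WSUS URL.
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $Expected
    )
    $findings = @()
    # WUServer is only honored when AU\UseWUServer is 1.
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client ignores WUServer and uses Microsoft Update directly'
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = [string]$Policy.$name
        if ($value.TrimEnd('/') -ne $Expected.TrimEnd('/')) {
            $findings += "$name is '$value', expected '$Expected'"
        }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: WUStatusServer was never set, so the check reports one finding.
$sample = [pscustomobject]@{
    WUServer       = 'http://wsus.idmz.example:8530'
    WUStatusServer = $null
    UseWUServer    = 1
}
Test-WsusClientPolicy -Policy $sample -Expected $ExpectedWsus | Format-List

# On a real host, audit the live registry policy instead:
Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -Expected $ExpectedWsus | Format-List
```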
