
Overview

Introducing Patch Validation programs for power generators

For operators and owners of power generation systems, maintaining compliance and guarding against evolving cyber security threats represent critical, continuous imperatives. So it’s vital to quickly apply patches and fixes when vulnerabilities are identified. However, for resource-constrained operations teams, these patch validation, testing, and deployment efforts can present a number of challenges:

  • Risk. Patches can address vulnerabilities, but they can also introduce performance and availability issues when they are deployed in production environments—jeopardizing critical power systems and services.
  • Complexity. Staying on top of vulnerabilities and available patches can be difficult. For internal teams, it can be hard to verify which vulnerabilities affect specific environments and how interdependent systems may be affected.
  • Administrative overhead. Applying patches can be very labor intensive. Teams need to dedicate significant time and effort to stay abreast of vulnerabilities and patches; download, install, and test patches; and deploy new code into production.

Testing and validation

As part of the program, GE will test and validate antivirus (AV) and host intrusion detection (HID) signature updates as well as operating system (OS) patches. First, we’ll verify whether these new releases apply to your environment, and based on that, we’ll establish a list of candidates for testing. GE’s staff then test applicable updates in controlled, representative lab environments that offer safeguards against intrusion and tampering. Through this testing, we determine whether updates adversely affect the functional operation of the control system, related interfaces, or system communications. Based on our findings, we can exclude any updates that may introduce performance or availability issues. If a given patch is excluded, we provide documentation to support this exclusion.

Patch packaging and delivery

Once patches have been tested and validated, we make them available to customers via a secure web portal. We provide cumulative updates so that your organization can stay completely up to date with the latest releases, even if an earlier update wasn’t applied. By delivering these complete, scripted packages, we make it easy for your team to incorporate updates into your transfer and change management processes.

Host-based and central, network-based deployment options

The Patch Validation program is available as a stand-alone offering. Through the program, we deliver scripted files that automate the deployment of patches and antivirus updates. In addition, your organization can deploy these patches using Baseline Security Center. Baseline Security Center brings centralized management to the deployment process, reducing the need to run patch deployment tools locally on each system being patched. By harnessing these combined offerings, your team can enjoy even greater speed and efficiency gains.
