Patch management is a critical aspect of ensuring the security of any organization that is responsible for managing critical infrastructure.

This is particularly true for energy utilities, which are often the target of cyber threats. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard CIP-007 mandates strict patch management practices in order to adequately prepare these utilities to defend against the increasingly volatile cyber threats that they face in today's digital landscape. In summary, there are four different CIP requirements that will be discussed in this white paper: 

  • CIP-007-6 R2.1: Utilities must have a source to demonstrate patch management practices for auditors.
  • CIP-007-6 R2.2 and R2.3: Utilities must discover any patches that have come available within 35-days of availability and then install those patches within the next 35-days following discovery.
  • CIP-010-4 R1.6: Before installing, the authenticity of patches and other software must be verified.
  • CIP-010-4 R1.6: In addition, the integrity of patches and software must be evaluated to make sure no risks are introduced into the organization’s assets.