Fall 2024 | Edition 30
Cybersecurity Essentials: Patch Management
BY ALLEN SCHMITZ, MANAGER, IT, AND KYLE KURTH, IT CONSULTANT
DEFINITION: "Patches" are software and operating system updates intended to modify an existing software resource such as a program or a file, often to fix bugs and security vulnerabilities. A patch may also be created to improve functionality, usability, and performance.
WHAT IS PATCH MANAGEMENT AND WHY IS IT IMPORTANT TO CYBERSECURITY?
Patch management (PM) systematically catalogs and inventories all software, operating systems, and applications on devices, ensuring they are up to date with the latest patches and versions from the manufacturer. It also helps report on the system’s overall state.
Using PM to keep systems current is crucial, as it organizes the process to protect against vulnerabilities in applications and hardware that attackers could exploit. It prevents unauthorized access, system failures, disruptions, information leaks, and malicious programs, securing efficient operations.
WHAT ARE THE DIFFERENT TYPES OF PATCHES?
There are two main types of patches: functional and security. Functional patches fix non-critical issues, such as non-working buttons or inaccurate documentation, or add new features. Security patches address vulnerabilities that could lead to information leaks or unauthorized access, potentially allowing the execution of malicious programs.
HOW DO YOU KNOW WHEN A NEW PATCH IS AVAILABLE?
Most software and hardware vendors announce patch availability via mailing lists and press releases, with some aggregators publishing multiple vendor patch details in one place. Patches often follow a vendor's vulnerability notification. A more efficient approach is to use an automated PM tool, which automatically scans repositories for updates and imports them as they become available.
HOW DO YOU DEPLOY PATCHES ACROSS AN ORGANIZATION’S NETWORK?
This is where a PM solution is key. The tool maintains a list of endpoints (computers, tablets, servers, storage systems, networking, routing, and switching), patches applied, and patches needed, and can be customized to install patches as they become available or on a more rigid schedule. Critical patches are generally set to auto-deploy, while less urgent patches are set to certain days of the week or when it is convenient to reboot/restart the device. However, some systems may require a more nuanced approach.
ARE PATCHES TESTED INTERNALLY BEFORE DEPLOYING?
Generally, no. Before a patch is released by the vendor, it has been tested thoroughly against many scenarios. However, if the system is “fickle,” or patch documentation calls out a scenario to watch for, a test may be necessary. If a patch doesn’t work or creates system issues, most patches can be reverted, or in worst-case scenarios, systems can be restored from a backup.
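An added example, not taken from the article or from any particular PM product: a minimal Python sketch of the inventory-and-policy logic described in the two answers above (endpoint list, patches applied versus needed, critical patches auto-deployed, other patches held for a maintenance day, and "fickle" systems routed to a test first). The patch IDs, endpoint names and Saturday window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data: patch IDs, endpoint names and the weekly window are
# assumptions for illustration, not values from the article or a real tool.
CATALOG = {"PATCH-001": "critical", "PATCH-002": "functional", "PATCH-003": "critical"}
MAINTENANCE_WEEKDAY = 5  # Saturday (Monday == 0): assumed reboot-friendly day

@dataclass
class Endpoint:
    name: str
    applied: set = field(default_factory=set)
    test_first: bool = False  # "fickle" system: test before rollout

def next_window(today):
    """First maintenance day on or after today."""
    return today + timedelta(days=(MAINTENANCE_WEEKDAY - today.weekday()) % 7)

def plan(endpoints, catalog, today):
    """Return {endpoint name: [(patch, action, date)]} for every missing patch."""
    schedule = {}
    for ep in endpoints:
        rows = []
        for patch in sorted(set(catalog) - ep.applied):  # patches still needed
            if ep.test_first:
                rows.append((patch, "test-then-deploy", None))
            elif catalog[patch] == "critical":
                rows.append((patch, "auto-deploy", today))
            else:
                rows.append((patch, "scheduled", next_window(today)))
        schedule[ep.name] = rows
    return schedule

def compliance(endpoints, catalog):
    """Percentage of endpoints with no missing patches."""
    ok = sum(1 for ep in endpoints if set(catalog) <= ep.applied)
    return round(100 * ok / len(endpoints), 1) if endpoints else 100.0

FLEET = [
    Endpoint("office-pc-01", {"PATCH-001", "PATCH-002", "PATCH-003"}),
    Endpoint("file-server-01", {"PATCH-001"}),
    Endpoint("legacy-app-01", {"PATCH-001", "PATCH-002"}, test_first=True),
]

if __name__ == "__main__":
    for name, rows in plan(FLEET, CATALOG, date(2024, 10, 1)).items():
        print(name, rows or "up to date")
    print("compliant:", compliance(FLEET, CATALOG), "%")
```

The compliance figure is the kind of "overall state" report the article attributes to PM tooling; an empty row list means the endpoint is fully patched.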
WHAT ARE SOME LIMITATIONS OF PATCH MANAGEMENT?
PM never stops. Updates are released for one or more of the thousands of devices and software we use daily. Even the tools IT uses to apply the patches get patches! In addition, PM can also create interruptions in workflow for the end user by requiring a reboot of their endpoint devices or servers. However, those small inconveniences are easier to tolerate than a system that is down or compromised.
PATCH MANAGEMENT BEST PRACTICES
Update & Restart Frequently: Regularly apply patches, especially critical ones, and restart devices to fully implement updates.
Automate Patch Deployment: Use automated tools to schedule and deploy patches, with critical ones set to auto-deploy.
Organize Your Process: Maintain a structured process for tracking patches, ensuring deployment and reducing risk.
Stay Informed on New Patches: Subscribe to vendor updates and use patch management software to stay aware of new patches.
ABOUT THE AUTHORS
"Since 2007, Allen Schmitz has been the foundation of STAR's IT team, with over 35 years of experience in the field. While new to STAR, Kyle Kurth adds more than 15 years of experience as a former System Administrator. In this article, they combine their knowledge to discuss the critical role of patch management and why your utility should prioritize it to ensure systems remain secure and up to date." –Lois Croonquist
ENGINEERING CORNER
Frequency of Engineering Studies: Quick Reference Guide
BY MCKADE KLEINKNECHT, SUPERVISORY ELECTRICAL ENGINEER
Engineering studies are necessary for maintaining a reliable and up-to-date utility, but knowing when to conduct each study can be challenging. Our quick reference guide below provides an ideal timeline for conducting major engineering studies, allowing you to plan your budget and schedule accordingly to keep your operations running smoothly.
Engineering Model (1 Year/Annually)
A key tool for engineering decisions and must be accurate for major engineering studies
Construction Work Plan (CWP) (4 Years/May Be More or Less)
Operations and finance must coordinate
Arc Flash Study (5 Years)
Reviews are also required when adding a new substation or changing a substation transformer
Spill Prevention, Control, and Countermeasure Plan (SPCC) (5 Years)
Reviews are also required when adding a new substation or changing a substation transformer
Sectionalizing Study (10 Years)
It's recommended to review 2-5 substations each year or upon a new or modified substation change
Long-Range Plan (15 Years)
It's recommended to conduct this plan the year before a Construction Work Plan
Contingency Study (Backfeed Plan) (As Needed)
It's beneficial to review this study/plan at the same time as a Sectionalizing Study
Message from the CEO
BY: LOIS CROONQUIST, CEO
REMEMBER TO SCHEDULE YOUR 2025 INSPECTIONS
As your utility starts planning budgets and projects for 2025, inspecting physical assets and infrastructure becomes a critical component of your annual strategy. These projects are imperative for maintaining cost-effective operations and ensuring a systematic approach to keeping the lights on. Karl Nietfeld, our Manager of Field Services, is already preparing the 2025 inspection and line design schedules. Whether it's pole or cabinet inspections, electrical or fiber staking, line patrol, line clearance analysis, or data collection, our Field Services experts are here to support you in managing your upcoming projects.