PatchRank: Ordering updates for SCADA systems

Securing SCADA is a challenging task for the research community as well as the industry. SCADA networks form the basis of industrial productivity. Industry 4.0 is likely to see more expansive use of SCADA & IIoT for enhanced productivity. These complex systems consist of numerous vulnerable subsystems. It is challenging for the timely application of patches to all the vulnerabilities, due to resource constraints and the high cost of the patch process. Usually, the more severe (attack probable) weaknesses are patched first to secure the system. Often organizations ignore the vulnerabilities in the "critical" node in favor of securing a vulnerability in an isolated subsystem. Therefore, the sequence in which patches are applied needs to be prioritized. State of the art indicates that patch prioritization is primarily an art rather than any significant methodology being followed. This paper proposes PatchRank - a patch prioritization method for the SCADA systems based on Viable System Model, Common Vulnerability Scoring System, and Game theory. PatchRank provides a ranking of vulnerable nodes/ subsystems as well as a ranking of subsystem vulnerabilities, thereby allowing well-formed strategies for patch management. This paper also proposes a "Usable Secure State" to define a security assurance level. A comparative analysis of PatchRank with other benchmark algorithms, i.e., SecureRank, CVSS, and density based prioritization shows that PatchRank converges to a usable secure state faster.