? 2021 Elsevier B.V.This paper is about modeling vulnerability patch prioritization in complex and interdependent systems such as the operational technology or Industrial Control Systems (ICSs). In these environments, often patching is neither automated nor cost-effective, demanding large manual administrative efforts in a timely manner with as much less system downtime as possible. The impact or risk of a vulnerability could depend on the network characteristics, context that defines the vulnerability and circumstances that led to it. Moreover, not all vulnerabilities are always exploited by the attackers; and not all vulnerabilities can be patched due to the resource constraints such as people, infrastructure, tools and time available to patch every vulnerability. Also, ICSs such as SCADA have strict requirements of system uptime and availability. These constraints place significant importance on the patch prioritization of networks and devices, which needs to be strategic and efficient. Addressing this challenge in the prioritization of patches in ICSs, we present SmartPatch a three-step, systematic patch prioritization method to address patch sequencing in an interdependent and complex network. SmartPatch is a seamless integration of system modeling, risk management and game theory. SmartPatch utilizes prior knowledge, learnings and experiences about the system dynamics and identifies an efficient and effective defensive strategy. The framework's output is a patch prioritization strategy that is cost-constrained and reduces the impact of the possible attacks to a large extent. We propose a security metric called the “Residual Impact Score” (RIS) to analyze the impact of all discovered vulnerabilities on the system. We validate the applicability of SmartPatch by considering the case study of an interdependent, complex SCADA chain in the smart grid system using the IEEE 5-Bus system. Our comparative analysis of the proposed approach with state-of-the-art approaches demonstrates that SmartPatch reduces RIS by a faster rate i.e. after each iteration, the RIS value for SmartPatch is the least.
NSTL
Elsevier
