MANAGING CONFLICTS IN VULNERABILITY AND PATCH MANAGEMENT FOR IT AND OT

Abstract

All organisations need to manage vulnerabilities and a keyway to do that is to patch their assets. However, for critical infrastructure organisations that have Information Technology (IT) and Operational Technology (OT) devices and a strong focus on both safety and security ensuring those controls are implemented can be difficult. This paper will analysis the requirements of patching and vulnerability management and establish conflicts that can occur for IT and OT. A process to manage these conflicts will be created, including calculations to establish vulnerability and patch ratings. A case study will be used to show the controls being implemented.  The paper concluded that conflicts and issues can be resolved and provided methods to resolve them. Often the conflicts are related to if a control goes wrong rather than a control that is implemented correctly causing a conflict.  The process created will allow critical infrastructure organisations to implement the required controls without impacting safety and security.