Implements structured patch management for OT/ICS systems with risk-based prioritization, vendor compatibility testing, staged deployment, maintenance windows, rollbacks, and compensating controls for unpatchable assets.
- 首次建立正式的OT补丁管理程序
Implements structured patch management for OT/ICS environments, covering vendor testing, risk-based prioritization, staged deployments, maintenance coordination, rollbacks, and compensating controls.
Implements patch management program for OT/ICS systems, covering risk prioritization, vendor compatibility testing, staged deployment, maintenance windows, rollback procedures, and compensating controls.
Guides implementing patch management workflows to identify, test, deploy, and verify software updates using WSUS, SCCM, Ansible for IT vulnerability remediation.
不适用于无OT考虑因素的纯IT补丁管理、活跃网络事件期间的紧急打补丁(参见performing-ot-incident-response),或更改PLC功能的固件升级(需要单独的变更管理)。
定义适用于OT环境的补丁管理生命周期,在该环境中可用性和安全性优先于即时漏洞修复。
#!/usr/bin/env python3
"""OT补丁管理程序管理器。
跟踪OT系统补丁,管理基于风险的优先级排序,
协调测试和部署,并记录无法打补丁系统的
补偿控制措施。
"""
import json
import sys
from collections import defaultdict
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta
from enum import Enum
class PatchStatus(str, Enum):
    """Lifecycle states of a tracked OT patch.

    The ``str`` mix-in makes a member compare and hash equal to its plain
    value, so a status loaded from JSON (``"deferred"``) and the member
    (``PatchStatus.DEFERRED``) behave the same in comparisons and as dict
    keys.  Note that on Python 3.11+ formatting a member with ``str()`` or
    an f-string yields ``PatchStatus.DEFERRED`` rather than the value.
    """
    IDENTIFIED = "identified"          # registered; CIP-007 evaluation clock is running
    EVALUATING = "evaluating"
    TESTING = "testing"
    APPROVED = "approved"
    SCHEDULED = "scheduled"
    DEPLOYED = "deployed"              # closed: excluded from risk rating and urgent lists
    DEFERRED = "deferred"              # set by OTPatchManager.defer_patch, with compensating controls
    NOT_APPLICABLE = "not_applicable"  # closed: excluded from risk rating and urgent lists
@dataclass
class OTPatch:
    """One vendor patch tracked through the OT patch lifecycle.

    Date fields are ISO-8601 strings (the sample data uses ``YYYY-MM-DD``).
    ``OTPatchManager.add_patch`` derives ``evaluation_deadline`` from
    ``identified_date`` when the deadline is left empty.
    """
    patch_id: str                       # internal tracking id, e.g. "OT-PATCH-001"
    vendor: str
    product: str
    affected_versions: str              # free-text version range as stated by the vendor
    cve_ids: list[str]                  # joined with ", " in the status report
    cvss_score: float                   # base input to the OT-adjusted risk score
    ics_cert_advisory: str              # advisory id; containing "CISA KEV" raises priority
    description: str
    status: str = PatchStatus.IDENTIFIED  # a PatchStatus member by default; may be a plain value string
    identified_date: str = ""
    evaluation_deadline: str = ""  # 35 days after identification, per CIP-007
    test_date: str = ""
    deployment_date: str = ""
    affected_assets: list[str] = field(default_factory=list)  # asset ids looked up in OTPatchManager.assets
    test_results: str = ""              # also holds the deferral reason after defer_patch
    compensating_controls: str = ""     # required record for a deferred patch
    risk_rating: str = ""               # "critical"/"high"/"medium"/"low", set by prioritize_patches
    maintenance_window: str = ""
    rollback_procedure: str = ""
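class OTPatchManager:
    """Track OT patches through the lifecycle defined by ``PatchStatus``.

    Attributes:
        patches: the patch register, a list of ``OTPatch``.
        assets: asset metadata keyed by asset id; ``prioritize_patches``
            reads the ``network_exposed`` and ``purdue_level`` keys.
        vendor_feeds: placeholder dict, not read by any method here.
    """

    # NERC CIP-007-6 R2 Part 2.2: evaluate a released patch within 35 calendar days.
    EVALUATION_WINDOW = timedelta(days=35)
    # Patches this close to (or past) their deadline are flagged in the report.
    DEADLINE_WARNING_DAYS = 7
    # Statuses that no longer need a risk rating or deadline tracking.
    _CLOSED_STATUSES = (PatchStatus.DEPLOYED, PatchStatus.NOT_APPLICABLE)
    # Statuses whose CIP-007 evaluation has not been completed yet.
    _EVALUATION_OPEN = (PatchStatus.IDENTIFIED, PatchStatus.EVALUATING)

    def __init__(self):
        self.patches = []
        self.assets = {}
        self.vendor_feeds = {}

    @staticmethod
    def _status_label(status):
        """Return the plain string for a status that may be a member or a raw string.

        ``str``-mix-in enum members format as ``PatchStatus.X`` on Python 3.11+,
        which would otherwise leak into the report; patches loaded from JSON may
        carry the plain value instead of a member.
        """
        return status.value if isinstance(status, PatchStatus) else str(status)

    def add_patch(self, patch: OTPatch):
        """Register a patch and stamp its CIP-007 evaluation deadline.

        An empty ``identified_date`` is set to today so the deadline can
        always be computed; an explicitly supplied ``evaluation_deadline``
        is left untouched.

        Raises:
            ValueError: if ``identified_date`` is not an ISO-8601 date/datetime.
        """
        if not patch.identified_date:
            patch.identified_date = datetime.now().date().isoformat()
        if not patch.evaluation_deadline:
            identified = datetime.fromisoformat(patch.identified_date)
            patch.evaluation_deadline = (identified + self.EVALUATION_WINDOW).isoformat()
        self.patches.append(patch)

    def _ot_risk_score(self, patch):
        """Return the OT-adjusted score: CVSS plus exposure weights, capped at 10.0."""
        score = patch.cvss_score
        # Actively exploited (listed in CISA KEV) gets a flat uplift.
        if "CISA KEV" in patch.ics_cert_advisory:
            score += 2.0
        # Each affected asset adds weight for network exposure and for sitting
        # close to the process (Purdue levels 0-2); unknown assets add nothing.
        for asset_id in patch.affected_assets:
            asset = self.assets.get(asset_id, {})
            if asset.get("network_exposed"):
                score += 1.0
            if asset.get("purdue_level") in ("Level 0-1", "Level 2"):
                score += 1.5
        return min(score, 10.0)

    @staticmethod
    def _rating_for(score):
        """Map a 0-10 score onto the four risk bands used in reports."""
        if score >= 9.0:
            return "critical"
        if score >= 7.0:
            return "high"
        if score >= 4.0:
            return "medium"
        return "low"

    def prioritize_patches(self):
        """Assign ``risk_rating`` to every open patch (closed ones are skipped)."""
        for patch in self.patches:
            if patch.status in self._CLOSED_STATUSES:
                continue
            patch.risk_rating = self._rating_for(self._ot_risk_score(patch))

    def get_patches_needing_evaluation(self, warning_days=None):
        """Return ``(patch, days_remaining)`` pairs near or past the evaluation deadline.

        Covers patches whose evaluation is still open (identified or
        evaluating). ``days_remaining`` is negative for overdue patches;
        the result is sorted most-urgent first.

        Args:
            warning_days: flag patches with at most this many days left;
                defaults to ``DEADLINE_WARNING_DAYS``.

        Raises:
            ValueError: if a tracked patch has an empty or malformed
                ``evaluation_deadline`` (patches appended without
                ``add_patch``).
        """
        window = self.DEADLINE_WARNING_DAYS if warning_days is None else warning_days
        now = datetime.now()
        approaching = []
        for patch in self.patches:
            if patch.status not in self._EVALUATION_OPEN:
                continue
            deadline = datetime.fromisoformat(patch.evaluation_deadline)
            days_remaining = (deadline - now).days
            if days_remaining <= window:
                approaching.append((patch, days_remaining))
        approaching.sort(key=lambda item: item[1])
        return approaching

    def defer_patch(self, patch_id, reason, compensating_controls):
        """Mark a patch deferred and record why plus the compensating controls.

        A deferral without compensating controls is refused: the report's
        compliance view counts deferrals by their recorded controls, and
        CIP-007-6 R2 expects a mitigation plan when a patch is not applied.

        Returns:
            True if a patch with ``patch_id`` was updated, False if none matched.

        Raises:
            ValueError: if ``compensating_controls`` is empty or whitespace.
        """
        if not compensating_controls or not compensating_controls.strip():
            raise ValueError(
                f"defer_patch({patch_id!r}): compensating controls are required for a deferral"
            )
        for patch in self.patches:
            if patch.patch_id == patch_id:
                patch.status = PatchStatus.DEFERRED
                patch.compensating_controls = compensating_controls
                patch.test_results = f"已推迟: {reason}"
                return True
        return False

    def generate_report(self):
        """Build the patch-management status report as one string.

        Ratings are refreshed via ``prioritize_patches`` first. Sections:
        status counts, patches near the evaluation deadline, open
        critical/high patches, and deferred patches with their controls.
        Headings and labels are the original Chinese strings.
        """
        self.prioritize_patches()
        lines = [
            "=" * 70,
            "OT补丁管理状态报告",
            f"日期: {datetime.now().isoformat()}",
            "=" * 70,
        ]

        # Status summary; a member and its plain string value share one key.
        status_counts = defaultdict(int)
        for p in self.patches:
            status_counts[p.status] += 1
        lines.append("\n补丁状态摘要:")
        for status, count in status_counts.items():
            lines.append(f" {self._status_label(status)}: {count}")

        # Evaluation deadlines within the warning window (or already missed).
        approaching = self.get_patches_needing_evaluation()
        if approaching:
            lines.append("\n接近评估截止日期:")
            for patch, days in approaching:
                lines.append(f" [{patch.patch_id}] {patch.description} - 剩余 {days} 天")

        # Open patches rated critical or high.
        urgent = [
            p for p in self.patches
            if p.risk_rating in ("critical", "high")
            and p.status not in self._CLOSED_STATUSES
        ]
        if urgent:
            lines.append(f"\n紧急补丁({len(urgent)}个):")
            for p in urgent:
                lines.append(f" [{p.patch_id}] [{p.risk_rating.upper()}] {p.description}")
                lines.append(f" CVE: {', '.join(p.cve_ids)}")
                lines.append(f" 状态: {self._status_label(p.status)}")
                lines.append(f" 受影响资产: {len(p.affected_assets)}")

        # Deferred patches must show their compensating controls.
        deferred = [p for p in self.patches if p.status == PatchStatus.DEFERRED]
        if deferred:
            lines.append(f"\n已推迟补丁({len(deferred)}个):")
            for p in deferred:
                lines.append(f" [{p.patch_id}] {p.description}")
                lines.append(f" 原因: {p.test_results}")
                lines.append(f" 补偿控制: {p.compensating_controls}")

        return "\n".join(lines)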
if __name__ == "__main__":
    # Demo register: two sample advisories, then the status report on stdout.
    sample_patches = [
        OTPatch(
            patch_id="OT-PATCH-001",
            vendor="Siemens",
            product="SIMATIC S7-1500",
            affected_versions="< V3.0.1",
            cve_ids=["CVE-2023-44374"],
            cvss_score=8.8,
            ics_cert_advisory="ICSA-23-348-01",
            description="S7-1500通过精心构造的数据包导致内存损坏",
            identified_date="2026-01-15",
            affected_assets=["PLC-01", "PLC-02", "PLC-03"],
        ),
        OTPatch(
            patch_id="OT-PATCH-002",
            vendor="Rockwell Automation",
            product="FactoryTalk View SE",
            affected_versions="< V13.0",
            cve_ids=["CVE-2024-21914"],
            cvss_score=7.5,
            ics_cert_advisory="ICSA-24-046-02",
            description="FactoryTalk View远程代码执行",
            identified_date="2026-02-01",
            affected_assets=["HMI-01", "HMI-02"],
        ),
    ]
    manager = OTPatchManager()
    for sample in sample_patches:
        manager.add_patch(sample)
    print(manager.generate_report())
切勿将补丁直接部署到生产OT系统。使用镜像生产环境的测试环境验证补丁兼容性。
# OT patch testing procedure: the staging-lab checks a patch must pass
# before it is scheduled into a production maintenance window.
patch_testing:
  # Lab that mirrors production so results transfer to the real plant.
  environment:
    description: "镜像生产OT架构的预演实验室"
    components:
      - "与生产固件匹配的虚拟PLC模拟器"
      - "带相同软件版本的测试HMI工作站"
      - "带代表性数据的测试历史服务器"
      - "与生产VLAN/防火墙匹配的网络配置"
  test_cases:
    # Process behaviour after the patch, including the safety-system trip test.
    functional:
      - "PLC程序在OS补丁后正确执行"
      - "HMI显示以正确的过程值更新"
      - "历史服务器数据采集不间断"
      - "报警和事件处理功能正常"
      - "PLC间通信保持循环时间"
      - "安全系统跳闸测试通过(如果SIS受影响)"
    # Timing and throughput must not regress; thresholds are in the case text.
    performance:
      - "PLC扫描时间保持在可接受限度内(< 50ms增加)"
      - "HMI屏幕刷新率不变"
      - "历史服务器采集间隔保持不变"
      - "区域间网络延迟不变"
    # Third-party software, OPC connectivity, scripts and backups still work.
    compatibility:
      - "第三方应用程序正常运行"
      - "OPC UA/DA连接成功建立"
      - "自定义脚本和批处理过程执行"
      - "备份和恢复程序有效"
    # Rollback is itself a tested, timed procedure ([N] is filled in per patch).
    rollback:
      - "系统可以恢复到补丁前状态"
      - "回滚程序已记录并经过测试"
      - "估计回滚时间: [N] 分钟"
  # Evidence required before sign-off by operations, engineering and security.
  documentation:
    required:
      - "带通过/失败标准的测试计划"
      - "带截图的测试执行结果"
      - "前后性能测量对比"
      - "运营、工程和安全的签字确认"
| 术语 | 定义 |
|---|---|
| 补偿控制(Compensating Control) | 当无法部署补丁时应用的替代安全措施,例如防火墙规则、IPS签名或网络隔离 |
| 供应商兼容性(Vendor Compatibility) | OT供应商确认补丁(特别是OS补丁)与其控制系统软件兼容 |
| 维护窗口(Maintenance Window) | 系统修改的计划时间段,与过程关停或低风险运营期间对齐 |
| 虚拟打补丁(Virtual Patching) | 部署IDS/IPS规则检测和阻止针对已知漏洞的利用尝试,而无需修改目标系统 |
| 评估截止日期(Evaluation Deadline) | NERC CIP-007-6要求在补丁发布后35个日历天内完成评估 |
| 大修(Turnaround) | 过程装置的重大计划停机维护,提供大量OT打补丁的机会 |
OT补丁管理报告
============================
报告周期: YYYY-MM至YYYY-MM
补丁状态:
已识别: [N]
评估中: [N]
测试中: [N]
已部署: [N]
已推迟: [N]
合规性:
35天内评估: [N]/[N](CIP-007-6 R2)
已部署或已缓解: [N]/[N]
带补偿控制措施的推迟: [N]