I am from an electric utility and we do Microsoft patching using BigFix.
There is a requirement to have patches come from a reliable source (certificate, and hash SHA-256).
I want to prove that BigFix checks the certificate and hash when it gets patches from Microsoft.
I would like to contact any utility that uses BigFix to see how CIP 10 R1.6 is satisfied.
Thanks
@chinekc, if you look at fixlet named “MS21-JAN: Cumulative Update for Windows 10 Version 20H2 - Windows 10 Version 20H2 - KB4598242 (x64)” in the “Patches for Windows” external site, you will see the following command:
prefetch windows10.0-kb4598242-x64_725aeed030bc68b2d07096503bd26918ac1fe488.msu sha1:725aeed030bc68b2d07096503bd26918ac1fe488 size:420792295 http://download.windowsupdate.com/c/msdownload/update/software/secu/2021/01/windows10.0-kb4598242-x64_725aeed030bc68b2d07096503bd26918ac1fe488.msu sha256:9fa6ddaee62d991ea13640e5c9f3fa3e953a708f83ff99e182a9e2a8438008b4
The prefetch command in the Action Script language automatically enforces the hash check at each landing point (i.e. on BESRelays and BESClients). If you were to create a custom copy of a MS OS update fixlet and manipulate the SHA1/SHA256 and/or SIZE values of the prefetch statement, the fixlet WILL FAIL as part of the validation process that’s intrinsic to the BigFix product.
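To collect independent evidence of the hash check described in the answer above, the following added example (not part of the original posts and not BigFix's own code) parses a prefetch statement and recomputes size, SHA-1 and SHA-256 over a downloaded file. The function names, the sample payload and the `example.invalid` URL are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Field layout as in the prefetch statement quoted in the answer:
#   prefetch <name> sha1:<hex> size:<bytes> <url> [sha256:<hex>]
PREFETCH_RE = re.compile(
    r"^prefetch\s+(?P<name>\S+)\s+sha1:(?P<sha1>[0-9a-fA-F]{40})\s+"
    r"size:(?P<size>\d+)\s+(?P<url>\S+)"
    r"(?:\s+sha256:(?P<sha256>[0-9a-fA-F]{64}))?\s*$"
)

def parse_prefetch(line):
    """Return name, sha1, size, url and (optional) sha256 from a prefetch line."""
    m = PREFETCH_RE.match(line.strip())
    if m is None:
        raise ValueError("not a recognised prefetch statement")
    spec = m.groupdict()
    spec["size"] = int(spec["size"])
    for k in ("sha1", "sha256"):
        spec[k] = spec[k].lower() if spec[k] else None
    return spec

def verify_file(path, spec):
    """Return the fields that do not match; an empty list means the file matches."""
    sha1, sha256, size = hashlib.sha1(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream large .msu files
            sha1.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    got = {"size": size, "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}
    # A statement with no sha256 field is reported too, since SHA-256 is the requirement.
    return [k for k in ("size", "sha1", "sha256") if spec[k] != got[k]]

def demo():
    """Constructed sample: a small temp file stands in for the downloaded update."""
    data = b"constructed sample payload, not a real update"
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(data)
    h1, h256 = hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()
    line = f"prefetch sample.msu sha1:{h1} size:{len(data)} http://example.invalid/sample.msu sha256:{h256}"
    good = verify_file(fh.name, parse_prefetch(line))
    bad = verify_file(fh.name, parse_prefetch(line.replace(f"size:{len(data)}", "size:1")))
    os.unlink(fh.name)
    return good, bad

if __name__ == "__main__":
    print(demo())
```

Running `verify_file` against the cached download with the fixlet's own prefetch line gives an auditor a result that does not depend on the product's internal validation.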