******************

From Donovan Trindill

Hello Bill and Bob,

In preparation for tomorrow's meeting, I have attached several documents for group review. I did not anticipate we would be walking through these documents during the meeting, the intent is to capture reader comments. These are actual Patch Management documents developed for a SCADA environment subject to NERC CIP002-009 Cyber Security compliance. They are in the process of being rolled out and used for recurring patch evaluation and test management.

1) Example Patch Identification & Evaluation Procedure - This is a guidance document on how to setup and prepare the inventory of the existing environment, vendor support info, and the evaluation process.

2) Example Vendor Patch information reference document - This is all the necessary contact and support information which need to be regularly monitored for updates.

3) Example Patch Evaluation Form

4) Example Patch Test Management Procedure - This is a guidance document on how to perform testing in relationship to the control system. Some patches are low risk and do not require extensive testing, while others are emergency and require expedited rollout. The Test management procedure considers the different deployment priorities.

5) Example Patch Test Management Form

What is the relevance of these documents?

- They are an attempt to implement a patch management program upon a real SCADA control system environment.

- Considers Microsoft patches, and other vendor patches on top of the Windows operating system.

- Written to guide Engineering and Maintenance who may be not be proficient in Windows, but are required to execute and record their testing activities.

Even with these procedure in place, there is still the challenge of collecting consistent vendor patch support information, formatting for our internal software inventory, and an easy way to correlate the information. I am still looking through Bruce and Florien's project information.