Software & Firmware Tracking
UR E26 §4.1.1.2.2 & §4.1.1.3.2.2: The inventory shall identify the software/firmware name and version. Additionally, a Software Maintenance/Update Policy must be established to manage the lifecycle of these digital assets.
1. The Software Master List (SML)
Every Computer Based System (CBS) identified in your hardware inventory must have its software “DNA” documented. This is critical for Vulnerability Management; you cannot protect a system if you do not know which version of code is running its core functions.
Essential Documentation Points:
- Application Software: Specific program versions (e.g., PMS v4.2).
- Operating Systems: Windows Builds, Linux Kernels, or RTOS versions.
- Firmware: Hard-coded software in PLCs, Sensors, and Controllers.
- Patch Level: The latest security update applied (e.g., KB number).
2. How to Extract Version Data
Most Bridge/Engine HMIs have a “System Info” or “About” page. Audit Tip: Take a photo of this screen during physical surveys as evidence for the Class Surveyor.
For “headless” PLCs, use OEM software (e.g., TIA Portal) to pull the firmware build number and checksum for verification.
3. Maintenance & Patch Tracking
| Software Category | Critical Tracking Data | Update Frequency |
|---|---|---|
| Operating Systems | Build Number, Patch Level (KB#) | Monthly / Quarterly |
| PLC/Controller FW | Major/Minor Version, Build Date | Per OEM Bulletin |
| Security Software | AV Engine & Signature Version | Daily (If connected) |
Surveyor Verification: During surveys, Class may verify versions by vulnerability scanning or manually checking systems to ensure they match the “As-Approved” baseline.
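The baseline comparison described above can be run before a survey. The following is an added example, not part of UR E26 or any class society tooling: it diffs an onboard Software Master List against the "As-Approved" baseline and reports drift. The CSV column names, CBS identifiers, finding labels and all sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample data; the column layout is an assumption, not a UR E26 format.
BASELINE_CSV = """cbs_id,category,name,version,patch_level
PMS-01,application,PMS,v4.2,
PMS-01,os,Windows 10,19045,KB0000001
PLC-07,firmware,Controller FW,2.8.1,
ECDIS-02,os,Linux,5.10,
VDR-04,firmware,Recorder FW,1.3,
"""
ONBOARD_CSV = """cbs_id,category,name,version,patch_level
PMS-01,application,PMS,v4.2,
PMS-01,os,Windows 10,19045,KB0000002
PLC-07,firmware,Controller FW,2.9.0,
ECDIS-02,os,Linux,,
HMI-03,application,Viewer,1.0,
"""

def load(text):
    """Index SML rows by (CBS id, category, software name)."""
    rows = {}
    for r in csv.DictReader(io.StringIO(text)):
        key = (r["cbs_id"].strip(), r["category"].strip().lower(), r["name"].strip())
        rows[key] = (r["version"].strip(), r["patch_level"].strip())
    return rows

def diff_sml(baseline_text, onboard_text):
    """Return (key, finding, approved, found) for every entry that deviates."""
    base, ship = load(baseline_text), load(onboard_text)
    findings = []
    for key in sorted(base.keys() | ship.keys()):
        if key in ship and not ship[key][0]:
            # The inventory must state a version; a blank cannot be verified.
            findings.append((key, "VERSION_NOT_RECORDED", base.get(key), ship[key]))
        elif key not in ship:
            findings.append((key, "MISSING_ONBOARD", base[key], None))
        elif key not in base:
            findings.append((key, "NOT_IN_BASELINE", None, ship[key]))
        elif base[key][0] != ship[key][0]:
            findings.append((key, "VERSION_DRIFT", base[key], ship[key]))
        elif base[key][1] != ship[key][1]:
            findings.append((key, "PATCH_DRIFT", base[key], ship[key]))
    return findings

if __name__ == "__main__":
    for key, kind, approved, found in diff_sml(BASELINE_CSV, ONBOARD_CSV):
        print(f"{kind:21} {'/'.join(key)} approved={approved} found={found}")
```

Each finding is either a change to be recorded under the Software Maintenance/Update Policy or an inventory gap to close before the survey.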
Pillar A Complete?
Once you have logged hardware and software, proceed to map the communication protocols and “language” of the ship.
