Given the variety of technological tools at our disposal, installing software updates is often part of the daily routine.
Whether it is a phone, laptop, or firmware – all these require updates to ensure the latest versions of software and patches are installed. While some may see this as annoying and time consuming, this procedure prevents unnecessary cyber threats exposing possible vulnerabilities. Unfortunately, hackers understand the value of targeting ICS systems and one only has to remember the impact the Stuxnet virus had.
To try to stay one or two steps ahead, security teams have the responsibility of ensuring systems are being kept up to date. “From this, you may have heard the terms ‘patch management’ and ‘vulnerability management’ being used by security professionals without knowing the definitions, but it is important to understand that they are not the same thing and both are processes that play critical but different roles in securing the ICS environment,” Dean Ferrando, systems engineer manager – EMEA at Tripwire, explains. “Vulnerability management is a process that monitors the asset (application or device) on the network and provides analysis around vulnerabilities on the system. Patch management is a subset of vulnerability management and is the process used to ensure software is continuously updated while also highlighting, classifying, and prioritising any missing patches on an asset. It is an important element and can be crucial in mitigating the risk posed by an unpatched vulnerability.”
Pros and cons of patch management
To make the right decisions, it is paramount that you weigh the risks and benefits that come with installing a patch before acting. Is installing a patch worth the effort? “There are multiple benefits associated with patching,” Ferrando adds. “The most obvious reason is to fix a security flaw in either the operating systems (OS) or applications. Additionally, patches can also address specific bugs or flaws in some applications and can improve the application’s stability. This is advantageous in the Industrial Control Systems (ICS) environment because the stability and uptime of critical devices are incredibly important.
“However, there are some risks associated with patching. Both the Information Technology (IT) and Operational Technology (OT) sides of the businesses need to assess this, but they might perceive the risks differently because they have different factors to focus on. In most cases, the IT side will find more benefits over risks when evaluating this. This is because the OT side often has more obstacles and higher stakes, because system uptime is extremely important in this realm. In the ICS environment specifically, there is a major risk of taking down a critical network or component due to a malformed or corrupt patch.”
Another important factor to consider is cost. “The OT side will often find more costs associated here, because in order to test in the OT environment, they will need to purchase hardware that mimics the production systems and devote additional hours (of an internal employee or vendor specialist) to testing patches on each individual device,” Ferrando continues. “On the other hand, IT can mimic their production systems by building a virtual environment and can use automated patch management to handle most of the patch testing for them. This is obviously much less expensive and logistically complicated.”
The final major factor to consider is end-of-life product cycles. Again, this is much less risky on the IT side. This is because of IT’s reduced concern with uptime and because of the ability to use solutions like virtual environments to test and upgrade the OS.
Ferrando believes that it because of these risks, it is hard to convince OT organizations to install patches. “Many do not think that they will get hacked. It is hard to push the mentality that ‘it isn’t if you get hacked but when you get hacked’, which is what will drive OT environments to take the steps to do controlled, manual, segmented patching to prevent a possible unexpected, uncontrolled system shutdown.”
IT versus OT
To understand the differences in how IT and OT assess risk, let us review how each of these view the confidentiality, integrity, and availability (CIA) triad. “The IT world prioritises confidentiality, integrity, and availability, in that order,” Ferrando explains. “Confidentiality is important because a breach that results in lost personal data of customers or employees could mean financial losses, regulatory penalties, and damage to the organisation’s reputation.
“Integrity is the second-highest concern because admitting publicly that they have been breached can also result in financial losses such as fines or lost business. Availability is still very important, but it is the third focus of the triad because the mean-time-to-repair (MTTR) in the event of a system going down is shorter and the process simpler for IT environments compared to OT environments.
“OT environments, on the other hand, have availability as the highest priority because even a short period of system downtime could cost millions of dollars and can impact society as a whole. For example, imagine how many households would be impacted by a compromised electric grid. Integrity is the second-highest priority, followed by confidentiality, with similar reasonings to IT.”
IT and OT do have common ground, though. Each side of the organisation values systems and solutions such as asset discovery, vulnerability assessment, policy management, change detection, configuration assessment, and log management. “By converging IT and OT, IT can use a security information and event management (SIEM) tool to analyse data for the entire organisation, as they already have the tools to do so, and can alert the proper OT teams of just the events that pertain to them.
What to do if you cannot patch
Now that we have assessed the differences in how IT and OT measure the risks and benefits of patching in an ICS environment, we can now better understand why there are some circumstances where patching is not the best option. But what are some other options?
At a minimum, this is what Dean Ferrando says ICS organizations should do if they are unable to patch:
- Asset discovery will help you identify what you have in your environment. This is important so you know what to protect but may also raise the question if there are some assets you do not need and are wasting resources securing.
- Perimeter protection, which can be anything from firewalls to access controls, will protect your organisation from both physical and digital invasions.
- Segmentation can benefit your organisation in many ways because it will prevent a breach from harming your entire organization.
- Log management looks for movement within the organisation to detect potential threats.
- Vulnerability assessment determines the vulnerable risk level of each asset. A vulnerability scan will give you a score that indicates how easy it is to exploit the vulnerability and how much access is given if exploitation is successful.
- File integrity monitoring looks at the inside of the organisation and alerts on suspicious changes there.
As the cyber threat landscape continues to evolve, it is crucial for organizations to strengthen their ability to identify, analyze, and evaluate cyber risks before they turn into more dangerous security incidents.
Read more on software – Analytics and AI software helps producers optimise operations in demanding market conditions
