Patching Instead of Upgrading Legacy OT Devices?
Operational technology (OT) is equipment and computer software used for analyzing utility control processes for critical infrastructure, while Industrial Control System (ICS) assets are the digital devices used in industrial processes. The connected nature of OT/ICS devices has – particularly recently – increased cybersecurity risk for the environments that utilize them.
To strengthen the security posture for companies that currently use legacy OT/ICS devices, is the best option to simply swap them out for newer models? Or is there another route?
This blog post explores vulnerability patching for OT/ICS devices, covering the threat landscape for these technologies, patch management, and how organizations can automate their vulnerability patching.
Potential Threats and Critical Vulnerabilities
Most OT/ICS architectures sit in isolated, flat networks that nonetheless contain exposed areas. The attack surface spans the full range of potential attacks across OT, ICS and now IIoT solutions, and an attack on any of the three can originate either internally or externally.
External attacks come from outside actors, including hackers, criminals, terrorists, and nation-states. Beyond these two categories of internal and external network attacks, there are also physical attacks involving direct interference with equipment.
The OT Patch Management Process
IT and OT critical infrastructure systems are traditionally built on separate technology stacks and operated independently. Because these systems are not directly connected, their controls differ from those of a conventional computer network, and they are often kept on separate networks to avoid overlapping cyber risk, including malware and ransomware attacks.
A vulnerable OT asset is profitable, low-hanging fruit for bad actors. When a patch is published, the vulnerability it fixes becomes identified through the National Vulnerability Database (NVD), and attackers continuously monitor these databases just as defenders do.
ICS-CERT’s security advisories can notify you of vulnerabilities as ICS-CERT announces them; the NVD has released nearly 350 exposures in a single weekend. Any of these weaknesses can affect an OT organization in many ways.
Why are Deployment Guides not Sufficient for OT/ICS Systems?
Patch availability is a primary concern for operational networks. Many OT devices stay running in production years after the manufacturer’s end-of-life (EOL) date, after which users no longer receive security updates from the original vendor.
Network engineers often turn to third-party software companies, like TuxCare, whose extended lifecycle support programs supply Linux kernel security patches for several years after an OS reaches EOL.
Prioritizing the Deployment of Patches
Figuring out which patches to prioritize in your OT/ICS environment can be tricky. CVSS scores have typically been an essential starting point for selecting patches, but they are generated from several generic variables (access vector, attack complexity, authentication, integrity, availability, and others) that say nothing about the role of the affected asset in your plant.
Relying solely on CVSS scores to prioritize vulnerability patches is therefore not the best approach. To complicate things further, industrial network engineers can deploy only a small subset of the available patches across the OT estate at any one time, even when every patch is already published.
We recommend that operational environments and industrial organizations prioritize patching for an OT-specific environment with a multi-staged approach.
Patching Embedded Devices within the Change Management Process
IEC 62443 requires the implementation of change management for OT/ICS environments. Deploying a patch in the OT environment is itself a change to that environment and can be a very daunting task. The patch and firmware update process should be reviewed continuously to evaluate the risk to the device and to the organization.
Proprietary systems also have their own patch and firmware update sequence. Some require multiple reboots of the device so that the firmware can update its various components in different stages. Operators are often reluctant to patch or upgrade critical devices out of concern that the machine will not return to the production environment promptly.
Patch Management Challenges
To decide whether to implement a patch, you need to weigh the benefits against the disruptions. If the benefits outweigh the trouble, then execute the patch. However, with OT/ICS devices, taking units out of production can greatly impact operational efficiency and overall output. For this reason, there’s an incentive to defer patching to scheduled maintenance windows.
On the other hand, waiting to apply security patches until you’re ready to restart systems and devices leaves your organization vulnerable and puts your compliance posture at risk.
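As an added illustration of the two points above (CVSS alone is a poor ranking signal for OT assets, and a reboot-requiring fix has to be weighed against lost production and queued for a limited maintenance window), the following Python sketch re-weights CVSS by OT context and splits findings into deployment stages. It is not code from the original post or from TuxCare; the context multipliers, the 1-to-3 criticality scale and the CVE-XXXX ids are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str            # constructed placeholder ids below, not real CVE numbers
    cvss: float         # CVSS base score (0-10) as published in the NVD
    asset: str
    criticality: int    # assumed scale: 1 = non-critical, 2 = production, 3 = safety-critical
    exposed: bool       # reachable from a less-trusted zone (e.g. the IT/DMZ side)
    exploited: bool     # active exploitation reported in an advisory
    needs_reboot: bool  # fix requires a restart, i.e. time out of production

CRITICALITY_WEIGHT = {1: 0.6, 2: 1.0, 3: 1.4}  # assumed, tune per site

def risk_score(f: Finding) -> float:
    """CVSS re-weighted by OT context; the multipliers are illustrative assumptions."""
    score = f.cvss * CRITICALITY_WEIGHT[f.criticality]
    if f.exposed:
        score *= 1.5
    if f.exploited:
        score *= 2.0
    return round(score, 1)

def plan(findings, window_capacity):
    """Split ranked findings into stages: 'now' (no reboot, can be applied in
    production), 'window' (reboot required, limited slots in the next maintenance
    window) and 'backlog' (waits for a later window)."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    stages = {"now": [], "window": [], "backlog": []}
    for f in ranked:
        if not f.needs_reboot:
            stages["now"].append(f.cve)
        elif len(stages["window"]) < window_capacity:
            stages["window"].append(f.cve)
        else:
            stages["backlog"].append(f.cve)
    return stages

# Constructed sample findings for one small OT zone.
SAMPLE = [
    Finding("CVE-XXXX-0001", 9.8, "plc-line1", 3, True, True, True),
    Finding("CVE-XXXX-0002", 7.5, "hmi-line1", 2, False, False, False),
    Finding("CVE-XXXX-0003", 5.3, "safety-ctrl", 3, True, False, True),
    Finding("CVE-XXXX-0004", 9.1, "lab-gw", 1, False, False, True),
    Finding("CVE-XXXX-0005", 4.0, "lab-logger", 1, False, False, False),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{f.cve} cvss={f.cvss} ot_risk={risk_score(f)}")
    print(plan(SAMPLE, window_capacity=1))
```

Note that CVE-XXXX-0004 has a higher CVSS score than CVE-XXXX-0003 but lands lower in the ranking because it sits on a non-critical, non-exposed asset.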
Automating Device Patching with TuxCare
TuxCare’s live patching solutions protect your Linux systems by rapidly eliminating vulnerabilities without waiting for maintenance windows or downtime. With TuxCare, IT teams can automate taking new patches through staging, testing, and production on all popular Linux distributions.
TuxCare features seamless interoperability with vulnerability scanners, security sensors, automation tooling, the vulnerability management process, reporting tools, and our ePortal patch deployment management platform. This dedicated private patch server runs inside your firewall, on-premises or in the cloud. TuxCare is the only provider to live patch virtually all vulnerabilities in kernels, shared libraries, virtualization platforms, and open-source databases across all popular distributions.