ClickCease Patching Instead of Upgrading Legacy OT Devices?
Live Patching Education,

Patching Instead of Upgrading Legacy OT Devices?

November 22, 2022
Patching instead of upgrading legacy OT Devices

Operational technology (OT) is equipment and computer software used for analyzing utility control processes for critical infrastructure, while Industrial Control System (ICS) assets are the digital devices used in industrial processes. The connected nature of OT/ICS devices has – particularly recently – increased cybersecurity risk for the environments that utilize them.

To strengthen the security posture for companies that currently use legacy OT/ICS devices, is the best option to simply swap them out for newer models? Or is there another route?

This blog post explores vulnerability patching for OT/ICS devices, covering the threat landscape for these technologies, patch management, and how organizations can automate their vulnerability patching.

Potential Threats and Critical Vulnerabilities

The majority of OT/ICS architectures are located mostly in isolated and flat networks with exposed areas. The attack space covers the entire range of potential attacks, including all OT/ICS and now IIoT solutions. Attacks on all three platforms could originate either internally or externally.

External attacks may come from outside sources, including hackers, criminals, terrorists, and nation-states. Apart from these two categories, there are also physical attacks involving direct interference with equipment.

The OT Patch Management Process

IT and OT critical infrastructure systems are traditionally based on separate technology stacks and operate individually. Since these systems are not connected directly, their controls differ from those on a computer network and often exist in different networks to avoid overlapping cyber risk, including malware and ransomware attacks.

A vulnerability-sensitive OT asset can be a profitable, enticing fruit to bad actors. When the patch is publicly published, the vulnerabilities become identified through the National Vulnerability Database. Hackers also continuously monitor these databases themselves.

ICS-CERT’s security updates can notify you of vulnerabilities as ICS-CERT announces them. NVD released nearly 350 exposures in one weekend. There are many ways that these weaknesses can affect an OT organization.

Why are Deployment Guides not Sufficient for OT/ICS Systems?

Patch availability is a primary concern for operational networks. Many OT devices stay running in production years after the manufacturer’s end-of-life (EOL) date, after which users no longer receive security updates from the original vendor. 

Functional network engineers often seek third-party software companies, like TuxCare, with extended lifecycle support programs for Linux OS kernel patches – which enable companies to continue to receive security patches for several years after an OS reaches EOL. 

Prioritizing the Deployment of Patches

Figuring out which patches should be prioritized in your OT/ICS environment can be tricky. While CVSS scores have typically been an essential starting point for selecting patches, they are generated using multiple variables: access vectors, access difficulty, authentication, integrity, availability, and many others. 

Moreover, relying solely on CVSS scores to prioritize vulnerability patches might not be the best approach. To further complicate things, Industrial operator network engineers can only deploy a small subset of patches in the entire OT asset simultaneously, even if the potential patches become available. 

We recommend that operational environments and industrial organizations prioritize patching for an OT-specific environment with a multi-staged approach.

Patching Embedded Devices within the Change Management Process

IEC62443 requires the implementation of change management for OT/ICS environments. It is understood that deploying patches in the OT environment will be an environmental change and a very daunting task. The patch and firmware update process should be reviewed continuously to help evaluate the risk to the device and the organization.

Proprietary systems also have their patch and firmware update sequence. Some require multiple reboots of the device for the firmware to update the various components in different stages. Critical devices often need to be patched or upgraded out of concern; the machine will not return to the production environment promptly. 

Patch Management Challenges

To decide whether to implement a patch, you need to weigh the benefits against the disruptions. If the benefits outweigh the troubles, then execute the patch. However, with OT/ICS devices, taking units out of production can greatly impact operational efficiencies and overall output. For this reason, there’s an incentive to delay patching for scheduled maintenance windows.

On the other hand, waiting to apply security patches until you’re ready to restart systems and devices leaves your organization vulnerable and puts your compliance posture at risk.

Automating Device Patching with TuxCare 

TuxCare’s live patching solutions protect your Linux systems by rapidly eliminating vulnerabilities without waiting for maintenance windows or downtime. With TuxCare, IT teams can automate taking new patches through staging, testing, and production on all popular Linux distributions.

TuxCare features flawless interoperability with vulnerability scans, security sensors, automation, integration with vulnerability management process, reporting tools, and our ePortal patch deployment management platform. This dedicated private patch server runs inside your firewall on-premises or in the cloud. TuxCare is the only provider to live patch virtually all vulnerabilities in kernels, shared libraries, virtualization platforms, and open-source databases across all popular distributions.

Contact a TuxCare Expert

Summary
Patching Instead of Upgrading Legacy OT Devices?
Article Name
Patching Instead of Upgrading Legacy OT Devices?
Description
Explore vulnerability patching for ICS/OT devices, the threat landscape and how organizations can automate their vulnerability patching.
Author
Publisher Name
TuxCare
Publisher Logo

TuxCare can help you reduce your risk window to data exfiltration and other cyber security threats.

TALK TO A CYBERSECURITY EXPERT

Expert knowledge of Linux security tips,
live patching education, and Cybersecurity news.

Stay updated with the latest news and announcements from TuxCare.com

Related Articles

How to Reduce Risk in...

A digital twin (DT) is a virtualized representation of an...

December 8, 2022

Live Patching Integration into CI/CD...

Continuous integration (CI) refers to testing code changes before deployment...

December 5, 2022

What is the Gartner IIoT...

When it comes to the Industrial Internet of Things (IIoT),...

December 2, 2022

The Many Faces of...

Keeping your systems up to date can be done in...

November 28, 2022

Why Are Operational Technology Devices...

Gone are the days of Operational Technology (OT) being distinctly...

November 25, 2022

What is Linux Kernel Live...

Breakthroughs don’t often happen in cybersecurity, but when one does,...

November 23, 2022

Resources

State of Enterprise Linux Cybersecurity ... Read More State of Enterprise Linux Cybersecurity ...
Dangerous remotely exploitable vulnerability ... Read More Dangerous remotely exploitable vulnerability ...
Securing confidential research data ... Read More Securing confidential research data ...
State of Enterprise Vulnerability Detection ... Read More State of Enterprise Vulnerability Detection ...
Demand for Rapid Risk Elimination for ... Read More Demand for Rapid Risk Elimination for ...
TuxCare Free Raspberry Pi Patching Read More TuxCare Free Raspberry Pi Patching