Operational technology (OT) is the hardware and software used to monitor and control physical processes in critical infrastructure, while Industrial Control System (ICS) assets are the digital devices used in industrial processes. The connected nature of OT/ICS devices has, particularly in recent years, increased cybersecurity risk for the environments that rely on them.
For companies that still run legacy OT/ICS devices, is the best way to strengthen their security posture simply to swap those devices out for newer models? Or is there another route?
This blog post explores vulnerability patching for OT/ICS devices, covering the threat landscape for these technologies, patch management, and how organizations can automate their vulnerability patching.
Most OT/ICS architectures sit in isolated, flat networks that nonetheless contain exposed areas. The attack surface spans the full range of potential attacks against OT, ICS, and now IIoT solutions, and attacks on all three platforms can originate either internally or externally.
External attacks come from outside actors, including hackers, criminals, terrorists, and nation-states. Beyond internal and external cyber attacks, there are also physical attacks involving direct interference with equipment.
IT and OT critical infrastructure systems are traditionally built on separate technology stacks and operate independently. Because these systems are not directly connected, their security controls differ from those of a conventional computer network, and they are often kept on separate networks so that cyber risk, including malware and ransomware, does not spread from one to the other.
A vulnerable OT asset is an enticing, profitable target for bad actors. Once a patch is published, the vulnerability it fixes becomes publicly identified through the National Vulnerability Database (NVD), and attackers monitor these databases just as defenders do.
ICS-CERT's security advisories can notify you of vulnerabilities as ICS-CERT announces them; the NVD has released nearly 350 exposures in a single weekend. There are many ways these weaknesses can affect an OT organization.
Patch availability is a primary concern for operational networks. Many OT devices stay running in production years after the manufacturer’s end-of-life (EOL) date, after which users no longer receive security updates from the original vendor.
Operational network engineers therefore often turn to third-party software companies, such as TuxCare, that offer extended lifecycle support programs for Linux OS kernel patches, enabling companies to keep receiving security patches for several years after an OS reaches EOL.
Figuring out which patches to prioritize in your OT/ICS environment can be tricky. CVSS scores have typically been an essential starting point for selecting patches, but they are generated from multiple variables: access vectors, access difficulty, authentication, integrity, availability, and many others.
Relying solely on CVSS scores to prioritize vulnerability patches is therefore not the best approach. To complicate things further, industrial network engineers can only deploy a small subset of the patches that become available across the OT estate at any one time.
We recommend that industrial organizations prioritize patching in their OT-specific environments using a multi-staged approach.
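To make the staged prioritization concrete, the following is an added example (not TuxCare's code or the page's own) that parses a published CVSS v3 vector, adjusts the base score with OT context such as network exposure, EOL status and safety criticality, and assigns each fix to a deployment stage depending on whether it needs an outage. The weights, the Advisory fields and the sample advisories with placeholder CVE ids are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Illustrative weights (an assumption, not a standard) that discount flaws
# needing local or physical access relative to network-reachable ones.
AV_WEIGHT = {"N": 1.0, "A": 0.8, "L": 0.5, "P": 0.3}

def parse_cvss_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError(f"unsupported CVSS vector: {vector}")
    return dict(p.split(":", 1) for p in parts[1:])

@dataclass
class Advisory:
    cve: str
    base_score: float      # published CVSS base score
    vector: str            # published CVSS vector string
    asset: str
    exposed: bool          # asset reachable from the IT/Internet side
    eol: bool              # vendor no longer ships fixes for this asset
    safety_critical: bool  # loss of availability can cause physical harm
    needs_reboot: bool     # fix needs a restart, i.e. a production outage

def ot_priority(adv: Advisory) -> float:
    """CVSS base score adjusted with OT context (exposure, EOL, safety)."""
    m = parse_cvss_vector(adv.vector)
    score = adv.base_score * AV_WEIGHT[m["AV"]]
    if not adv.exposed and m["AV"] in ("N", "A"):
        score *= 0.6  # remote vector, but no remote path to this asset
    if adv.safety_critical and m.get("A") == "H":
        score += 2.0  # availability impact is a safety issue on this asset
    if adv.eol:
        score += 1.0  # no vendor fix is coming; compensating controls needed
    return round(min(score, 10.0), 1)

def stage(adv: Advisory) -> str:
    # Apply now only if no outage is needed; otherwise queue for a window.
    p = ot_priority(adv)
    if p >= 7.0:
        return "now" if not adv.needs_reboot else "next-window-expedited"
    return "next-window" if p >= 4.0 else "backlog"

NET = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"   # constructed sample vectors
PHYS = "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
SAMPLE = [  # constructed advisories with placeholder CVE ids
    Advisory("CVE-XXXX-0001", 9.8, NET, "hmi-01", True, False, False, False),
    Advisory("CVE-XXXX-0002", 9.8, NET, "plc-cell-3", False, True, True, True),
    Advisory("CVE-XXXX-0003", 6.2, PHYS, "rtu-07", False, False, False, True),
]
```

Sorting `SAMPLE` by `ot_priority` gives the deployment queue; note that the isolated, EOL, safety-critical PLC keeps a high priority despite having no remote path, but lands in an expedited maintenance window because its fix needs a reboot.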
IEC 62443 requires change management for OT/ICS environments. Deploying patches in an OT environment is understood to be an environmental change and a daunting task. The patch and firmware update process should be reviewed continuously to evaluate the risk to the device and to the organization.
Proprietary systems also have their own patch and firmware update sequences. Some require multiple reboots of the device so that the firmware can update its various components in separate stages. Critical devices are often patched or upgraded only reluctantly, out of concern that the machine will not return to the production environment promptly.
To decide whether to apply a patch, you need to weigh its benefits against the disruption it causes. If the benefits outweigh the disruption, apply the patch. With OT/ICS devices, however, taking units out of production can greatly reduce operational efficiency and overall output, so there is an incentive to delay patching until scheduled maintenance windows.
On the other hand, waiting to apply security patches until you’re ready to restart systems and devices leaves your organization vulnerable and puts your compliance posture at risk.
TuxCare’s live patching solutions protect your Linux systems by rapidly eliminating vulnerabilities without waiting for maintenance windows or downtime. With TuxCare, IT teams can automate taking new patches through staging, testing, and production on all popular Linux distributions.
TuxCare features flawless interoperability with vulnerability scans, security sensors, automation, vulnerability management processes, and reporting tools, together with our ePortal patch deployment management platform. This dedicated private patch server runs inside your firewall, on-premises or in the cloud. TuxCare is the only provider to live patch virtually all vulnerabilities in kernels, shared libraries, virtualization platforms, and open-source databases across all popular distributions.