Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

10:00 AM
Connect Directly
E-Mail vvv

The Folly of Vulnerability & Patch Management for ICS Networks

Yes, such efforts matter. But depending on them can give a false sense of security.

IT security has depended on vulnerability and patch management for decades, and conventional wisdom says these programs should be replicated to make industrial networks more secure. We only partially agree.

Vulnerability and patch management programs have only modestly improved overall security for traditional IT networks. We're not throwing the baby out with the bathwater here. There is no doubt that well-planned vulnerability/patch programs — ones that prioritize what to patch based on a clear understanding of risks and that conduct proper testing — can demonstrably reduce risk. While improvements in automation across the vulnerability/patch life cycle have reduced costs and the resources required, opportunity costs remain.

Within the industrial control system (ICS) networks that underpin everything from oil/gas and water systems to manufacturing and the electric grid, many issues combine to make traditional vulnerability and patch management approaches very difficult.

The first thing IT security teams run headlong into is that patch windows for ICS networks are not, and in fact cannot, be done as frequently or regularly as IT networks. On Wednesday, you're not testing and deploying any of the patches Microsoft (or any other vendor) released on Patch Tuesday.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

Plants need to keep running, and plant executives prioritize uptime over patching something that "may cause an issue at some point." Patch windows may come about quarterly, but in some cases it can be a year or more before the plant engineering team is willing or able to patch systems — and in some instances, other priorities eclipse even these infrequent windows. We have an oil exploration customer with vessels that only come to port every three to five years for maintenance; this is when all but the most critical patching happens.

Notably, in some cases, SCADA (supervisory control and data acquisition, a control system architecture associated most commonly with critical infrastructure environments such as energy grids) and distributed control system components are shipped by vendors with outdated or end-of-life operating systems.

Another reality is that many ICS environments are outdated because of the long asset life cycles on which these plants operate — often 20 or more years between major overhauls. This is compounded by the long design/release life cycles for the ICS software that runs these plants. In many cases, these systems can't be fixed from a vulnerability perspective. We have customers that still run ICS software on Windows XP or NT — even a perfectly patched XP system is highly vulnerable since Microsoft ended support years ago. And don't forget "zero days," which are frequent for many industrial assets.

But this issue goes deeper. Most older (and even some newer) ICS environments have little or no inherent security. Security wasn't a design criterion when many of these plants were built 20 or 30 years ago. Many ICS systems have no user authentication and require no validation for code or commands downloaded to controllers that monitor and direct the operation of the physical systems — valves, actuators, pumps, robots, etc. These systems use insecure, unencrypted protocols and often operate over flat networks.

ICS vendors are making real progress, baking security into new systems, and engineering firms are beginning to prioritize cybersecurity in the design of new plants. But most plants today have what we call "M&M security" — soft on the inside and (sometimes) harder on the outside. The result? Attackers must still gain a foothold on the ICS network to inflict damage, but once they are there, they will often have nearly unfettered access to the systems that run the plant — whether patched or not.

With this in mind, a "magic wand" thought exercise is helpful. If we handed you a magic wand and you could wave it at your plant and have a perfect list of all the assets in your ICS network, and a complete list of all the known vulnerabilities, what would you do next? What steps would you take that would have the most definitive risk reduction impact on the environment?

There is definitely a need for vulnerability and patch management. Vulnerabilities, especially those as high-risk as the one that enabled the WannaCry ransomware to propagate so rapidly last month, clearly demonstrate that if patching is at all possible, then it's needed. But rather than attempting to patch everything that can be patched, we advocate a risk-adjusted approach in which you patch the most important pathways into the ICS network. Critical vulnerabilities on anything inside the enterprise network perimeter with connections back to IT networks are a high priority (for example, the VPN that provides contractors and employees remote access to the plant for maintenance purposes). Next, work on other less critical but still important vulnerabilities on the same pathways.

Instead of looping until done, we highly recommend spending time finding and fixing configuration vulnerabilities on your ICS network. In a perfect world, ICS owners/operators would implement all the recommendations of the IEC-62443 standard and cover the basics of cybersecurity hygiene. Unfortunately, the reality is that they cannot afford the downtime and all too often lack resources to do these basic steps. A practical approach is to look at overall risk posture improvements that any element can provide, and prioritize which measures and in what proportion can drive the biggest bang for the buck — considering both cost and resource constraints.

We simply don't have a decade to markedly improve the security for ICS networks. When implementing a cybersecurity program for ICS networks, you must consider opportunity costs across competing program elements. Overfocusing on an element such as vulnerability and patch management can prove to be costly in the short and longer run.

Related Content:

Galina Antova, Co-founder & Chief Business Development Officer, ClarotyGalina Antova is the co-founder and chief business development officer at Claroty. Prior to co-founding the company, she was the global head of industrial security services at Siemens, overseeing the ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/23/2017 | 7:21:58 AM
Why we not patch ICS
I read many articles often negatively mention that fact that ICS are not being patched. I want to say bravely: There are justifiable reasonsd for that, as correctly mentioned by Galina.

While IT people worry about CIA, ICS experts shall worry about SRP (Safety - Reliability-Productivity). None want to be blamed for a painful outage or damage just because they patched the OS.

ICS cyber experts know very well that every change to ICS hardware or software is a severe risk to SRP. So... what is the solution? where we want to be in 5 or 10 years? You shall plan building a brand new and modern control room, build it with modern hardware and software and fit the original application to the new system.

But ! be ready that it will not work. Plan for spending 4-6 months and test it before you can commision the new control room. 

The result is funny: The new control room will be as good as the old one and not better ! But it will have strong cyber defense solutions build in and will be ready for periodic cyber security upgrades.

Yes, it worth the investment, and also there is no alternative!
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.