If you have read my previous blogs on patching for control system security, you might think I am completely against patching. Guess what? I’m not against them!
Actually, I think applying patches is a critical part of good security. According to US-CERT, about 95% of all network intrusions could have been avoided by keeping systems up to date with appropriate patches. If you never patch, you are leaving your system open to a decade of malware.
What I am against is patching as a knee-jerk reaction to security vulnerabilities. You can’t expect your control system to operate reliably if you don’t have a controlled process for patching.
In the words of Richard Brown, at Dow Chemical:
“Patch management is about managing the risk of change”.
Patches are changes to your system. Changes to your system need to be managed. One cannot blindly deploy new patches into the process control environment without risking disruption of operations. Thus careful policy and practice is required to balance the need for system reliability with the need for system security.
A successful patching strategy balances system reliability with system security. Image credit: A Perfect World
In my last blog, I discussed the reasons why critical industrial infrastructure control systems are so vulnerable to attacks from security researchers and hackers, and explained why patching for such systems is not a workable solution.
But let’s now examine the good, the bad and the ugly details of patching as a means to secure SCADA and ICS systems. And to begin, let’s suppose patches could be installed without shutting down the process (for example, through the staged patching of redundant controllers)…
As regular readers of this blog know, after Stuxnet, security researchers and hackers on the prowl for new targets to exploit shifted their efforts to critical industrial infrastructure.
Unfortunately, the Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) applications they are now focusing on are sitting ducks.
Up until recently SCADA and ICS systems have been designed with reliability and safety in mind; security has been a minor consideration. Products that have never faced security tests are now under attack from sophisticated vulnerability discovery tools, and major control system security flaws are being continuously exposed.