
The evolution of the cyber threat landscape highlights the need for organizations to strengthen their ability to identify, analyze, and evaluate cyber risks before they evolve into security incidents. Criminals often exploit known unpatched vulnerabilities to penetrate Industrial Control Systems (ICS) environments and disrupt critical operations. Although patch management seems like the obvious answer to this problem, it is easier said than done in ICS settings.
CIA Triad: IT vs. OT
Although patching is a fundamental security practice in both the IT and the OT (Operational Technology) worlds, applying it in OT settings differs substantially from IT systems. This difference is mostly rooted in how these two worlds view the CIA triad and prioritize risks.
IT domain: CIA
For the IT side, Confidentiality has the highest priority. Customer or staff personal data compromise could be catastrophic to any organization and entail financial losses and regulatory penalties for breaching privacy laws.
Integrity is the second highest concern for IT organizations. Branding and customer retention could be massively affected if an organization admits to being breached and any data or intellectual property has been altered without consent.
The last concern is Availability. Organizations always strive to maintain a high availability of customer-facing systems. However, should a system go down, the impact is reduced compared to OT organizations. Rebuilding a system from a virtual backup is much simpler than getting a physical device removed from the production line and replaced with a new one, which usually involves vendor specialists increasing the cost and the downtime.
OT domain: AIC
On the other hand, Availability is the highest priority for OT organizations. The cost and impact of even a short system downtime could be detrimental to the organization, local societies, and economies. OT systems going out of production may hamper other organizations or industries since the interconnections and interdependencies between products and services are very strong.
Integrity is the second highest priority for the same reasons as in the IT domain: branding, loss of revenue, and fines.
Confidentiality is last on the priority list, although it should not be considered a minimal concern because the compromise of intellectual property can have dire consequences.
Despite all these differences, IT and OT share a common ground: safety. But this is not the only similarity they share. With organizations converging OT and IT, it is easy to realize that they overlap in many more areas, such as asset discovery, vulnerability assessment, policy management, change detection, configuration assessment, and log management. Therefore, aligning cybersecurity efforts to reduce overhead and achieve cost and resource savings makes perfect sense.
Benefits and Risks of Patch Management
Based on the analysis above, assessing the benefits and risks of applying a patch in ICS systems is essential since it may affect their availability.
Benefits of patching
The most apparent reason for patching is fixing known security flaws or bugs. The IBM Security X-Force Threat Intelligence Index 2024 highlights that:
- 92% of businesses had at least one CVE with known exploits in their environment.
- Two thirds (67%) had at least one CVE rated as Critical, while 25% had five or more Critical CVEs in their environment.
Hence, patch management becomes vital for critical infrastructure businesses.
Besides security, timely and correct patching allows industrial organizations to improve system stability, a strong advantage since the reliability and uptime of critical devices are of the utmost importance.
Patching risks in ICS environments
Besides the benefits, patching in ICS environments presents certain risks, considering that systems availability, reliability, and uptime are of greater importance for the OT domain. Hence, disrupting the operation of a critical network or component due to a non-compatible or corrupt patch is a significant risk.
Another factor to consider is the cost of testing released patches. In OT environments, you have to buy hardware that replicates the real production systems, whereas in IT you can usually replicate production in virtual environments. The logistics and the associated costs of replicating OT production systems far exceed those of comparable IT systems.
Furthermore, IT can use automated patch management solutions that vastly reduce the resources required to test all those patches. Unfortunately, this is not the case with OT. Patches must be tested on each device, and OT teams will most probably have to rely on the vendor specialist to deliver the updates. This makes the cost-to-benefit ratio much worse than on the IT side.
The last thing to consider is vendor end-of-life (EOL) product cycles. Some production systems have been in OT environments for twenty or more years. In most cases, they have never been upgraded or patched. Asking OT staff to take the risk of patching a system that has worked flawlessly for decades, in order to make it harder to breach, is a hard sell.
Over the past few years, critical infrastructure entities and ICS environments have been among the top ten industries affected by data breaches. A look at the IBM Cost of a Data Breach report is enough to persuade OT organizations that the risks and costs associated with “when an attack happens” should be examined in greater detail. The likelihood of an unexpected, uncontrolled system shutdown should be weighed against the cost of controlled, manual, segmented patching.
What Can Be Done If We Can Not Patch?
Considering our analysis, the question remains. If we can’t patch, what else can be done?
If patches cannot be installed on the OT assets, then alternative (compensating) controls need to be applied to reduce the risk to an acceptable level. Since risk is the product of impact and likelihood, and the business impact, that is the criticality of the OT asset, cannot be changed, the likelihood is the factor that can be reduced. The following alternative controls do that.
- Asset analysis or discovery to know what you have in your environment to protect it. This process could raise one fundamental security question: do we need all these assets, or are we spending time trying to secure things that are not required?
- Perimeter protection to fortify your organization against cyber-physical risks. This could include anything from firewalls to access controls.
- Network segmentation to defend against lateral movement and contain a security incident so that it does not harm the entire organization.
- Log management to look for suspicious movement within the organization and detect potential attacks.
- Vulnerability assessment to determine potential weak points and identify the vulnerability risk posture of each asset. Once the vulnerability scan is complete, a score is attached to each vulnerability based on the skills required to exploit it and the privileges gained upon successful exploitation. The easier the vulnerability is to exploit, and the higher the privilege gained, the higher the risk score will be.
- File Integrity Monitoring (FIM) to monitor changes within the ICS organization. While the previous steps predominantly cover external threats, FIM looks inside the organization to correlate movement with changes and reduce the noise further before raising the alarm.
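The FIM control above boils down to three steps: record a trusted baseline of each monitored file, re-scan later, and report what was added, removed, or modified, while suppressing changes that a change ticket already explains so that the alarm is raised only on unexpected drift. The following script is an added example written for this page, not Tripwire's own code. It hashes files with SHA-256 rather than trusting size or timestamps, stores the baseline as JSON so it can be kept off the monitored host, and accepts an `approved` set of paths (a hypothetical stand-in for change-management data). The monitored files and the tampering in `demo()` are constructed inline.

```python
"""Minimal file-integrity monitor: baseline a directory tree, then diff it later.

Added example for this page (not Tripwire code). The monitored files, the
"approved change" set and the tampering in demo() are all constructed inline.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large firmware images fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record content hash, size and permission bits of every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            rel = path.relative_to(root).as_posix()  # OS-independent key
            baseline[rel] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; in practice keep this copy off the monitored host."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict, approved=frozenset()) -> dict:
    """Diff two baselines. Paths in `approved` (files covered by an open change
    ticket, an assumed input) are dropped so only unexplained drift is reported."""
    added = sorted(set(current) - set(baseline) - approved)
    removed = sorted(set(baseline) - set(current) - approved)
    modified = sorted(
        p for p in set(baseline) & set(current)
        if p not in approved
        and (baseline[p]["sha256"] != current[p]["sha256"]
             or baseline[p]["mode"] != current[p]["mode"])
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Baseline a constructed HMI/PLC config tree, tamper with it, and report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"
        (root / "config").mkdir(parents=True)
        (root / "config" / "plc_program.cfg").write_text("SETPOINT=72\n")
        (root / "config" / "hmi.ini").write_text("screen=main\n")
        (root / "firmware.bin").write_bytes(bytes(1024))

        baseline_file = Path(tmp) / "baseline.json"   # stored outside the tree
        save_baseline(build_baseline(root), baseline_file)

        # Simulated events between scans:
        (root / "config" / "plc_program.cfg").write_text("SETPOINT=95\n")  # same size, new content
        (root / "config" / "hmi.ini").write_text("screen=alarm\n")         # covered by a change ticket
        (root / "dropper.exe").write_bytes(b"MZ")                           # unexpected new file
        (root / "firmware.bin").unlink()                                    # unexpected deletion

        approved = frozenset({"config/hmi.ini"})
        return compare(load_baseline(baseline_file), build_baseline(root), approved)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the setpoint edit keeps the file size unchanged, so a scanner that compared only size or modification time could miss it; the content hash catches it. The approved change to `hmi.ini` is filtered out, which is the noise reduction the FIM bullet describes: the alert fires on the tampered PLC configuration, the dropped executable and the missing firmware image, not on planned maintenance.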
How Tripwire Helps
Fortra’s Tripwire portfolio includes solutions that can work together or be stand-alone, offering ICS businesses maximum flexibility and efficiency.
Tripwire’s File Integrity Manager identifies and alerts on all changes within an organization's network, providing detailed information to stop security incidents in their tracks.
Tripwire IP360 is a vulnerability solution that discovers assets on the network and scans them against a known vulnerability database of over 130 thousand unique tests. IP360 prioritizes the highest-scoring vulnerabilities to facilitate an effective patch management strategy.
Tripwire LogCenter is an intelligent historian that provides complete, secure, reliable log collection and highlights events of interest from a sea of data.
The above solutions integrate seamlessly with Fortra’s Vulnerability Management solution that assesses and prioritizes system weaknesses and creates easily understood reporting for efficient and effective remediation.
Still wondering how to best perform patch management in your environment? Contact us to schedule a demo and see our solutions in action.