18/09/2019

Patch management in OT-Systems

Missing security updates continue to provide a broad attack surface for successful cyber attacks. Companies keep reporting security incidents that involved software vulnerabilities for which patches already had been released at the time of the attack. At a first glance, the solution to this problem may seem trivial all you have to do is installing the security updates that are already available anyway on the affected systems. In practice, however, there are some open questions that need to be clarified and stumbling blocks that need to be overcome before a system can be patched with an existing security update. In the industrial environment, the topic is so extensive that the IEC-62443 series has its own technical report on the subject: IEC TR 62443-2-3 “Patch Management in the IACS Environment”.

The term “Patch Management” refers to all activities related to the identification, evaluation and deployment of these security updates in a company. From the development of standards and key figures, to testing and validating updates, to planning update times and the actual deployment of updates, patch management is a more comprehensive and complicated subject than one would expect at first glance. The following questions have to be answered in this context:

– What is the maximum time between the release of a security update and its deployment to our production systems?
– According to which criteria are systems and security updates prioritized?
– Do the updates provided even affect any software that we use?
– Do the delivered updates cause malfunctions on our test systems?
– When are suitable maintenance windows? Does the update have to be deployed manually or is automation possible?

And don’t forget to have a roll-back strategy to restore the system state as it was before patching, as the patch might interfere with operations even despite prior testing efforts.

Successful patch management starts with the selection of or cooperation with your suppliers

Start discussing your supplier’s approach to security updates in your negotiations and contracts. How often and in what way are updates provided? Are at least security relevant product updates included in the maintenance contract or are additional costs incurred? What is the planned lifetime of the purchase and are its components supplied with security updates for that amount of time?

And even with the availability of updates clarified, one is often confronted with challenges in deployment. While the golden rule “Patch Early, Patch Often” can be assumed in classic IT systems, the situation for industrial systems is much more complicated because it is seldom possible to “quickly” restart a system to install a security update. Very often it is simply not an option to roll out security updates promptly (or at all). Especially in industry, good basic “security hygiene” is therefore all the more important:

  1. Systems that cannot be provided with security updates regularly and at short intervals should not be accessible from the entire corporate network or even the Internet. Robust network segmentation [#see article] is the method of choice for preventing your systems from being exposed to attacks from the Internet or the Office LAN in the first place.
  2. Access to industrial components should always take place via so-called “jump hosts” in their own “demilitarized zones” (DMZ). Consequently, these jump hosts can be closely scrutinized in your patch management strategy. Very often, these systems are also classic IT systems that can be supplied with security updates much more easily. The same applies to network components such as routers, switches and firewalls.
  3. For both network segmentation and successful patch management, the following applies: You can only protect what you know. It is therefore important for successful and complete patch management to have a correct and complete inventory of the existing IT and OT systems with the firmware and software versions installed there. [#see article]

Limes Security recommends

When you tackle the patch management challenge, make sure you have your asset management and network segmentation in place to achieve effective security gains from patch management. Hardening systems, especially uninstalling or disabling unneeded services, lowers the need for patching, increases security, and reduces the risk of network downtime.

Limes Security supports you in your efforts to keep systems up to date: from assessing your components to creating the patch management process. Contact us today without obligation for an initial discussion.