Industrial Control Systems and Vulnerability Management Process

The evolving cyber threat landscape requires organizations to strengthen their ability to identify, analyze, and evaluate cyber risks before they evolve into security incidents. Threat actors are exploiting the known unpatched vulnerabilities in order to intrude into Industrial Control Systems (ICS) environments and disrupt critical operations.

The terms patch management and vulnerability management are used as if they are interchangeable. Most are confused because applying patches is one of the many tools available in our arsenal for mitigating cyber risks.

Patching is a fundamental security practice, but applying it in OT (Operational Technology) settings differs substantially from IT systems. In the OT world, assessing the benefits and risks of applying a patch before doing so is essential.

The most apparent reason for patching is fixing security flaws or bugs. There are other benefits gained from patching timely and correctly. Many vendors release patches to improve the applications’ stability, which is a strong advantage in the ICS environment because the stability and uptime of critical devices are of the utmost importance.

Data compromise is considered a more significant concern than network downtime within the IT domain. On the other hand, systems availability, reliability, and uptime are of greater importance for the OT side. Hence, taking down a critical network or component due to a non-compatible or corrupt patch is a significant risk in ICS environments.

The next factor to consider is the associated cost of testing the released patches. Testing the patches in IT is pretty easy while considering OT. The logistics and the associated costs behind replicating OT production systems outweigh the respective sizes of IT systems.

Patch management can be automated in IT that will vastly reduce the resources required to test all those patches. Unfortunately, this is not the case with OT. Patches must be tested on each device, and most probably, OT teams would have to rely on the vendor specialist to deliver the updates themselves. This incurs a much higher cost-to-benefit ratio than on the IT side.

Another factor is end-of-life (EOL) product cycles. Some production systems have been around in OT environments for over twenty or more years. In most cases, they have never been upgraded or patched. Asking the OT people to take the risk of patching a system that has been working flawlessly for decades to make it harder to be breached is a hard thing to do.

CIA Triad

For the IT side, confidentiality has the highest priority. Integrity is the second highest concern for IT organizations. The last concern is availability.

For the OT side, availability  has the highest priority for OT organizations. Integrity has the second highest priority for the same reasons as in the IT domain. Confidentiality is last on the priority list, although it should not be considered a minimal concern.

Despite all these differences, IT and OT share a common ground: safety. With organizations converging OT and IT, it is easy to realize that they overlap in many more areas, such as asset discovery, vulnerability assessment, policy management, change detection, configuration assessment, and log management.

It all starts by acknowledging that patch management is a subset of vulnerability management. Vulnerability management is a holistic function that proactively manages identified vulnerabilities in deployed hardware devices and software.

Vulnerability management is more than getting alerts whenever your infrastructure needs a patch. It is about making informed decisions and adequately prioritizing what vulnerabilities to mitigate and how. This is achieved by embedding internal telemetry hooks into all critical systems and external hooks for threat intelligence from all sources.

ICS organizations should do the following as a minimum if they can not patch.

1. Asset analysis or discovery to know what you have in your environment to protect it.
2. Perimeter protection to fortify your organization against cyber-physical risks.
3. Network segmentation comes with many benefits when trying both to defend against lateral movements and to contain a security incident so as not to harm the entire organization.
4. Log management is a tool to look for suspicious movement within the organization and detect potential attacks.
5. Vulnerability assessment to determine potential weak points and identify the vulnerability risk posture of each asset.
6. File Integrity Monitoring (FIM) to monitor changes within the ICS organization.

Irrespective of products used, all security products should be tightly integrated for better defense and visibility.