Patch Management in IT and OT Environments
The evolution of the cyber threat landscape highlights the emerging need for organizations to strengthen their ability to identify, analyze, and evaluate cyber risks before they evolve into security incidents. Although the terms “patch management” and “vulnerability management” are often used as if they were interchangeable, they are not. The confusion arises because applying patches is one of the many ways available in our arsenal to mitigate cyber risks.
What is Patch Management?
Patch management is a strategy for managing patches or upgrades for software applications and technologies and involves the acquisition, testing, and installation of multiple patches to an administered computer system in order to fix known vulnerabilities. Patch management significantly shapes the security of your business, network and data. As soon as a piece of software is released, hackers begin their attempts to find their way into that software through holes and vulnerabilities. There are times in which they are successful, hence the need for patches.
Patch Management is a Function of Vulnerability Management
The decision to roll out, roll back, or disregard a specific patch falls within the larger context of vulnerability management. Defined as a security practice specifically designed to proactively mitigate or prevent the exploitation of IT vulnerabilities, vulnerability management is not a stand-alone scan-and-patch function. It’s a holistic function that takes a proactive view of managing the daunting task of addressing identified vulnerabilities in deployed hardware devices and software. Simply put, vulnerability management is a superset of patch management, as evidenced by the following equation:
Vulnerability Management = Policy + Awareness + Prioritization + Patch Management + Testing + Tweaking + Mitigation
Vulnerability management is more than just getting alerts whenever your infrastructure needs a patch applied. It is about making informed decisions and properly prioritizing what vulnerabilities to mitigate, and how.
Thus, patch management cannot be planned and operated in isolation from vulnerability management because you need to make sure that the patch does more good than harm. In no situation is “just patch faster” the right advice! Most organizations should “patch smarter”, which means “prioritize what to patch.” Basically, it is a balancing act.
To Patch or Not To Patch?
Before deciding whether to install a patch or not, it is important to understand the associated benefits and risks of doing so. Is patching worth the effort?
The most obvious reason for patching is to fix security flaws in either the OS or the applications. However, this is not the only benefit you gain from patching promptly and correctly. A lot of vendors release patches to improve the applications’ stability. These types of improvements provide a strong case for rolling out patches in OT environments because the stability and uptime of critical devices are of the utmost importance. Lastly, patches can also assist in resolving specific bugs or flaws in certain applications.
However, alongside the benefits, there are also risks in patching that give reasons not to patch. This is closely related to how risk is perceived within the IT side of the business as opposed to the OT side. Within the IT side of the organization, the benefits outweigh the risks, as loss of data is considered a bigger concern than the downtime of a network. On the other hand, for the OT side, reliability is a key factor and system uptime is of great importance. A major risk could be taking down a critical network or component due to a malformed or corrupt patch. In addition, patching can be a very time-consuming and, in some cases, full-time job, if we consider that over 15 vulnerabilities are being discovered daily. How the two sides of an organization (IT/OT) view risk versus reward is vastly different.
The adage of “it isn’t if you get hacked but when” is helping to highlight the risk of doing nothing. The risk associated with “when we get hacked” should be looked at in greater detail and weighed up against the probability of an unexpected, uncontrolled system shutdown as opposed to doing a controlled, manual, segmented patching.
IT vs OT: Patching Challenges and Differences
To understand the differences in risk perceptions and prioritization between IT and OT, it would be useful to review how these two worlds perceive the CIA triad.
For the IT side, confidentiality has the highest priority. Losing something valuable such as customer or staff personal data could be catastrophic to any organization and could entail financial losses, reputational damage as well as regulatory penalties.
Integrity is the second-highest concern for IT environments. Branding and customer retention could be massively affected if an organization had to admit that they have been breached and any data or intellectual property has been stolen. An incident affecting integrity could result in financial losses, as well, and organizations could face problems such as fines or even loss of business-as-usual revenue from unhappy customers.
The last concern is availability. Organizations always strive to maintain system availability, especially on customer-facing systems. However, should a system go down, the mean time to repair (MTTR) is a lot shorter than within OT organizations. Rebuilding a system from a virtual backup is a lot simpler than having to get a physical device removed from production and replaced with a new one, which usually involves vendor specialists, increasing the cost and the downtime.
On the other hand, for OT organizations availability has the highest priority. This is completely understandable, as the cost associated with system downtime, even a short one, could run into millions of dollars or euros. Not to mention that such downtime may have a significant impact on society. Just imagine how many households will be impacted by an electric grid outage. Further, OT systems going out of production may hamper other organizations or industries, since the interconnections and interdependencies between products and services are very strong.
Integrity has the second-highest priority, as with IT, for the same reasons – branding, loss of revenue and fines. Last in the priority list is confidentiality, although it should not be seen as a minimal concern. Indeed, the loss of sensitive or secret data due to industrial espionage can have even more dire consequences for the organization than the loss of personal data.
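The IT and OT orderings of the CIA triad described above correspond to the CVSS v3.1 environmental metrics (Confidentiality, Integrity and Availability Requirement), which let the same vulnerability score differently per environment. The following is an added example, not part of the original post: the mapping of first/second/last priority to High/Medium/Low and the sample findings are assumptions constructed for illustration.

```python
import math

# CVSS v3.1 metric weights (FIRST specification).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}    # scope changed
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5}

# Assumption: the article's CIA ordering mapped onto CVSS security
# requirements (first priority = High, second = Medium, last = Low).
PROFILES = {"IT": {"CR": "H", "IR": "M", "AR": "L"},
            "OT": {"CR": "L", "IR": "M", "AR": "H"}}

# Constructed sample findings (name, CVSS v3.1 base vector).
SAMPLE = [
    ("remote denial of service", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    ("remote information leak", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    ("remote data tampering", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"),
]

def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, float-safe."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def environmental_score(vector, profile):
    """Environmental score of a base vector under the IT or OT profile."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    req = PROFILES[profile]
    miss = min(1 - (1 - REQ[req["CR"]] * CIA[m["C"]])
                 * (1 - REQ[req["IR"]] * CIA[m["I"]])
                 * (1 - REQ[req["AR"]] * CIA[m["A"]]), 0.915)
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["S"]][m["PR"]] * UI[m["UI"]]
    if m["S"] == "U":
        impact = 6.42 * miss
        total = impact + expl
    else:
        impact = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13
        total = 1.08 * (impact + expl)
    # Temporal metrics are left Not Defined, so their multiplier is 1.0.
    return 0.0 if impact <= 0 else roundup(min(total, 10))

def rank(findings, profile):
    """Order findings from most to least urgent for the given environment."""
    return sorted(findings, key=lambda f: environmental_score(f[1], profile), reverse=True)
```

All three sample findings have the same base score of 7.5, yet the availability-only finding ranks first in the OT profile and last in the IT profile.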
Merging the IT and OT Worlds
Despite all these differences, IT and OT do share a common ground, and that’s safety. But this is not the only similarity they share. IT and OT overlap in many security controls and processes such as asset discovery, vulnerability assessment, policy management, change detection, configuration assessment and log management.
In fact, the Department of Homeland Security (DHS) states that a good patch management program should include elements of the following plans: Configuration Management Plan, Patch Management Plan, Patch Testing, Backup/Archive Plan, Incident Response Plan, and Disaster Recovery Plan.
The solution for an effective patch management strategy is to have an organization’s security and operations teams work together. With organizations converging OT and IT and essentially having both entities reporting under one technical umbrella, it is easy to understand the benefits of using IT centralized tools to quickly identify potential malicious patterns of interest and alert the OT team. The OT team then would have to deal with a single event rather than having to cope with the proverbial noise, thus reducing the headcount and the associated costs.
Towards that end, security personnel need to make sure that they have the hands-on experience required to address security challenges for IT and OT. Knowledge of security operations and administration, risk identification, monitoring and analysis, and incident response and recovery can become a valuable asset to anyone wishing to boost their career as a security practitioner.
To learn more about the experience required to address security challenges, read our white paper, How You Can Become a Cybersecurity Hero.
How SSCP Certification Helps
There is no better way to showcase your technical skills and security knowledge than achieving the SSCP certification. Whether you are an experienced security professional or just starting out in the fascinating world of cybersecurity, the (ISC)²’s SSCP certification is ideal to enhance your ability to implement, monitor and administer security procedures and controls that ensure your organization’s confidentiality, integrity and availability.