Operational technology (OT) supports your company’s operations where it really matters, often doing its job right at the edge, far away from information technology (IT) systems—whether that’s on the factory floor, out in the remote wilderness, or in the intimacy of a patient’s hospital room.
This edge nature of OT can make it difficult to apply security patches. OT is physically hard to reach due to its location and embedded nature, but OT is also difficult to patch because, in many instances, OT simply can’t go offline. So, what do you do when you must patch your OT to face today’s growing cybersecurity threats, but find it difficult or impossible to get the patching job done?
Patching Your OT Can Be Tough
Patching OT isn’t straightforward due to two key points—availability and criticality. Patching these devices is often delayed because companies cannot afford to take OT devices offline: The hit on availability, and therefore profitability, is just not acceptable.
Besides, in some instances, OT devices perform such critical functions that devices simply can’t go offline to get patched. Other challenges come into play too: Sometimes vendors won’t bother to release patches even for known vulnerabilities, so there’s no patch to apply.
It can also come down to OT patching being such a difficult and convoluted process that IT teams simply don’t have time to do it. However, it doesn’t really matter what the reason is behind poor patching hygiene. If you don’t patch your OT, you’re facing significant danger since OT is just as at risk of exploitation as IT.
The Threat to OT is Growing
OT used to be physically separated from the outside world, with an air gap between IT and OT. Today, OT is increasingly linked to the outside world due to the internet, growing interconnectedness, and industrial internet of things (IIoT). This means that OT is now just as vulnerable as any other element of the technology environment. Companies have been warned time and time again about the threats lurking in OT.
Here are a few examples:
- In 2020, IBM’s X-Force Red team concluded that a vulnerability in a number of internet of things (IoT) connectivity chips left billions of devices operating in medical and commercial environments at risk of exploitation, as attackers that targeted the Cinterion EHS8 communications module in these devices remotely gained complete control over the device.
- Likewise, in 2021, researchers at Microsoft discovered that many IIoT devices had a critical memory allocation vulnerability that allowed for remote code execution, or crashing a device entirely. Worse, the problem was so systemic that it sometimes occurred in several instances in the same device—from the operating system (OS) to the software development kits (SDKs) and the libraries in use.
- Finally, in 2022, Vedere Labs discovered that IIoT devices from big brands such as Honeywell, Motorola, and Siemens contain vulnerabilities that, you guessed it, opened the door to remote code execution.
Consider Live Patching as a First Alternative
Vendors will usually release a patch when security vulnerabilities appear. However, as we can see, applying these patches is a different story, and the solution depends on where exactly the hurdle lies. If the inability to patch comes down to the need to maintain continuous availability, a live patching tool could be a very sensible solution. Currently available for Linux-based OT devices, live patching continuously patches vulnerabilities in the Linux kernel without ever restarting the device to apply the patch.
It means that, with live patching, you never need to take the device offline to apply the patch. For that reason, devices that use live patching do not suffer breaks in continuity because the device continues to operate uninterrupted both during and after the patching process. As an affordable set-it-and-forget-it solution, live patching would be, in many instances, a straightforward way to secure your OT.
Catalog and Prioritize
If live patching isn’t an option, there will inevitably remain some window for risk given the limited ability to patch or replace devices. When that is the case, you need to adopt a risk-based approach with the aim of minimizing the threat as far as possible.
As a first step, build an inventory of devices and networks. After all, you can’t mitigate risk for things you don’t know about. Your industrial OT might be hidden in places that you least expect, so consider using an automated tool to help you with the job.
Any individual device may consist of numerous components that all require regular patching. For example, in medical imaging equipment, you could find that you can live patch the Linux OS that operates the physical aspects of the device, while you need to schedule downtime for the Windows OS that runs the user interface (UI).
Once you’re done cataloging, arrange the devices into groups from the most security critical to the least critical. For example, a device that controls the valves on an oil pipeline would be highly critical, whereas the Power over Ethernet (PoE) lighting switch in the refinery’s canteen would be less critical. It’s best to focus your patching and defense efforts on the most critical devices.
Ringfence and Defend
We know that some devices simply won’t get patched, and it might simply be due to the vendor that hasn’t yet released a patch. Now, your best bet is to try to protect these devices from the outside world as best you can. The Purdue model still offers a valuable theoretical base, even though, to a degree, it no longer works that well within the interconnected cybersecurity world we live in today. There are, nonetheless, lessons to be learned in how the Purdue model segregates OT from IT.
One alternative model is Gartner’s IoT reference architecture with its edge, platform, and enterprise segments. You can also consider using the European Union Agency for Cybersecurity (ENISA)’s baseline security recommendations for IoT in your network design. Either way, it comes down to minimizing the exposure of IoT devices through network structuring and ringfencing.
Application whitelisting is another tool to consider. If a vulnerability is exploited to install a rogue app, application whitelisting will block communications because the rogue application is not on the whitelist. Given the relative simplicity of OT devices, application whitelisting would be a somewhat maintenance-free option.
Monitor, Log, and Respond
Your overall IT security posture should, of course, be as strong as possible, and that includes perimeter defenses that keep intruders away from networks and devices as much as possible. However, if you can’t patch, and you’re unable to keep an intruder out, your last option is to act fast when the worst happens. Rigorous perimeter monitoring alerts you when an unwelcome guest tries to find their way in. Similarly, thorough logging and log analysis is another way to identify when there is an intruder in your network, giving you the option to respond rapidly.
Finally, you need an extensive incident response plan. Your response plan must cover you both from an OT/IT perspective as well as in a real-world practical perspective. In other words, how do you secure your OT and replace OT functionality while, at the same time, plan for a period where you don’t control your OT and need to rely on physical, manual interventions?
OT is an Odd Patching Case–But You Can and Must Act
Let’s face it, your OT devices were built to last and do their job day-in and day-out. These devices were never intended to undergo continuous changes the way that IT does. Yet, that’s what the cybersecurity threat implies: Frequently changing device software with updates that counter new risks.
For supported devices, you should apply live patching for ongoing, consistent protection against threats. For others, you need to manage the security risks through prioritization, intelligent network design, and rigorous monitoring. Simply thinking that patching is hard and ignoring the risk is not an option, nor is holding outdated views about the air gap between OT and IT. Instead, secure your OT now, whichever way you can.