Page 73 - Cyber Defense eMagazine - September 2017
Patching the Iron Tail is Easier Said than Done
Challenges with Patching Industrial Control Systems Leave Significant Risk
Everyone knows that you should patch your application servers as often as possible. You
should also brush your teeth, eat your broccoli and call your mother. But all good intentions
aside, we know that in practice, patching servers falls woefully behind in many organizations,
even ones with efficient and security-minded IT. There are good reasons why patching gets put
off: it is often difficult, time consuming, disruptive, or even impossible.
Given the substantial number of known and unknown vulnerabilities affecting users, applications
and critical infrastructure, conventional wisdom is that patching vulnerabilities should be at the
top of your security to-do list. But in reality, there is a disconnect between security strategy
and practical reality. According to Gartner, “the lofty goal of ‘patch everything, all the time,
everywhere’ is not only rarely fulfilled, it is causing friction between IT security and IT
operations.”
The Hidden Costs of “Doing the Right Thing”
The risks of falling behind on patching are highly publicized. For example, the recent WannaCry
attacks exploited a vulnerability in Windows SMBv1 (the one fixed by MS17-010) using the
EternalBlue exploit originally developed by the NSA. The vulnerability also affected Windows XP,
which Microsoft would have you believe has long since been retired and which no longer receives
routine patches; the outbreak was in fact serious enough that Microsoft issued an out-of-band
fix for XP. Yet this attack and others like it painfully exposed the fact that millions of Windows
XP systems are still running legacy, mission-critical applications.
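For hosts like the ones just described, the first practical question is where SMBv1 is still reachable. The script below is an added example, not part of the original article and not vendor or Microsoft tooling: it reports whether the SMBv1 server is enabled on the local Windows host and whether TCP 445 is listening. It assumes it runs from an elevated prompt, uses Get-SmbServerConfiguration where that cmdlet exists (Windows 8 / Server 2012 and later), and falls back to the LanmanServer SMB1 registry value that Microsoft documents for Vista/7/2008 on older hosts. The optional KbIds parameter is left for the reader to fill with the MS17-010 update number for their OS version, since those differ per version.

```powershell
# Added example (not from the article): report SMBv1 exposure on the local Windows host.
# Assumptions: run elevated; Get-SmbServerConfiguration exists on Windows 8 / Server 2012
# and later; older hosts are checked via the LanmanServer\Parameters\SMB1 registry value
# (a missing value means SMB1 has never been turned off; XP and 2003 speak only SMB1).
function Get-Smb1Exposure {
    param(
        # Optional: the MS17-010 KB number(s) for this OS version, supplied by the caller.
        [string[]]$KbIds = @()
    )

    $smb1Enabled = $null
    $method      = $null

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
        $method      = 'Get-SmbServerConfiguration'
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1Enabled = ($null -eq $val) -or ($val -ne 0)
        $method      = 'Registry LanmanServer\Parameters\SMB1'
    }

    # Is anything listening on TCP 445 at all? netstat is present on every Windows version.
    $listening445 = [bool](netstat -an | Select-String -Pattern ':445\s+.*LISTENING')

    # Which of the caller-supplied KBs are installed (empty list means nothing was checked).
    $installedKbs = @()
    if ($KbIds.Count -gt 0) {
        $installedKbs = @(Get-HotFix -ErrorAction SilentlyContinue |
            Where-Object { $KbIds -contains $_.HotFixID } |
            Select-Object -ExpandProperty HotFixID)
    }

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        OSVersion        = [System.Environment]::OSVersion.Version.ToString()
        Smb1Enabled      = $smb1Enabled
        DetectionMethod  = $method
        Port445Listening = $listening445
        KbsChecked       = $KbIds
        KbsInstalled     = $installedKbs
        # Conservative: SMB1 on, port open, and no supplied KB found counts as exposed.
        Exposed          = ($smb1Enabled -and $listening445 -and ($installedKbs.Count -eq 0))
    }
}

# Usage: Get-Smb1Exposure | Format-List
# With the MS17-010 KB for this OS supplied by the caller: Get-Smb1Exposure -KbIds 'KB<number>'
```

Where the answer is "exposed" and the host cannot be patched, the compensating controls are to turn SMBv1 off (Set-SmbServerConfiguration -EnableSMB1Protocol $false on Windows 8 / Server 2012 and later, or the SMB1 registry value set to 0 on Vista/7/2008) or to block TCP 445 at the network boundary. On ICS and healthcare networks both need testing first, because legacy devices and file shares that only speak SMB1 will stop working, which is exactly the kind of disruption this article is about.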
This caused lots of soap-box lecturing that unpatched servers were the culprit and that organizations
need to take security more seriously. But this kind of finger-pointing ignores the practical
decision making and security tradeoffs that many businesses face. While no organization wants
to be the victim of the next cyberattack, the abstract security fear can easily take a back seat to
the more immediate labor and disruption costs of “doing the right thing”. Faced with this, even
the most diligent teams find it easy to kick the can down the road and deal with more immediate
day-to-day priorities.
In fact, in many cases, patching is viewed more as a liability than as a best practice. In areas like
industrial control systems (ICS) and healthcare, the risk of unexpected results from patches,
unpredictable downtime, or even forced system reboots can be enormous and is avoided if at
all possible. In many industries where equipment is supposed to be “built to last” for 20+ years,
the use of out-of-date and un-patchable operating systems (such as Windows XP) is
widespread, and these legacy, embedded applications are difficult or impossible to upgrade.
Frankly, it is fair to question the premise that effective security should depend on constant
patching. Despite decades of investment in security and patch management tools, the overall
security situation seems to be getting worse, not better. Security based on best practices that
routinely get ignored seems at best impractical and at worst delusional.
Copyright © Cyber Defense Magazine, All rights reserved worldwide.