Patching is useless most of the time, industrial control systems (ICS) security expert tells Senate committee.
Patching security vulnerabilities in industrial control systems (ICS) is useless in most cases and actively harmful in others, ICS security expert and former NSA analyst Robert M. Lee of Dragos told the US Senate in written testimony last Thursday. The “patch, patch, patch” mantra has become a blind tenet of faith in the IT security realm, but has little application to industrial control systems, where legacy equipment is often insecure by design.
The Senate committee hearing highlighted the gulf between information technology (IT) and operational technology (OT) security, and how few of the lessons learned in the IT security space carry over to industrial security. “Operational technology” is a newish term that has emerged to distinguish industrial networks and systems from traditional business-focused information technology.
“There are two different trains of thought,” Nick Santora, CEO at Curricula and a former critical infrastructure protection (CIP) cybersecurity specialist at NERC, the North American energy grid regulator, says. “In IT security, it’s business critical stuff. On the OT side, you’re dealing with mission critical stuff that can’t go down. You can’t take an outage on a whim, ‘Oh, a server went down.'”
Defending critical OT infrastructure, such as the energy grid, requires a different approach, Lee told the Senate. “Our mission is different because it takes on a physical aspect, and therefore focusing on just malware prevention or patching doesn’t actually address a human adversary,” Lee says. “Malware is not the threat. The human on the other side of the keyboard is the threat.”
Everything you thought you knew is wrong
The hard-won lessons of IT security do not apply in the OT space, and trying to manage OT security the “enterprise IT way” is actively harmful, Lee’s report shows. Sixty-four percent of all ICS-related patches issued in 2017 don’t fully address the risk because the components were designed to be insecure, Dragos concluded in a report submitted to the Senate.
Worse, major vendors have bungled security patches in recent months, the Dragos report says, resulting in outages that have cost companies money. Patching an industrial control system that makes widgets or pumps water is more complicated than rebooting an office desktop PC, and OT networks are a lot less tolerant of downtime.
Nor is patching or basic cyberhygiene sufficient to defend against the nation-state adversaries who daily probe and own critical infrastructure in the US and around the world. Keeping an OT monitoring workstation that may well be running Windows 10 patched and up-to-date will defend against most opportunistic malware, but it is hardly sufficient to prevent intrusion by advanced persistent threats (APTs).
“The industrial threat landscape is largely unknown,” Lee says. “The methods from private sector, as well as from government, to target and understand threats in core business networks don’t translate into industry.”