Cybersecurity Month: Software Updates in OT

As part of Cybersecurity Awareness Month, we’re spotlighting CISA’s crucial tip to 'update software'—a key defense against security threats… but with some important considerations for approaching this in OT.

They outline three steps:

1. Watch for notifications
2. Install updates as soon as possible
3. Turn on automatic updates.
   

CISA emphasizes the importance of keeping software up to date to ensure the latest security patches and updates. While these are generally accepted security principles, as an OT security partner, we do have to add a caveat here: While vulnerability management is indeed vital to the security and continuity of industrial operations, in OT it is imperative to test and validate updates and patches before deploying them in operational environments. A bad update has the potential to cause disruptions and impact the safety and reliability of critical operations.

Automatic updates may be helpful in IT and on your personal devices, but in OT, it’s essential to understand what is involved with any updates made in the operational environment. We’ve seen major outages resulting from bad software updates even on the IT side cause global disruptions - we do not want to see that type of disruption on physical industrial processes.

It is part of OT security best practices to identify all the software running across all your OT devices and cyber assets, to understand the software versions in use (out of date or not), and to identify where vulnerabilities exist. This should be part of your daily OT asset management and cyber hardening practices.

When you find outdated software and vulnerabilities, take these considerations into account:

1. You’ve found the vulnerability, which is a great start. Now consider it in context. What device is it on? Where is it located? What role does it play in your operations? Do you classify that specific asset as critical?
2. With that context in mind, what options do you have for mitigating the vulnerability, including, but not limited to, patching?
3. Are you able to test and validate the patch and its effect on performance?
4. What does threat intelligence say? How is this vulnerability being exploited in the wild?
5. How does this vulnerability affect your compliance?

The dynamic vulnerability landscape does impact cyber and operational resilience risk. Vulnerability management is crucial for hardening OT but needs to consider uptime and safety requirements in this context. The key is having the right data and information when assessing vulnerabilities so you can understand the highest risk.

By understanding the role and importance of each asset, organizations can prioritize patches for systems that are critical to maintaining operational continuity and safety.

Industrial Defender can help you not only discover vulnerabilities in your OT environment but also enable a risk-based approach to addressing them, speeding up your time to address the most critical ones. For more information, check out our Risk-Based Vulnerability Management Solution below.