My last article made the case that there is only trivial risk reduction in applying security patches to Insecure By Design applications and devices. Now consider the actual risk reduction achieved by patching computers in Insecure By Design Zones.

An Insecure By Design Zone is a flat network where the end goals of an attacker is achievable using designed in features and functions, rather than exploiting a vulnerability, if the attacker has logical/network access to the zone. The picture in this post is a good analogy.

The thief is in the room with unrestricted access to his end goal of gold, bearer bonds or the PLC’s that monitor or control the process in the safe. The boxes on the left are the servers and workstations that may have a large number of unpatched Microsoft, ICS and third-party application vulnerabilities. Yes it would be tougher to read the documents in those boxes if they were protected in strong locked cabinets, but why would an attacker bother to waste time and effort looking at the documents?

The case isn’t quite as crystal clear with an ICS. There have been famous cases where HMI and Engineering Work Stations have been used to change the availability and integrity of PLC’s and other controllers. And it may be easier for an attacker to understand the system by looking at displays rather than PLC logic. However an attack team with automation and engineering skills will not be deterred if the computers are fully patched and let’s even say unexploitable.

If the attacker has unfettered network access to the Insecure By Design devices the end attack will run on then your risk reduction in patching the computers is minimal.

At some point you will want to develop a security patching program for all of your computers and devices that can be secured. For most asset owners they jump to applying Microsoft security patches too early because of their IT experience. From an efficient risk reduction standpoint it is usually well down on the list of tasks, or security controls.

The simplest example I give is asset owners that think they are achieving significant risk reduction by upgrading their display panels from XP to a supported OS when the end target PLC is literally connected in the next switch port and fully accessible.

Next: Impact Analysis