Security patching can be a resource-intensive task if you try to apply security patches to all of your OT cyber assets on a frequent basis, such as monthly or quarterly. The risk reduction achieved through this large effort is typically minimal given the insecure-by-design problem. Dragos estimated that only 3% of security patches in 2023 fell into the Now category of its Now, Next, Never patch prioritization for OT.

The key is to identify the small number of cyber asset / patch pairs that need to be applied as soon as possible to greatly reduce risk.

This week you will separate your OT cyber assets into three categories. 

  1. Priority (Now) – Cyber assets that are exposed to communications originating outside of OT. You identified most of these cyber assets and communications in Weeks 24 and 26. This should be a small percentage, certainly less than 10%, and likely less than 3%, of your OT cyber assets. If this is not the case, you need to work on your OT electronic security perimeter. Cyber assets in this Priority (Now) category should be patched as soon as possible, and at least monthly. Don’t forget to include the network infrastructure, such as your OT firewall and your OT remote access server, if it is exposed to IT and other non-OT networks.
  2. Maintenance (Next) – These are OT cyber assets that communicate with cyber assets in the Priority category. They are one pivot away from the potential attacker. There should be a regular cadence for patching this group, typically when other maintenance activities are taking place. Again, this should not be a large number of cyber assets in a wisely designed OT environment. 
  3. Support (Never) – Everything else falls into the Support category. Security patches and other updates are not applied to this category to reduce cyber risk; they are applied so that your systems do not fall into an end-of-life or unsupported version state. Falling multiple versions behind may make future updates impossible. Security patches for this category should be considered with the periodic plant or system maintenance (perhaps annually). Cyber maintenance for the Support category should be added to scheduled major (multi-week) outage plans.

Create a document, spreadsheet or other record that puts each OT cyber asset into one of the three security patching categories. If you don’t have an asset inventory, you can place an asset type or asset profile into a security patching category instead, for example, Rockwell Automation PLCs or Moxa serial-to-Ethernet gateways.
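The three categories above are really a rule over your asset list and your observed communication flows: an OT asset that receives communications from outside OT is Now, an OT asset that talks to a Now asset is Next, and the rest is Never. The script below, an added example and not part of the original post, applies that rule and writes the record as CSV. The asset names, zone labels and flows are constructed sample data; the zone labels, the "either direction" reading of "communicates with", and the 10% Now-fraction check are assumptions made for the example.

```python
"""
Assign OT cyber assets to Now / Next / Never patching categories from an
asset inventory and a list of observed communication flows.

Added example, not from the original post. All assets, zones and flows
below are constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample inventory: asset -> zone (assumed labels). Anything
# not in zone "OT" is treated as outside the OT electronic security perimeter.
ASSETS = {
    "ot-firewall":     "OT",
    "ot-ras":          "OT",        # OT remote access server
    "historian":       "OT",
    "eng-workstation": "OT",
    "scada-server":    "OT",
    "plc-line1":       "OT",
    "plc-line2":       "OT",
    "moxa-gw-1":       "OT",        # serial-to-Ethernet gateway
    "it-jump":         "IT",
    "it-erp":          "IT",
    "vendor-vpn":      "EXTERNAL",
}

# Constructed sample flows (source, destination), as you might pull them
# from firewall logs or a passive OT network monitoring tool.
FLOWS = [
    ("it-jump", "ot-ras"),
    ("vendor-vpn", "ot-firewall"),
    ("it-erp", "historian"),
    ("ot-ras", "eng-workstation"),
    ("historian", "scada-server"),
    ("eng-workstation", "plc-line1"),
    ("scada-server", "plc-line1"),
    ("scada-server", "moxa-gw-1"),
    ("moxa-gw-1", "plc-line2"),
]


def categorize(assets, flows):
    """Return {asset: category} for every OT asset.

    Now   - receives a flow whose source is outside OT.
    Next  - communicates (either direction, assumed) with a Now asset.
    Never - every other OT asset, including ones with no observed flows.
    """
    ot = {name for name, zone in assets.items() if zone == "OT"}
    neighbours = defaultdict(set)
    now = set()
    for src, dst in flows:
        if dst in ot and src not in ot:
            now.add(dst)                      # exposed to non-OT traffic
        if src in ot and dst in ot:
            neighbours[src].add(dst)          # intra-OT adjacency
            neighbours[dst].add(src)
    nxt = set()
    for asset in now:
        nxt |= neighbours[asset]
    nxt -= now                                # Now takes precedence over Next
    result = {}
    for asset in sorted(ot):
        if asset in now:
            result[asset] = "Now"
        elif asset in nxt:
            result[asset] = "Next"
        else:
            result[asset] = "Never"
    return result


def perimeter_check(categories, max_now_fraction=0.10):
    """Return (ok, now_count, total). A Now share above the threshold is the
    post's signal that the OT electronic security perimeter needs work."""
    total = len(categories)
    now_count = sum(1 for c in categories.values() if c == "Now")
    return now_count / total <= max_now_fraction, now_count, total


def to_csv(categories):
    """Render the category record as CSV text (asset, category)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["asset", "patch_category"])
    for asset, category in categories.items():
        writer.writerow([asset, category])
    return buf.getvalue()


if __name__ == "__main__":
    cats = categorize(ASSETS, FLOWS)
    print(to_csv(cats))
    ok, n_now, total = perimeter_check(cats)
    if not ok:
        print(f"WARNING: {n_now}/{total} OT assets are exposed to non-OT traffic; "
              "review the OT electronic security perimeter.")
```

On the constructed data the firewall, remote access server and historian come out as Now, the engineering workstation and SCADA server as Next, and both PLCs and the Moxa gateway as Never; the small sample trips the perimeter check, which is the expected result when three of eight assets accept traffic from outside OT. With a real inventory, swapping the dictionaries for rows read from your asset inventory and flow export is the only change needed.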