There was only one catch and that was Catch-22, which specified that a concern for one’s own safety in the face of dangers that were real and immediate was the process of a rational mind. Orr was crazy and could be grounded. All he had to do was ask; and as soon as he did, he would no longer be crazy and would have to fly more missions. … If he flew them he was crazy and didn’t have to; but if he didn’t want to he was sane and had to.
Catch-22 by Joseph Heller
The Cyber Maintenance Catch-22: The cyber asset is so important it can never be taken down for patching or other cyber maintenance. It can never go down because it is so important. It can never be upgraded because it is so important. The cyber asset becomes increasingly fragile because it is not maintained or patched. The fear of touching it, rebooting it or restoring it increases. Every day it is more likely to go down and cause an unplanned outage because it can never go down and cause an outage.
Have you ever seen it on-site? This mysterious computer; it’s usually a computer running some old application. You want to scan it like other cyber assets, and it is a hard no. It’s too important. If it reboots we don’t know if it will come back up. It’s been around forever, and no one knows if it can be rebuilt. It hasn’t been updated for 5, 10 or more years. The vendor might even be out of business. They are nervous even if you are visually inspecting the configuration. And if it goes down, operations goes down.
In the next breath, this can never go down because it has to operate 24×7. Catch-22.
If you’re doing an assessment, this belongs in your highest-severity finding category. Not because the device is vulnerable, unpatched, or using default credentials, but because it is a fragile cyber asset that is getting more fragile every day.
While the term cyber hygiene has caught on, I prefer the term cyber maintenance. Operations understands maintenance. They have maintenance plans for physical equipment. Few have a run to fail maintenance philosophy. Why wouldn’t cyber parts of the system need maintenance? Would you skip maintenance on a pump for 10 years because it’s so critical?
Cyber maintenance might not, and likely should not, coincide with the popular definition of cyber hygiene. Most OT computers don’t need to be patched every month. It doesn’t make sense from a risk and resource standpoint. Is monthly patching wrong? No, but in almost all cases I’d rather apply those resources elsewhere.
You should have a cyber maintenance plan for all cyber assets. I recommend asset owners create two to three cyber maintenance categories with different cyber maintenance intervals. Define the categories and set the maintenance intervals based on exposure, security posture, process impact and safety impact. Put all cyber assets into one of these categories and then perform and audit the cyber maintenance.
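As an added illustration of the plan described above (this is example code, not something from the original post or from any asset owner), here is a small Python script that puts each cyber asset into one of three maintenance categories, computes when its next maintenance is due, and audits the inventory for overdue and fragile assets. The four factors (exposure, security posture, process impact, safety impact), the 1-to-3 scoring, the category thresholds, the 90/180/365-day intervals and the five-year fragility cutoff are all assumptions chosen for the example; the inventory is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed maintenance intervals per category (days). An asset owner would set
# these from their own exposure, posture, process-impact and safety-impact policy.
INTERVAL_DAYS = {"A": 90, "B": 180, "C": 365}

# Assumed threshold: not maintained for this long makes the asset a "fragile"
# finding on its own, regardless of category.
FRAGILE_AFTER = timedelta(days=5 * 365)


@dataclass
class Asset:
    name: str
    exposure: int         # 1-3: 3 = reachable from business or external networks
    posture: int          # 1-3: 3 = unsupported OS, default credentials, never patched
    process_impact: int   # 1-3: 3 = an outage stops production
    safety_impact: int    # 1-3: 3 = an outage affects a safety function
    last_maintenance: date


def risk_score(asset: Asset) -> int:
    """Sum of the four 1-3 factors, so 4 (lowest) to 12 (highest)."""
    return (asset.exposure + asset.posture
            + asset.process_impact + asset.safety_impact)


def category(asset: Asset) -> str:
    """Assumed mapping of score to category: A (>=10), B (7-9), C (<=6)."""
    score = risk_score(asset)
    if score >= 10:
        return "A"
    if score >= 7:
        return "B"
    return "C"


def next_due(asset: Asset) -> date:
    """Date the next maintenance window is due for this asset's category."""
    return asset.last_maintenance + timedelta(days=INTERVAL_DAYS[category(asset)])


def is_fragile(asset: Asset, today: date) -> bool:
    """True when the asset has gone untouched longer than FRAGILE_AFTER."""
    return today - asset.last_maintenance > FRAGILE_AFTER


def audit(assets: list[Asset], today: date) -> list[tuple[str, str, int, bool]]:
    """Return (name, category, days_overdue, fragile) for every overdue asset,
    most overdue first. Assets that are not yet due are omitted."""
    findings = []
    for asset in assets:
        overdue = (today - next_due(asset)).days
        if overdue > 0:
            findings.append((asset.name, category(asset), overdue,
                             is_fragile(asset, today)))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


# Constructed inventory: the "mysterious computer" from the post plus a few
# ordinary OT hosts. Dates are made up for the example.
INVENTORY = [
    Asset("legacy-app-host", 2, 3, 3, 2, date(2014, 1, 1)),
    Asset("eng-workstation", 3, 2, 2, 1, date(2024, 1, 15)),
    Asset("hmi-line1", 1, 2, 2, 2, date(2023, 9, 1)),
    Asset("spare-hmi", 1, 1, 2, 1, date(2024, 3, 1)),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed reference date so the run is reproducible
    for a in INVENTORY:
        print(f"{a.name:18} category {category(a)}  next due {next_due(a)}")
    for name, cat, days, fragile in audit(INVENTORY, today):
        flag = "  FRAGILE: no maintenance in 5+ years" if fragile else ""
        print(f"OVERDUE {name} ({cat}) by {days} days{flag}")
```

The audit is the part that closes the Catch-22 loop: the script does not decide whether the legacy host is "too important to touch"; it reports, on a fixed schedule, how far past its own maintenance interval the asset has drifted and whether it has crossed the fragility cutoff, which is the finding the assessment should carry.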