InfoSec Insider

How to Secure Critical Infrastructure When Patching Isn’t Possible

Mission-critical systems can’t just be switched off to apply security updates — so patching can take weeks if not years.

Cyberattacks are on the rise and threatening our digital life and our most intimate information — but also our operational realities. Attacks on critical infrastructure such as power plants, water works, airports and the like (transportation ranks among the highest-value targets for cyberattackers seeking maximal impact) are no longer theoretical — but when it comes to securing these complex systems, there are unique challenges, such as an inability to patch.

In recent decades, critical infrastructure systems have grown ever more connected. Legacy components, which were not designed for the online arena, are now networked en masse. What’s worse, security teams trained to focus on physical safety are prone to downplay (or outright miss) growing digital-age risks. Sure, connecting all of a grid’s transformers might improve efficiency and maintenance, but if officials can connect remotely to monitor the device, can’t a hacker compromise that very device in much the same way?

Securing such critical infrastructure systems introduces a frustrating paradox: On the one hand, defending safety-critical systems is key because any maliciously motivated malfunction invites potential disaster. Yet our need for these crucial systems to be “always-on” complicates standard cyber-procedures.

Case in point: Software patching.

Patching is pretty straightforward: When you find a weak spot, install some code designed to fix it. But for critical infrastructure, there’s a catch. Restarting your computer for a Windows update while you’re working is annoying, but manageable. For power grids, water systems and railway networks, it’s another story. Even when a system-wide shut-down is imperative, operators seek to schedule a deluge of fixes during that window. Needless to say, such coordinated shut-downs can’t be improvised in response to emerging threats.

This is a serious problem, because some of the most dangerous cyber-threats take advantage of known vulnerabilities. Take the globally devastating WannaCry cyberattacks in 2017. WannaCry exploited a known vulnerability in Windows, for which Microsoft had released a patch two months prior. Nevertheless, dozens of the world’s largest companies, like FedEx, Maersk, Telefonica and many more, fell victim to the attack.

While the press focused largely on the major, brand-name business targets that were hit, critical infrastructure was also a victim. Both the UK’s National Health Service and Germany’s Deutsche Bahn rail system fell prey to the attacks. The chance discovery of a “kill-switch” within the virus reduced the attacks’ impact, but the episode revealed just how vulnerable critical infrastructure systems were around the world.

Further complicating the patching issue is the fact that critical infrastructure systems are interconnected by design, making it difficult to isolate the effects of a service disruption or system update. Before installation, controllers must be sure a patch won’t lead to a cascade of negative reactions throughout the system, which is why critical system patches require extensive certification. But these certifications can take months or even years, during which time such systems remain exposed. Even after a patch is certified, complications continue. Oftentimes only the most skilled experts can actually carry out the installation, further extending security lapses.

Take the case of the Slammer worm, which attacked various infrastructure systems in January 2003. Six months prior to the attack, a patch had been released. Some victims, like an Ohio nuclear power plant, hadn’t installed the patch yet and suffered the consequences. An oil company with production platforms in the Gulf of Mexico had already begun rolling out the patch in the summer of 2002. However, issues with server restarts required certain expert staff members to be present during the patching, and as a result, most of the platforms were not yet patched when the Slammer worm attacked.

Despite the challenges of patching vulnerabilities in our critical infrastructure, securing these safety-critical systems is not something we can afford to ignore. Prompt and timely patching is urgent when patches are available. However, there must be additional contingency measures in place to compensate for inevitable lapses and gaps between applying fixes, such as the time it takes for patches and solutions to undergo Safety Integrity Level (SIL) certification processes.

To meet this challenge, stakeholders will need to bring a combination of human and technological resources to bear. These should include enhanced cybersecurity awareness training for all team members, increased lobbying of regulators to fast-track time-consuming SIL certifications and real-time threat-hunting tools that can help operators stay one step ahead of cyberattackers.

Most importantly, critical infrastructure systems must integrate technological solutions into their patch management systems that can provide continuous threat monitoring and detection. This is vital to identifying weak spots that bad actors may seek to exploit. It is also crucial to alert operators that a system has been compromised, but alerts aren’t enough – operators must also be provided the know-how, tools and procedures necessary to react quickly in order to implement remedies before any real damage is done. When combined with a well-trained staff, passive monitoring systems can provide this intelligence and help mitigate cyber-threats.
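The passive monitoring the article calls for can be illustrated with a small detector that never touches the unpatched devices themselves. The following is an added example, not code from the article or from Cylus: it reads flow records of the kind a span port or network TAP would export (source, destination, destination port, timestamp), compares them against a baseline of known-good conversations on an OT segment, and raises an alert when one host starts opening connections to many previously unseen peers on the same service port within a short window. That fan-out pattern is what a self-propagating worm produces; WannaCry, for instance, spread over SMB (TCP 445). All addresses, the baseline set, the window and the threshold are constructed assumptions for the example.

```python
"""Passive worm-like fan-out detection over constructed OT flow records.

Added example (not the article's or Cylus's code). The flows, baseline,
window and threshold below are constructed for illustration; a real
deployment would load the baseline from a learned or engineered allow-list
and feed flows from a passive sensor.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds since start of capture
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination TCP port


# Constructed baseline: conversations expected on this segment.
BASELINE = {
    ("10.20.1.10", "10.20.1.50", 502),   # HMI -> PLC, Modbus/TCP
    ("10.20.1.10", "10.20.1.51", 502),   # HMI -> second PLC
    ("10.20.1.20", "10.20.1.10", 445),   # engineering workstation -> HMI file share
}

# Constructed capture: normal traffic, one benign-looking new PLC, then a
# workstation reaching eight new hosts on port 445 within a few seconds.
SAMPLE_FLOWS = [
    Flow(0, "10.20.1.10", "10.20.1.50", 502),
    Flow(1, "10.20.1.10", "10.20.1.51", 502),
    Flow(2, "10.20.1.20", "10.20.1.10", 445),
    Flow(5, "10.20.1.10", "10.20.1.52", 502),   # new, but a single peer: no fan-out
] + [Flow(10 + i, "10.20.1.20", f"10.20.1.{30 + i}", 445) for i in range(8)]


def unknown_flows(flows, baseline):
    """Flows whose (src, dst, dport) triple is not in the allow-list."""
    return [f for f in flows if (f.src, f.dst, f.dport) not in baseline]


def detect_fanout(flows, baseline, window=60, threshold=5):
    """Return [(src, dport, peer_count)] for sources that contact at least
    `threshold` distinct *new* destinations on one port within `window` s.

    Only flows outside the baseline count, so routine HMI->PLC polling on
    a shared port never triggers the rule.
    """
    by_key = defaultdict(list)
    for f in sorted(unknown_flows(flows, baseline), key=lambda f: f.ts):
        by_key[(f.src, f.dport)].append(f)

    alerts = []
    for (src, dport), fl in by_key.items():
        # Sliding window over time-ordered flows; track the largest set of
        # distinct destinations seen inside any window.
        start, best = 0, 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:
                start += 1
            peers = {x.dst for x in fl[start:end + 1]}
            best = max(best, len(peers))
        if best >= threshold:
            alerts.append((src, dport, best))
    return alerts


if __name__ == "__main__":
    for src, dport, n in detect_fanout(SAMPLE_FLOWS, BASELINE):
        print(f"ALERT: {src} reached {n} new hosts on tcp/{dport} within 60s")
    for f in unknown_flows(SAMPLE_FLOWS, BASELINE):
        print(f"new conversation: {f.src} -> {f.dst}:{f.dport} at t={f.ts}")
```

The single new PLC conversation is listed as a new conversation for an operator to review but does not raise the fan-out alert; the workstation sweeping eight new hosts on port 445 does. Because the sensor only observes traffic, the rule can run while a patch is still waiting on certification, and the threshold and window are the knobs an operator would tune per segment.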

This may not be standard cyber-procedure, but for critical infrastructure facing a mounting wave of threats, it’s becoming an essential one. The challenges in the sector when it comes to patching aren’t going away — so a more layered approach is necessary as the volume and complexity of attacks against utilities and other targets ramp up and threaten real physical damage.

Amir Levintal is CEO and Co-Founder of Cylus.


Discussion

  • Michael Smith on

    This is an interesting article. It may be naive of me to think this, but rather than make the next effort a patching effort, why not make the next effort to replace the system that essentially has a single point of failure with a system that has high-availability and redundancy features that allow the "A" side to be down to apply patches and perform maintenance, while the "B" side takes the workload? And possibly have a "C" side for added redundancy so no system is ever under singular control. To me the types of mission critical systems that are designed like this are flawed at the design stage. Sure, a system with multiple redundancies is more expensive, but when it comes to infrastructure - especially those that profit from use - there should be some responsibility and accountability to design the thing right in the first place.
  • tony roth on

    @Michael Smith Totally agree with you on this; we don't incur outages during patches, that's so year 2000. It's true that some applications don't support the FT/HA requirements, but the point is to not purchase those applications in this day and age.
  • Amir Levintal on

    Michael and Tony - in most cases, it is not practical to replace existing systems in a safety-critical environment. Let's take, for example, the rail systems. The life cycle of trains is about 30 years, and we can assume that over this period, new vulnerabilities will be found. In these cases, the manufacturers release patches. However, it is not easy for the operators to install them immediately; it disrupts the service (time to patch, test, verify safety and security). So usually they do it once in a while, if at all. On the other hand, if they won't fix the patches, threat actors might leverage these vulnerabilities. This is the paradox that the article analyzes.
  • John Mano on

    Yes, it is true that redundancy would have solved this problem in most cases. Well-designed systems must be capable of downtime for maintenance of their critical parts. Patching is only one reason for that. If critical component downtime can't be tolerated, there is a big functionality problem, and patching is the last concern. Obviously, in practice, many of the existing systems are old and are probably not designed as you would expect. And I think that is Amir's point.
