What do you do when you can't patch?
By The CyberWire Staff
Oct 30, 2017

Applying software patches to critical infrastructure industrial control systems is easier said than done. Patching information technology is comparatively straightforward (albeit sometimes more difficult than one might assume, as unforeseen interactions and poorly understood dependencies can make applying software updates problematic). Operational technology presents a different and more intractable set of patching challenges altogether.

Scott Coleman, Director of Product Management at Owl Cyber Defense Solutions, offered SecurityWeek's ICS Cyber Security Conference a consideration of what you can do for industrial control systems that you can't, or don't want to, patch. "Within critical infrastructure, there are often systems that cannot be patched because they are outdated, inaccessible, have no free memory, or more commonly because they work as is, and no one wants to risk an update." He focused in particular on the application of data diodes (one of Owl's offerings) to ICS security.

Basics of critical infrastructure protection, as recommended by the US Department of Homeland Security

Coleman began by reviewing a set of three basic recommendations from the US Department of Homeland Security. DHS advises critical infrastructure operators to (1) reduce or eliminate connections into or out of the network, (2) convert two-way connections to deterministic one-way connections, and (3) restrict any remaining two-way command-and-control connections. But outside of the nuclear power industry, he noted, there will inevitably be two-way command-and-control connections.

Coleman recommended approaching the problem in the following way. Conduct an internal audit, mapping your networks to find all external connections and determining who has access to what. Then eliminate potential threat vectors: consolidate redundant access points, remove unneeded or unauthorized connections, and establish least-privilege access controls. (He cited as a good example the low-to-high-end filtering the US Department of Defense uses to structure data transfer between systems operating with material of different classification levels.) This amounts, of course, to defense in depth, for which, "pooh-pooh it as you will," there is still no real substitute.
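The audit step above (map every connection, then decide which to remove, consolidate, convert or restrict) is mechanical enough to script once the inventory exists. The following is an added example, not code from the article or from Owl Cyber Defense: it takes a constructed connection register and sorts each link into the action the DHS guidance implies. The zone names, the `Link` fields and the policy that only `ot`-originated one-way links count as clean are this example's own assumptions.

```python
"""Sort an ICS connection inventory into the actions the DHS guidance implies:
remove unneeded or unauthorized links, consolidate redundant ones, convert
two-way telemetry to one-way outbound, restrict any remaining two-way C2.

Added example; inventory rows are constructed and field names are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str        # human-readable label from the audit
    src_zone: str    # hypothetical zones: "ot", "dmz", "it", "vendor"
    dst_zone: str
    direction: str   # "one-way" or "two-way"
    purpose: str     # "telemetry", "control", "updates" or "unknown"
    authorized: bool # listed in the approved connection register


OT_ZONES = {"ot"}

# Constructed sample inventory (not real site data)
INVENTORY = [
    Link("historian-export",   "ot",     "dmz", "one-way", "telemetry", True),
    Link("vendor-vpn",         "vendor", "ot",  "two-way", "control",   True),
    Link("plc-telemetry-poll", "it",     "ot",  "two-way", "telemetry", True),
    Link("legacy-modem",       "vendor", "ot",  "two-way", "unknown",   False),
    Link("hmi-to-plc",         "ot",     "ot",  "two-way", "control",   True),
    Link("scada-remote-ops",   "it",     "ot",  "two-way", "control",   True),
    Link("historian-export-2", "ot",     "dmz", "one-way", "telemetry", True),
    Link("patch-server-push",  "dmz",    "ot",  "one-way", "updates",   True),
]


def crosses_boundary(link: Link) -> bool:
    """True when exactly one end of the link is inside the OT zone."""
    return (link.src_zone in OT_ZONES) != (link.dst_zone in OT_ZONES)


def classify(link: Link) -> str:
    """Return 'action: reason' for one link, following the DHS ordering."""
    if not link.authorized:
        return "remove: not in the approved connection register"
    if not crosses_boundary(link):
        return "internal: outside the scope of the perimeter audit"
    if link.direction == "one-way":
        if link.src_zone in OT_ZONES:
            return "ok: outbound one-way (push, don't pull)"
        return "review: inbound one-way; vet every transferred file"
    # Two-way link across the OT boundary
    if link.purpose == "telemetry":
        return "convert: telemetry can be pushed one-way outbound"
    if link.purpose == "control":
        return "restrict: remaining two-way command-and-control path"
    return "remove: two-way link with no documented purpose"


def redundant_groups(links):
    """Authorized boundary links with identical zones, direction and purpose
    are candidates for consolidation into a single access point."""
    buckets = defaultdict(list)
    for link in links:
        if link.authorized and crosses_boundary(link):
            key = (link.src_zone, link.dst_zone, link.direction, link.purpose)
            buckets[key].append(link.name)
    return [sorted(names) for names in buckets.values() if len(names) > 1]


def audit(links):
    """Group link names by action word; 'consolidate' holds redundant groups."""
    report = defaultdict(list)
    for link in links:
        action = classify(link).split(":", 1)[0]
        report[action].append(link.name)
    for group in redundant_groups(links):
        report["consolidate"].append(group)
    return dict(report)


if __name__ == "__main__":
    for action, names in sorted(audit(INVENTORY).items()):
        print(f"{action:12s} {names}")
```

The ordering in `classify` matters: an unauthorized link is removed before anything else is considered, and only after one-way conversion has been ruled out does a two-way link fall into the "restrict" bucket that the guidance says will inevitably exist outside the nuclear sector.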

Hardware-based security: data diodes

And, finally, he recommended implementing hardware-based security. Convert as many two-way connections as possible to one-way, outbound-only connections. "Push data; don't pull it."

At this point Coleman turned to a description of data diodes, which he argued have considerable applicability in ICS security. The hardware, he said, physically enforces a network segmentation "air gap" between source and destination. "Proxies enable one-way in a two-way world." One major advantage of hardware-based security of this kind is that it doesn't require software updates.
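The phrase "proxies enable one-way in a two-way world" hides the design consequence that matters most to an operator: with no return path, the receiving side can never ask for a retransmit, so loss and corruption have to be detected from the stream itself and covered by redundancy rather than acknowledgement. The following is an added example, not code from the article or from any vendor's diode product: it models the send-side and receive-side proxies as plain Python objects joined by a list of frames. The frame layout (magic, sequence number, length, CRC32), the repeat count and the constructed telemetry records are this example's assumptions.

```python
"""Model of the proxy pair either side of a one-way link: the source proxy
frames records and pushes them; the destination proxy reassembles them with
no back-channel, detecting gaps and corruption on its own.

Added example; frame format and repeat count are assumptions, not a product's protocol.
"""
import struct
import zlib

MAGIC = b"1W"
HEADER = struct.Struct(">2sIHI")  # magic, seq, payload length, CRC32(payload)
REPEAT = 2                        # each frame sent twice: redundancy replaces retransmission

# Constructed sample telemetry records from the OT side
RECORDS = [b"temp=71.2", b"pressure=3.1", b"flow=12", b"valve=open"]


def frame(seq: int, payload: bytes) -> bytes:
    """Wrap one record in a self-checking frame."""
    return HEADER.pack(MAGIC, seq, len(payload), zlib.crc32(payload)) + payload


def send_proxy(records):
    """Source side: emit the one-way frame stream, repeating each frame."""
    out = []
    for seq, rec in enumerate(records):
        out.extend([frame(seq, rec)] * REPEAT)
    return out


class ReceiveProxy:
    """Destination side: validate frames, drop repeats, record gaps."""

    def __init__(self):
        self.next_seq = 0
        self.records = []
        self.lost = []        # sequence numbers that never arrived intact
        self.corrupted = 0
        self.duplicates = 0

    def feed(self, data: bytes) -> None:
        if len(data) < HEADER.size:
            self.corrupted += 1
            return
        magic, seq, length, crc = HEADER.unpack_from(data)
        payload = data[HEADER.size:]
        if magic != MAGIC or len(payload) != length or zlib.crc32(payload) != crc:
            self.corrupted += 1     # cannot ask for a resend; rely on the repeat copy
            return
        if seq < self.next_seq:
            self.duplicates += 1    # the redundant copy of a frame already accepted
            return
        if seq > self.next_seq:
            # A gap: both copies were lost. Log it; nothing upstream will be told.
            self.lost.extend(range(self.next_seq, seq))
        self.records.append(payload)
        self.next_seq = seq + 1


def run_channel(frames, drop=(), corrupt=()):
    """Push frames through a simulated lossy one-way medium into a receiver."""
    rx = ReceiveProxy()
    for i, f in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:-1] + bytes([f[-1] ^ 0xFF])  # flip the last payload byte
        rx.feed(f)
    return rx


if __name__ == "__main__":
    stream = send_proxy(RECORDS)
    # Frame 2 (first copy of seq 1) corrupted; frames 4 and 5 (both copies of seq 2) lost
    rx = run_channel(stream, drop={4, 5}, corrupt={2})
    print("delivered:", rx.records)
    print("lost seqs:", rx.lost, "corrupted:", rx.corrupted, "dups:", rx.duplicates)
```

Two points worth noticing in the model. First, corruption of one copy costs nothing because the second copy is accepted; that is the only recovery a one-way link offers, so the repeat count is a deliberate trade of bandwidth for reliability. Second, a gap is only detected when a later frame arrives, so loss at the tail of the stream is invisible until the sender emits something else; in practice the send proxy issues periodic heartbeat frames for exactly that reason.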

Additional precautions for an environment where patching is difficult

After installing hardware-based security, operators should take the following additional precautions. Thoroughly vet incoming files and portable media. Limit and monitor two-way connections, isolate and lock down any unused ports, and limit command-and-control paths. Coleman closed with a reminder of the human dimension of ICS security. "But remember, no amount of technology can overcome human error or insider threats. So train your staff and reduce the chances of human error."