Connectivity and convergence have changed the game for operational technology (OT) cybersecurity. In a relative instant, air gaps began disappearing, and risk and exposure grew exponentially for once-isolated assets.
On the latest episode of the Nexus Podcast, Rockwell Automation Senior Network & Solution Consultant Ahmik Hindman joins to discuss patching and vulnerability management of OT. Hindman is a 28-year veteran of Rockwell Automation and has been on the front lines with customers as the paradigm around patching critical systems has rapidly changed.
“[Convergence] is definitely happening. We see the digitization of the manufacturing, edge deployments all over the place, SaaS implementations,” Hindman said. “That combination is exacerbating… the problem that we have with unsecured assets in the OT space. Especially if someone starts to connect those and they’re not monitoring that network, they don’t have an i-DMZ segmentation, or clear policies and procedures restricting that data flow, then they’re opening themselves up to ransomware. Typically that’s what we see in terms of attacks on control systems is ransomware.”
The same scheduled, dependable patch cycles that are familiar and relevant to IT systems don’t exist around OT software and firmware vulnerability management. OT patching remains largely ad hoc, Hindman said, especially in environments where there are limited downtime windows.
“It’s a little challenging when it comes to industrial control system devices and patching; I might have a vulnerability on an Ethernet module or a processor, that’s a little harder to patch than a Windows environment,” Hindman explained, adding that interoperability is a major consideration as well when patching OT. And then there’s firmware.
“When it comes to the firmware side, that’s when it becomes a little more challenging,” he said. “You need to develop a plan, a process, and a decision tree as far as when we’re going to address this. How are you going to address out-of-band issues if there’s a (critical) patch I cannot wait for my scheduled process to patch that?
“I would say it’s really ad hoc depending on the facility. That’s when I talk about leveraging a standard like [IEC-62443],” Hindman said.
Overall vulnerability management suffers from the same ad hoc approach within most OT shops, where it remains to a large degree a manual process of hunting through systems for known vulnerabilities published by threat intelligence sources such as CISA. Hindman advocates for automating wherever possible.
“Leverage a tool to do that initial inventory, to do that initial vulnerability classification,” Hindman said. “Those that aren’t doing that today, it’s a very ad-hoc approach. I’ve seen a plant manager say ‘Here’s a new automation vulnerability’ that gets sent to an engineering manager who gets tasked with finding the vulnerability. That’s unfortunately what I still see happening. There’s no way people are keeping on top of that.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.