It is important to note the difference between ‘patching’ and ‘hardening,’ and the role each plays in protecting your computer systems.
Patching a computer system (whether it is a computer or an embedded controller like a PLC) addresses critical vulnerabilities (holes through which malware might get into a system or a hacker might gain access), for the most part by keeping the operating system, firmware, and applications up to date with vendor releases. Vendors fix vulnerabilities when they are made aware of them and release a patch. Sometimes a vendor rolls a patch up into a larger release for convenience.
Unfortunately, the more obscure the device, the less likely the vendor is to release patches or updates publicly. Fortunately, the very public companies that provide common computers, operating systems and applications do release their patches and updates publicly. You can download the patches and updates or, in many cases, turn on automatic download and update. This works great for computers running common off-the-shelf software. It does not work so well for computers running proprietary or custom applications. In those cases, you often need to download a patch and test it on a test machine to ensure that it will not break the critical system. Only after it is tested and validated will it be installed, and even then the system should be backed up beforehand, just in case.
Hardening includes additional steps beyond patching to limit the ways a hacker or malware could gain entry. Hardening is accomplished by enabling only the ports and services required, obfuscating system components such as SNMP, and taking additional steps to limit system access. This is usually done by a configuration script or a manual checklist.
Hardening is required in addition to patch management to protect a system. During our vulnerability assessments, we check that devices are patched and hardened correctly and that the team understands what they are doing and why.
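As an added illustration of the kind of check described above (example code, not a Kenexis tool), the script below compares a host's network-exposed listening services against an allowlist of required services and flags vendor-default SNMP community strings in an snmpd.conf. The allowlist, the `ss`-style socket listing and the snmpd.conf fragment are all constructed sample data.

```python
"""Hardening audit helper: compare network-exposed services with an allowlist and
flag default SNMP community strings. Added example, not a Kenexis tool; all data constructed."""
import re

# Constructed allowlist of services an ICS host is expected to expose: (proto, port) -> name.
REQUIRED_SERVICES = {("tcp", 22): "ssh", ("tcp", 502): "modbus", ("udp", 161): "snmp"}
WEAK_COMMUNITIES = {"public", "private"}  # vendor defaults that should never survive hardening

# Constructed sample in `ss -tulnH` layout: proto state recv-q send-q local peer.
SAMPLE_SS = """\
tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:502   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23    0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161   0.0.0.0:*
udp   UNCONN 0 0   127.0.0.1:323 0.0.0.0:*
"""
# Constructed snmpd.conf fragment that still carries the vendor default read-only community.
SAMPLE_SNMPD_CONF = """\
rocommunity public
rwcommunity s3cr3t-site-string 10.0.0.0/24
"""

def parse_listeners(ss_output):
    """Return {(proto, port)} from ss-style output, ignoring loopback-only sockets."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback only: not reachable from the network
        listeners.add((proto, int(port)))
    return listeners

def unexpected_listeners(ss_output, allowlist=REQUIRED_SERVICES):
    """Network-exposed services that are not on the required list: each one is a finding."""
    return sorted(parse_listeners(ss_output) - set(allowlist))

def weak_snmp_communities(conf_text):
    """(directive, community) pairs in snmpd.conf that use a well-known default string."""
    found = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*(ro|rw)community\s+(\S+)", line)
        if m and m.group(2) in WEAK_COMMUNITIES:
            found.append((m.group(1) + "community", m.group(2)))
    return found
```

On the sample data the telnet listener on tcp/23 is reported as unexpected and the `rocommunity public` line is flagged; the loopback-only socket on udp/323 is ignored because it is not reachable from the network.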
For more information about ICS cybersecurity services, contact Kenexis at [email protected]