Raise your hand if you’ve ever felt a pang of guilt when your doctor reminded you to eat healthier and exercise more at your annual check-up. My hand is up. Of course, no one wants to lead an unhealthy lifestyle, but alas, life gets in the way and the ever-growing list of things to do keeps getting longer. So you tell yourself you’ll start tomorrow – and tomorrow goes on for months.
Don’t you feel that same strike of guilt when you receive an email alert to update your systems software or firmware? You know you should perform the update, but there are new initiatives to implement, processes to be optimized, and sometimes very costly downtime to consider, so you make a mental note to address it later. Besides, it took plenty of time and effort just to get everything up and running, tuned and optimized, so why mess with a good thing?
However, just as it’s not good practice to ignore our health, prolonging or ignoring a software update could expose ICS/OT and IT networks to attack and possible breaches. These system updates provide critical fixes to newly identified security vulnerabilities and exploits (unfortunately, these continue to be found by hackers) and other minor and major software bugs, as well as new features and functionality.
So important are they that the U.S. Department of Homeland Security included guidance on them in their white paper, Seven Steps to Effectively Defend Industrial Control Systems. Under proper configuration/patch management, the paper states: “Adversaries target unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help keep control systems more secure.” Especially as standard (and more vulnerable) IT solutions such as Microsoft Windows are utilized on more and more ICS workstations and servers, it is even more important to make routine system updates an integral part of everyone’s cybersecurity best practices.
Despite all this, when balancing the need to protect from possible threats with the daily pressure to maintain peak operational efficiency and integrity of production processes, it is still easy to default to addressing the here and now. However, the longer the system goes without updates, the greater the number of potential threat vectors, the amount of eventual work to update to the latest software revision, and the potential for older systems to age out of support availability (when patches for older systems are no longer produced).
Sometimes there may be reasons why regular updates are just not feasible (see the recent article What If You Can’t Patch? for ways to address these situations), but for everyone else, here are some basic cybersecurity and software update best practices to follow:
- Stay informed of the latest threats and vulnerabilities. Awareness is the first step to taking action.
- Verify that the software updates are from your trusted solutions provider.
- Update and patch critical system vulnerabilities at a minimum. The downtime will be more than offset by the disruption and cost to your operations if the system is corrupted.
- Keep your systems up to date before they become obsolete and no longer supported.
With the start of the new year, it’s the perfect time to start making a habit of routinely updating your system software! The health and security of your systems and your IT department will thank you one day. Now excuse me while I go purchase a gym membership.