The Importance of Routine System Updates

The Importance of Routine System Updates

Raise your hand if you’ve ever felt a pang of guilt when your doctor reminded you to eat healthier and exercise more at your annual check-up. My hand is up. Of course, no one wants to lead an unhealthy lifestyle, but alas, life gets in the way and the ever-growing list of things to do keeps getting longer. So you tell yourself you’ll start tomorrow – and tomorrow goes on for months.

Don’t you feel that same strike of guilt when you receive an email alert to update your systems software or firmware? You know you should perform the update, but there are new initiatives to implement, processes to be optimized, and sometimes very costly downtime to consider, so you make a mental note to address it later. Besides, it took plenty of time and effort just to get everything up and running, tuned and optimized, so why mess with a good thing?

However, just as it’s not good practice to ignore our health, prolonging or ignoring a software update could expose ICS/OT and IT networks to attack and possible breaches. These system updates provide critical fixes to newly identified security vulnerabilities and exploits (unfortunately, these continue to be found by hackers) and other minor and major software bugs, as well as new features and functionality.

So important are they that the U.S. Department of Homeland Security included guidance on them in their white paper, Seven Steps to Effectively Defend Industrial Control Systems. Under proper configuration/patch management, the paper states: “Adversaries target unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help keep control systems more secure.” Especially as standard (and more vulnerable) IT solutions such as Microsoft Windows are utilized on more and more ICS workstations and servers, it is even more important to make routine system updates an integral part of everyone’s cybersecurity best practices.

Despite all this, when balancing the need to protect from possible threats with the daily pressure to maintain peak operational efficiency and integrity of production processes, it is still easy to default to addressing the here and now. However, the longer the system goes without updates, the greater the number of potential threat vectors, the amount of eventual work to update to the latest software revision, and the potential for older systems to age out of support availability (when patches for older systems are no longer produced).

Sometimes there may be reasons why regular updates are just not feasible (see the recent article What If You Can’t Patch? for ways to address these situations), but for everyone else, here are some basic cybersecurity and software update best practices to follow:

  • Stay informed of the latest threats and vulnerabilities. Awareness is the first step to taking action.
  • Verify that the software updates are from your trusted solutions provider.
  • Update and patch critical system vulnerabilities at a minimum. The downtime will be more than offset by the disruption and cost to your operations if the system is corrupted.
  • Keep your systems up to date before they become obsolete and no longer supported.

With the start of the new year, it’s the perfect time to start making a habit of routinely updating your system software! The health and security of your systems and your IT department will thank you one day. Now excuse me while I go purchase a gym membership.

Dave Britton Vice President, Assured Collaboration Systems

Building the Future of Cross Domain Security

In early January, Owl Cyber Defense announced the acquisition of the Assured Collaboration Systems (ACS) product line from Trident Systems Incorporated. This acquisition brings together t...
January 12, 2021

It’s Not Personal, It’s a Cyber Attack

Security breaches happen so often, it can be difficult to find something new to say about them. That’s why we don’t go out of our way to comment on every incident that makes it into t...
December 16, 2020
Ken Walker Chief Technology Officer

Amnesia:33 and Ripple20 Highlight the Difference Between Hardware-Enforced CDS and Firewalls

For years, the NSA has been telling us that firewalls are worthless as defense against targeted nation-state attacks. Now we finally have some examples of why this is true. On December...
December 11, 2020