The Misguided Notion of Bypassing Patching in OT Systems

Patching Operational Technology (OT) systems is undeniably a challenging task. In response to this, some in the OT security industry will advocate for alternative security strategies. For example, an OT security vendor may advise using alerting technologies in conjunction with a strong OT security incident response team as an alternative to patching. Essentially, a recommendation not to patch because it is hard, and instead invest your budget into detecting and responding faster.

However, this conclusion — patching is hard, so why bother — is flawed for a couple of reasons, and it glosses over a very big factor that significantly complicates any response or remediation. In addition, it overlooks a crucial aspect of OT security resilience: the strategic use of compensating controls.

Patching Is Hard But Necessary in OT Security

Ignoring Patching is Not an Option

The primary flaw in this advice is the notion that patching can be ignored. This is a dangerous misconception. Patching may be challenging, but it remains an essential line of defense. When immediate patching isn’t feasible, alternative plans need to be in place. Neglecting patching altogether can lead to severe consequences in the event of a cyber incident, reminiscent of the outdated ‘M&M defense’ strategy – tough on the outside but vulnerable inside.

The Challenge in Finding Skilled OT Security Staff

Another critical oversight is the assumption that skilled OT security personnel, crucial for either incident response or patching, are readily available. This is far from the truth. In many cases, even when patches are ready, there’s a lack of qualified experts to implement them. This gap in resources raises questions about the viability of assembling an adequate incident response team, especially when proactive patch management is already struggling.

The Complexities of OT Networks

Lastly, the complexities inherent in OT networks add another layer of difficulty to patch management. The sheer number and intricacy of assets and network architecture present a significant challenge. Identifying which assets are affected by a specific patch or vulnerability is often a daunting task for organizations. Yet, any effective incident response strategy demands this level of understanding and detailed asset profiling. Ironically, even those advocating against patching cannot escape the need for a comprehensive, contextual asset inventory, which is, in fact, a fundamental component of a sound OT cybersecurity strategy.

3 Elements of a Mature ICS Patch Management Program

Patching OT systems is indeed a challenge, but it’s not insurmountable. We need to acknowledge the difficulty but also recognize that it’s crucial to make the effort. In a well-structured OT patch management program, success hinges on three key elements:

  • Real-time, Contextual Inventory
  • Automation of Remediation
  • Effective Use of Compensating Controls

Understanding and implementing these components can transform the complex task of patching into a more feasible and successful process. Let’s delve into each of these components and see how they contribute to a robust patch management strategy.

Real-time Contextual Inventory: The Foundation of Effective Patch Management

In OT, standard scan-based patching tools like WSUS/SCCM are common but often fall short of providing deep insights into the assets. What’s truly beneficial is an in-depth asset profile that includes operational context. This means going beyond basic details like IP addresses, models, and operating systems. The real value lies in understanding each asset’s criticality, location, and ownership. This comprehensive view is crucial for correctly assessing and managing emerging risks, as not all OT assets are equally vulnerable or critical.

As we build these detailed asset profiles, it’s vital to gather extensive information about each asset. This includes data on installed software, user accounts, network ports, services, registry settings, least privilege controls, antivirus status, whitelisting, and backup status. Such detailed information greatly enhances our capacity to accurately prioritize and strategize our response to new risks.
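The contextual inventory described above is easiest to see as data. The following is an added example, not code from the article or from any vendor's product; asset names, sites, owners, the `VULN-EXAMPLE-RDP` identifier and the scoring weights are all invented. It shows why the operational fields matter: an advisory is scoped against the inventory by operating system and by whether the vulnerable service is actually exposed, and the in-scope assets are then ranked by criticality and by which compensating controls are missing, which is the information a team needs before touching a single machine.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Asset:
    """One entry in a contextual OT asset profile (fields follow the article's list)."""
    name: str
    ip: str
    os: str
    role: str
    site: str
    criticality: int                 # 1 = low impact .. 5 = production/safety critical
    owner: str
    services: Set[str] = field(default_factory=set)    # services actually running
    open_ports: Set[int] = field(default_factory=set)  # ports listening on the network
    av_updated: bool = False
    whitelisting: bool = False
    last_backup_days: Optional[int] = None             # None = no known backup


@dataclass
class Vulnerability:
    """Minimal description of what an advisory affects (hypothetical identifier)."""
    vuln_id: str
    affected_os: Set[str]
    service: str
    port: int


# Constructed sample inventory; names, addresses, sites and owners are invented.
INVENTORY: List[Asset] = [
    Asset("hmi-01", "10.1.1.10", "Windows 7", "HMI", "plant-A", 5, "ops-team",
          services={"RDP", "SMB"}, open_ports={3389, 445},
          av_updated=True, whitelisting=False, last_backup_days=2),
    Asset("hist-01", "10.1.1.20", "Windows Server 2008 R2", "historian", "plant-A", 4,
          "it-team", services={"RDP", "SQL"}, open_ports={3389, 1433},
          av_updated=False, whitelisting=True, last_backup_days=None),
    Asset("ews-01", "10.1.2.30", "Windows 7", "engineering workstation", "plant-B", 3,
          "eng-team", services={"SMB"}, open_ports={445},
          av_updated=True, whitelisting=True, last_backup_days=1),
    Asset("ews-02", "10.1.2.31", "Windows 10", "engineering workstation", "plant-B", 3,
          "eng-team", services={"RDP"}, open_ports={3389},
          av_updated=True, whitelisting=True, last_backup_days=1),
]

# Hypothetical RDP advisory shaped like the BlueKeep case the article discusses.
RDP_VULN = Vulnerability("VULN-EXAMPLE-RDP",
                         {"Windows 7", "Windows Server 2008 R2"}, "RDP", 3389)


def in_scope(asset: Asset, vuln: Vulnerability) -> bool:
    """In scope only if the OS is affected AND the vulnerable service is exposed."""
    return asset.os in vuln.affected_os and (
        vuln.service in asset.services or vuln.port in asset.open_ports)


def exposure_score(asset: Asset, vuln: Vulnerability) -> int:
    """Rank by criticality first, then by exposure and by missing compensating controls."""
    score = asset.criticality * 10
    if vuln.port in asset.open_ports:
        score += 5          # vulnerable service reachable over the network
    if not asset.av_updated:
        score += 2
    if not asset.whitelisting:
        score += 2
    if asset.last_backup_days is None or asset.last_backup_days > 7:
        score += 3          # recovery after an incident would be slow or impossible
    return score


def prioritize(inventory: List[Asset], vuln: Vulnerability) -> List[Asset]:
    """Scope the advisory against the inventory and order the work by exposure."""
    scoped = [a for a in inventory if in_scope(a, vuln)]
    return sorted(scoped, key=lambda a: exposure_score(a, vuln), reverse=True)


def work_queue_by_site(ranked: List[Asset]) -> Dict[str, List[str]]:
    """Group the ranked list by site so each plant gets its own ordered queue."""
    queue: Dict[str, List[str]] = {}
    for a in ranked:
        queue.setdefault(a.site, []).append(a.name)
    return queue


if __name__ == "__main__":
    for a in prioritize(INVENTORY, RDP_VULN):
        print(f"{a.name:8} site={a.site} crit={a.criticality} "
              f"owner={a.owner} score={exposure_score(a, RDP_VULN)}")
```

Note that `ews-01` runs an affected operating system but is not in scope because remote desktop is neither running nor listening, and `ews-02` is excluded by its operating system. A flat WSUS-style view would have put both on the same list as the HMI.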


Automating Remediation: Streamlining the Patching Process

The task of deploying patches or compensating controls is often labor-intensive, involving the identification of target systems, configuring patch deployment, and troubleshooting failures. However, imagine a scenario where, in the face of a threat like BlueKeep, files are pre-loaded onto targeted systems in preparation. A nimble OT security team could then strategically plan the order of patch updates, guided by the detailed asset profiles. This planning could consider factors such as the asset’s location or criticality.

Envision further a patch management system that bypasses the initial scanning phase, having already identified the assets needing patches. This system could facilitate remote or in-person installations, verifying their success and updating the global dashboard in real time.

Compensating Controls: The Alternative When Patching Isn’t Feasible

For high-risk assets that cannot be patched immediately, the creation of ad-hoc compensating controls becomes a pivotal strategy. For example, in light of a critical vulnerability, disabling remote desktop services or guest accounts can drastically reduce immediate risks, buying time for patch preparation.

This approach exemplifies the essence of compensating controls: they are not merely stop-gap measures but integral components of a well-rounded patch management strategy, especially when direct patching isn’t an option.

Compensating Controls: A Vital Layer in OT Cybersecurity

Defining and Implementing Compensating Controls in OT Security

Compensating controls are essentially a diverse set of strategies we deploy, particularly when direct solutions like patching aren’t immediately viable. Think of them as a multi-layered defense system.

On the simpler side, we have actions such as application whitelisting and ensuring antivirus software is always updated. Moving towards more complex measures, there’s endpoint management — keeping a vigilant eye on each network-connected device for security vulnerabilities, and system hardening — which involves reinforcing the defenses of individual systems against potential threats. These compensating controls are crucial; they give us the flexibility and strength to bolster our OT security against various types of cyber risks.

Understanding Compensating Controls in OT Security

Compensating controls aren’t merely fallback options; they are proactive measures to strengthen defenses and address vulnerabilities where traditional patching may fall short. Let’s break down their scope.

Examples of Compensating Controls in OT Security

  • Endpoint Management: This involves meticulously monitoring and managing endpoint devices. The aim is to keep these devices updated and protected against known vulnerabilities, ensuring they have only the access they require. This step is critical in preventing endpoint devices from becoming the weakest link in your security.
  • System Hardening: Here, we focus on making each system more resilient to attacks. This is achieved by removing unnecessary software, disabling services that aren’t in use, and applying strict access control measures. It’s about reinforcing each layer of your system’s defense.
  • Network Segmentation: By dividing the network into distinct segments, we can isolate critical systems from potential breaches in less secure areas. This approach limits the damage a breach can cause and safeguards key parts of the network.
  • User Account and Access Control: Regularly checking and adjusting user access rights and employing multi-factor authentication greatly reduces the risk of unauthorized access, thus tightening security.
  • Regular Backups and Data Encryption: Consistently backing up data and encrypting it protects against data loss or theft, especially in cases like ransomware attacks. It’s an essential part of a comprehensive security strategy.

Proactive and Situational Use of Compensating Controls

Understanding compensating controls is one thing, but applying them effectively is another. These controls need to be deployed both before a threat arises (proactively) and in response to specific situations (reactively). For instance, routine system checks might reveal dormant admin accounts or outdated software, which are vulnerabilities that can be mitigated through compensating controls.
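The routine checks mentioned above can be scripted against the data an asset profile already holds. This is an added example, not code from the article or from any vendor; the account records, software list, approved baseline versions and the 90-day idle threshold are constructed. It flags enabled administrator accounts that have not logged on recently, enabled guest accounts, and software below the site's approved version, and turns each finding into a compensating-control action from the article's own list.

```python
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed user account records, as an endpoint agent or audit script might export them.
ACCOUNTS: List[Dict] = [
    {"user": "operator1", "groups": ["Users"], "enabled": True, "last_logon": date(2024, 1, 10)},
    {"user": "vendor_svc", "groups": ["Administrators"], "enabled": True, "last_logon": date(2023, 6, 2)},
    {"user": "Guest", "groups": ["Guests"], "enabled": True, "last_logon": None},
    {"user": "eng_admin", "groups": ["Administrators"], "enabled": True, "last_logon": date(2024, 1, 14)},
    {"user": "old_admin", "groups": ["Administrators"], "enabled": False, "last_logon": date(2022, 3, 1)},
]

# Constructed installed-software records and the minimum versions approved for the site.
SOFTWARE: List[Dict[str, str]] = [
    {"name": "HMI Runtime", "version": "7.2.1"},
    {"name": "OPC Server", "version": "3.9.0"},
    {"name": "Antivirus Engine", "version": "12.4.0"},
]
BASELINE: Dict[str, str] = {"HMI Runtime": "7.4.0", "OPC Server": "3.9.0", "Antivirus Engine": "12.4.2"}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically so that 7.10 sorts above 7.9."""
    return tuple(int(part) for part in version.split("."))


def dormant_admins(accounts: List[Dict], today: date, max_idle_days: int = 90) -> List[str]:
    """Enabled members of Administrators with no logon inside the idle window."""
    cutoff = today - timedelta(days=max_idle_days)
    found = []
    for acct in accounts:
        if not acct["enabled"] or "Administrators" not in acct["groups"]:
            continue
        if acct["last_logon"] is None or acct["last_logon"] < cutoff:
            found.append(acct["user"])
    return found


def enabled_guest_accounts(accounts: List[Dict]) -> List[str]:
    return [a["user"] for a in accounts if a["enabled"] and "Guests" in a["groups"]]


def outdated_software(software: List[Dict[str, str]], baseline: Dict[str, str]) -> List[Dict[str, str]]:
    """Installed packages whose version is below the approved baseline."""
    findings = []
    for pkg in software:
        required = baseline.get(pkg["name"])
        if required and version_tuple(pkg["version"]) < version_tuple(required):
            findings.append({"name": pkg["name"], "installed": pkg["version"], "required": required})
    return findings


def recommended_controls(accounts: List[Dict], software: List[Dict[str, str]],
                         baseline: Dict[str, str], today: date) -> List[str]:
    """Translate findings into the compensating-control actions the article names."""
    actions = []
    for user in dormant_admins(accounts, today):
        actions.append(f"disable dormant admin account {user}")
    for user in enabled_guest_accounts(accounts):
        actions.append(f"disable guest account {user}")
    for pkg in outdated_software(software, baseline):
        actions.append(f"update {pkg['name']} {pkg['installed']} -> {pkg['required']}")
    return actions


if __name__ == "__main__":
    for action in recommended_controls(ACCOUNTS, SOFTWARE, BASELINE, date(2024, 1, 15)):
        print(action)
```

The disabled `old_admin` account is deliberately skipped: it is already neutralised, and reporting it again would bury the live finding (`vendor_svc`) in noise.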

Real-World Example: The BlueKeep Vulnerability Response

Imagine a scenario where a cybersecurity risk similar to the BlueKeep vulnerability emerges. For those unfamiliar, BlueKeep was a significant security vulnerability discovered in Microsoft’s Remote Desktop Protocol, posing a serious risk to unpatched systems by potentially allowing unauthorized access.

Now, let’s walk through how a prepared OT security team could handle such a situation effectively, illustrating the strategic use of compensating controls and proactive patch management:

Proactive Preparation for Emergent Risks

  • Pre-Loading Patch Files: Suppose a new risk akin to BlueKeep is identified. Your first step could be to pre-load the necessary patch files onto all target systems. This pre-loading doesn’t mean immediate action, but it does prepare you for swift deployment.
  • Strategic Patch Deployment: Imagine your OT security team, agile and informed, assessing which industrial systems to update first. This decision is based on a range of factors from your robust asset profiles, like the location of the assets or their criticality.
  • Advanced Patch Management Technology: Now, envision a scenario where your patch management technology is so advanced that it doesn’t require a preliminary scan. Instead, it has already identified which assets are in the scope of the new patch. As you deploy these patches, whether remotely for low-risk assets or in person for high-risk ones, the technology verifies each patch’s success and updates your global dashboard in real time.

Implementing Compensating Controls for High-Risk Assets

But what about those high-risk assets you can’t patch immediately? This is where compensating controls come into play.

  • Ad-Hoc Measures for Immediate Risk Reduction: For a vulnerability like BlueKeep, you might disable remote desktop services or guest accounts on these high-risk assets. This simple yet effective action significantly reduces the immediate risk, buying time for a more comprehensive patching strategy.
  • Fallback Actions When Patching Isn’t an Option: These compensating controls act as critical fallback actions. They’re not just stop-gap measures; they’re strategic choices that allow you to maintain security even when immediate patching isn’t feasible.
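The walkthrough above (pre-staged patch files, deployment ordered and mode chosen by criticality, compensating controls for assets that cannot be patched yet, and verification feeding a dashboard) is written out below as an added example. It is not code from the article or from any vendor, and the asset records, the `HIGH_RISK` threshold and the step names are constructed; the "apply" step only updates the recorded state, it does not touch a real system. The point it demonstrates is that the decision per asset is mechanical once the profile is known, and that verification is a separate check on the resulting state rather than trust in the action having run.

```python
from typing import Dict, List

# Constructed in-scope assets for an RDP advisory (names and sites invented).
# 'maintenance_window' marks assets that may be patched and restarted now.
ASSETS: List[Dict] = [
    {"name": "hmi-01", "criticality": 5, "site": "plant-A", "patch_staged": True,
     "maintenance_window": False, "rdp_enabled": True, "guest_enabled": True, "patched": False},
    {"name": "hist-01", "criticality": 4, "site": "plant-A", "patch_staged": True,
     "maintenance_window": True, "rdp_enabled": True, "guest_enabled": False, "patched": False},
    {"name": "ews-03", "criticality": 2, "site": "plant-B", "patch_staged": False,
     "maintenance_window": True, "rdp_enabled": True, "guest_enabled": True, "patched": False},
]

HIGH_RISK = 4   # criticality at or above this gets an in-person deployment


def plan_action(asset: Dict) -> Dict:
    """Per asset: patch now (remote or in person) or apply compensating controls."""
    steps: List[str] = []
    if not asset["patch_staged"]:
        steps.append("stage patch files")
    if asset["maintenance_window"]:
        mode = "in-person" if asset["criticality"] >= HIGH_RISK else "remote"
        steps.append(f"install patch ({mode})")
        return {"name": asset["name"], "decision": "patch", "steps": steps}
    # Cannot patch yet: reduce exposure until the next window.
    if asset["rdp_enabled"]:
        steps.append("disable remote desktop service")
    if asset["guest_enabled"]:
        steps.append("disable guest account")
    steps.append("schedule patch at next maintenance window")
    return {"name": asset["name"], "decision": "compensate", "steps": steps}


def apply_plan(asset: Dict, plan: Dict) -> Dict:
    """Simulate execution by updating the recorded state; no real host is changed."""
    state = dict(asset)
    for step in plan["steps"]:
        if step == "stage patch files":
            state["patch_staged"] = True
        elif step.startswith("install patch"):
            state["patched"] = True
        elif step == "disable remote desktop service":
            state["rdp_enabled"] = False
        elif step == "disable guest account":
            state["guest_enabled"] = False
    return state


def verify(state: Dict, plan: Dict) -> bool:
    """Independent check: the asset is patched, or no longer exposed via RDP or guest."""
    if plan["decision"] == "patch":
        return state["patched"]
    return not state["rdp_enabled"] and not state["guest_enabled"]


def run(assets: List[Dict]) -> Dict[str, Dict]:
    """Dashboard view: decision, steps and verification result, most critical first."""
    dashboard: Dict[str, Dict] = {}
    for asset in sorted(assets, key=lambda a: a["criticality"], reverse=True):
        plan = plan_action(asset)
        state = apply_plan(asset, plan)
        dashboard[asset["name"]] = {"decision": plan["decision"],
                                    "steps": plan["steps"],
                                    "verified": verify(state, plan)}
    return dashboard


if __name__ == "__main__":
    for name, row in run(ASSETS).items():
        print(name, row["decision"], row["steps"], "verified" if row["verified"] else "FAILED")
```

In a real deployment the `apply_plan` body would be replaced by the patch tool or endpoint agent, and `verify` would read the host's actual state back (patch level, service status, account status) so that the dashboard reflects what is true rather than what was attempted.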

By integrating these proactive and strategic approaches, your OT security team becomes capable of not just reacting to threats, but anticipating and preparing for them, ensuring the resilience and continuity of your operations in the face of potential cybersecurity challenges.

Compensating Controls: A Key to Robust Cybersecurity

In wrapping up, the strategy behind employing compensating controls is not merely a reactive stance to threats. It’s a proactive philosophy that complements traditional patching methods. These controls allow for an adaptable approach to securing OT systems, where understanding the network’s layout and each asset’s role informs the application of both patching and compensating controls. This method isn’t just about dealing with threats as they come; it’s about anticipating and preparing for them. The integration of these controls into your cybersecurity framework enhances resilience and safeguards critical infrastructure, ensuring operational continuity against a backdrop of evolving cyber threats.
