Merritt Group Blog

After Spectre and Meltdown, How Can Industrial Control Systems Learn From The Patch, Exploit, Uninstall Cycle?

There’s a saying in the software community: Patch Tuesday, Exploit Wednesday and Uninstall Thursday. Patch Tuesday refers to the second and sometimes fourth Tuesday of the month when Microsoft releases patches for its software products. Patch Tuesday is followed by Exploit Wednesday when exploitation developers, or in other cases hackers, jump in to see if the patches released the previous day really addressed the vulnerability or if exploitation is still possible. Then comes Uninstall Thursday, which results when it turns out that the patch installed on Tuesday actually broke your system or made it even more vulnerable and you have to uninstall it to get things back to working order.

This Patch Tuesday, Exploit Wednesday, Uninstall Thursday can be a vicious cycle, particularly when you consider that the purpose of the patch in the first place was to fix a problem or a vulnerability that might have left your system open to malicious actors. It can feel like there’s just no winning.

Complicating matters are patches like the ones recently released to address Meltdown and the Intel processor design flaw. This patch, for example, changes the Linux kernel's virtual memory system to help fix a major flaw that can allow your kernel’s memory to be readable by other programs and logged-in users, but it can actually slow down performance by almost a third. So much so, in fact, that Intel recently asked customers to hold off on patching the bug altogether.

So here you are again in the vicious Patch Tuesday, Exploit Wednesday, Uninstall Thursday cycle. You patched a major flaw in your system only to find out the patch dramatically slows down the system's performance, but you were told you need it to protect you. So here’s the dilemma: do you uninstall it or deal with the slowdown?

Currently, one of the greatest concerns of the Meltdown patches is how these patches might affect industrial control systems (ICS), which are responsible for keeping the nation’s critical infrastructures up and running. Systems like power plants, electricity grids, natural gas, water, communications and fuel distribution, in addition to manufacturing and production plants, all have the potential to be impacted by these patches.

So what are ICS operators choosing to do? Well, when it comes to critical infrastructure and ICS, operators typically won’t immediately apply patches that can have major negative impacts like this, even if Intel hadn’t come out and said to hold off on applying the patch. In an environment where it’s more important for the systems to be safe and available at all times, the risk of a slowdown of this nature means that critical infrastructure systems will remain vulnerable until it’s clear that the patch won’t affect the system’s availability and performance. And at a time when ICS attacks appear to be on the rise, it’s imperative that vulnerabilities like this are minimized and that ICS operators are aware of where their vulnerabilities lie so that they can closely monitor them.

Patch Tuesday, Exploit Wednesday and Uninstall Thursday is certainly not a perfect system, and at times these patches can cause serious issues that may make one wish they’d skipped the cycle altogether. But the value of this system is that it forces those in the industry to check in on what needs to be fixed on a monthly or even bi-weekly basis. It forces system operators to be diligent about what systems need to be patched. Even if they make the choice not to apply a fix, they will at least be cognizant of the issue in the first place, and sometimes knowing where the vulnerabilities lie is simply half the battle.

Topics: Security public relations 2018