The objective of an organization when implementing cybersecurity controls is to eliminate risk, but in practice this often means settling for managing risk at an acceptable level. Each organization defines what that acceptable level is depending on several factors, including the environment, the criticality of function, and the asset type.

There are many methods and techniques that an organization can then use to manage this risk. One of the most commonly used methods is patching. At the heart of it, patches are an element of an overall risk management program. As such, various sources must be taken into consideration in conjunction with the risk management process.

Patching as a risk management strategy is a lot more mature on the Information Technology (IT) side of cybersecurity than it is on the Operational Technology (OT) side. These two distinct worlds are converging into a paradigm that brings converged cybersecurity to the forefront. With this transition underway, it is only natural that we evaluate the use of successful IT cybersecurity strategies such as patching in the OT world. Though these departments have historically not had any reason to understand each other’s motivations or priorities, it is possible for IT and OT practitioners to agree and collaborate on ensuring the overall cyber health of their organization. Both understand the catastrophic consequences of not doing so.

A difficult balance

What do you think of when your mind goes to an OT environment? Is it all about old legacy machines and some specialized devices such as Programmable Logic Controllers (PLCs), servos, Variable Frequency Drives (VFDs), RTUs and other remote I/O devices? If so, you are almost right. But also remember there are a fair number of IT-like assets in that environment, too. As a result, patching in the OT environment is not altogether a wrong or