Vulnerability Management – What to Do When There Is No (or will never be a) Patch

Created: Tuesday, March 5, 2019 - 11:58
Categories:
Cybersecurity, General Security and Resilience, Security Preparedness

Patching is a fundamental process of every OT/ICS vulnerability management strategy. Determining which patches to apply (or not apply) is crucial to addressing known exploits. But how are you addressing vulnerabilities that do not (or will never) have a patch? Ralph Langner, arguably the world's foremost expert on Stuxnet, posits that the worst OT/ICS vulnerabilities will never be disclosed, let alone patched. Therefore, relying solely on public vulnerability disclosures will leave gaps in your protection strategy. Mr. Langner recently published a post on how to address OT/ICS products that have legitimate features that are "insecure by design." He discusses Modbus, Ethernet/IP, Profinet, and proprietary DCS protocol features that will never have a patch, and explains how to "hack" an eleven-year-old design vulnerability in a popular PLC product by erasing the main executive control loop. Mr. Langner further reminds us that the Stuxnet vulnerability is still usable nine years later, since the product architecture was never changed. As part of their vulnerability management program, member utilities are encouraged to explore alternative compensating security controls in order to address insecure-by-design product features. One method is to read OT product manuals and explore their legitimate features. Mr. Langner suggests that this will yield more vulnerabilities than having a group of hackers use their cyber Ninja techniques to find buffer overflows in code. Langner
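One concrete compensating control for an insecure-by-design protocol feature is to monitor the feature rather than wait for a patch: Modbus/TCP has no authentication, so any host that can reach a PLC can issue write function codes. The following added example (not part of the original post or Mr. Langner's work) parses constructed Modbus/TCP frames and flags write operations from hosts outside a hypothetical engineering-workstation allowlist; the IP addresses and frames are made up for illustration, while the MBAP layout and write function codes follow the public Modbus specification.

```python
import struct

# Modbus function codes that change PLC state (coil/register writes).
# Reads (e.g. FC 3, FC 4) are left alone.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

# Hypothetical allowlist: only the engineering workstation may write.
ALLOWED_WRITERS = {"10.0.0.5"}


def parse_mbap(frame: bytes):
    """Parse a Modbus/TCP frame into (unit_id, function_code, pdu_data).

    MBAP header: transaction id (2), protocol id (2), length (2), unit id (1).
    Returns None for frames that are too short, not Modbus (protocol id != 0),
    or whose length field disagrees with the bytes actually present.
    """
    if len(frame) < 8:
        return None
    _tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        return None
    return unit, frame[7], frame[8:]


def check_frame(src_ip: str, frame: bytes, allowed=ALLOWED_WRITERS):
    """Return an alert tuple for a suspicious frame, or None if it is benign."""
    parsed = parse_mbap(frame)
    if parsed is None:
        return ("malformed", src_ip, None)
    _unit, fc, _data = parsed
    if fc in WRITE_FUNCTION_CODES and src_ip not in allowed:
        return ("unauthorized_write", src_ip, fc)
    return None


# Constructed sample traffic: (source IP, raw Modbus/TCP frame).
SAMPLE_FRAMES = [
    # HMI reading 10 holding registers (FC 3): legitimate
    ("10.0.0.20", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # engineering workstation writing one register (FC 6): allowlisted
    ("10.0.0.5", bytes.fromhex("0002 0000 0006 01 06 0010 1234")),
    # unexpected host writing multiple registers (FC 16): should alert
    ("10.0.0.99", bytes.fromhex("0003 0000 0009 01 10 0000 0001 02 0000")),
]


def audit(frames=SAMPLE_FRAMES):
    """Run check_frame over a capture and return only the alerts."""
    return [a for a in (check_frame(ip, f) for ip, f in frames) if a]
```

The allowlist approach is a network-level control; it does not remove the underlying design weakness, which is exactly why the post argues such features need compensating controls rather than patches.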