Insecure by design: What you need to know about defending critical infrastructure

Patching is useless most of the time, industrial control systems (ICS) security expert tells Senate committee.

Patching security vulnerabilities in industrial control systems (ICS) is useless in most cases and actively harmful in others, ICS security expert and former NSA analyst Robert M. Lee of Dragos told the US Senate in written testimony last Thursday. The "patch, patch, patch" mantra has become a blind tenet of faith in the IT security realm, but has little application to industrial control systems, where legacy equipment is often insecure by design.

The Senate committee hearing highlighted the gulf between information technology (IT) and operational technology (OT) security, and how few of the lessons learned in the IT security space carry over to industrial security. "Operational technology" is a relatively new term that has emerged to distinguish industrial networks and systems from traditional business-focused information technology.

"There are two different trains of thought," Nick Santora, CEO at Curricula and a former critical infrastructure protection (CIP) cybersecurity specialist at NERC, the North American energy grid regulator, says. "In IT security, it's business critical stuff. On the OT side, you're dealing with mission critical stuff that can't go down. You can't take an outage on a whim, 'Oh, a server went down.'"

Defending critical OT infrastructure, such as the energy grid, requires a different approach, Lee told the Senate. "Our mission is different because it takes on a physical aspect, and therefore focusing on just malware prevention or patching doesn't actually address a human adversary," Lee says. "Malware is not the threat. The human on the other side of the keyboard is the threat."
