For critical systems, “just patch it” is a paradox
SAN FRANCISCO—Security patches don’t often come wearing gold-sequined tuxedo jackets, but maybe they should. If they did, everybody from consumers to security experts might pay more attention to them, and perhaps have a better understanding of why, when a vulnerability is discovered, “just patch it” isn’t exactly the answer.
That was the message of a game show-style panel here last week at the security conference BSides led by Allan Friedman, director of cybersecurity for the U.S. Department of Commerce’s National Telecommunications and Information Administration, who says patches are important, complicated, and largely misunderstood.
“We are better at patching now than we used to be, [and] there are more organizations aware of what’s mission-critical,” he says. But relationships between organizations and the vendors that supply them with technology are complex. “We’re still trying to help vendors and stakeholders understand patching, helping organizations not introduce a new vulnerability, and helping the ones buying know what questions to ask.”
READ MORE ON VULNERABILITY DISCLOSURE
Bug bounties have bugs of their own
What’s in a bug bounty? Not extortion
How to attack security issues like Google and Microsoft just did
Bug bounties break out beyond tech
The dark side of bug bounties
When to disclose a zero-day vulnerability
Patching often appears to be a straightforward process, and for many home consumers it can be. Many apps, including popular software programs like Google’s Chrome browser, used by hundreds of millions of people, deliver their updates silently and seamlessly. But even at the consumer level, patching can easily go awry, as updates of Microsoft’s Windows, Apple’s Mac OS and iOS, and Google’s Android have demonstrated. Some have initiated function problems; others have rendered the software nonoperational.
Patching for computer-driven critical-infrastructure systems, from hospitals to local 911 dispatchers to nuclear power plants and water treatment facilities, is more complex, largely because many of their systems can’t easily be updated, nor can they suffer downtime.
A payroll system might be able to be taken down for maintenance fairly easily, but a hospital network might not. It might also be incredibly expensive to update, says Wendy Nather, principal security strategist at Duo Security, who appeared on Friedman’s game show panel.
“[I]t would be prohibitively expensive to update all ATMs, for example, regardless of whatever new vulnerabilities have been discovered.”—Wendy Nather, principal security strategist, Duo Security
The longer a “complicated ecosystem of software” has been around, she says, the more difficult it is to patch. Testing a patch to ensure that it doesn’t introduce new security vulnerabilities—and is stable enough to use without crashing—“often” requires six or more months, she says, and a lot of resources.
“Plenty of kiosks, embedded systems, and medical devices continue to run on Windows XP because it runs just fine. And it would be prohibitively expensive to update all ATMs, for example, regardless of whatever new vulnerabilities have been discovered,” Nather says. And in requiring near or fully 100 percent system uptime, service-level agreements may inadvertently delay or prevent patches.
Organizations in charge of such systems do have viable options when waiting to apply patches, says Bryan Singer, the director of industrial cybersecurity services and sales at security company IOActive. They can ensure that key network ports are closed, for example, which he says helped keep last year’s WannaCry attack from spreading throughout the United States when Europe and England were badly hit.
“The idea that I’m going to restart your pacemaker to apply a patch outside of a clinical setting is a nonstarter,” he says, but complaining that patching is too hard is “excuse-making.”
Regardless of the approach, Singer says, organizations handling critical systems need to work with their software providers to form and follow through on patching plans.
“Organizations should work with the vendor. Some charge for that service, and you just have to pay them for the support. You want them motivated to help you,” he says. “This is an evolutionary-level change. It’s going to take a really long time, and it’s going to go really slow.”
Friedman recommends that organizations running mission-critical systems ask themselves three questions: Is the device patchable? For how long will it receive patches? And what does the owner or operator have to do to apply those patches?
Whether you’re updating your iPhone with the latest security patch, or managing a complicated industrial control system that affects hundreds of thousands, or even millions, of people, the importance of fixing vulnerabilities in a timely manner can’t be understated, Nather says.
“Patching is foundational, but it’s not basic,” she says.