To Patch or Not to Patch in OT – That Is the Real Challenge
The State of Security
The objective of an organization when implementing cybersecurity controls is to eliminate risk, but this oftentimes involves settling for managing risk at an acceptable level. Each organization defines what that acceptable level is depending on several factors including the environment, the criticality of function, the asset type, etc.
There are many methods and techniques that an organization can then use to manage this risk. One of the most commonly used methods is patching. At the heart of it, patches are an element of an overall risk management program. As such, various sources must be taken into consideration in conjunction with the risk management process.
Patching as a risk management strategy is a lot more mature on the Information Technology (IT) side of cybersecurity than it is on the Operational Technology (OT) side. These two distinct worlds are converging into a paradigm that brings converged cybersecurity to the forefront. With this transition underway, it is only natural that we evaluate the use of successful IT cybersecurity strategies such as patching in the OT world. Though these departments have historically not had any reason to understand each other’s motivations or priorities, it is possible for IT and OT practitioners to agree and collaborate on ensuring the overall cyber health of their organization. Both understand the catastrophic consequences of not doing so.