Patching security vulnerabilities in industrial control systems (ICS) is useless in most cases and actively harmful in others, ICS security expert and former NSA analyst Robert M. Lee of Dragos told the US Senate in written testimony last Thursday. The IT security “patch, patch, patch” mantra has little application to industrial control systems, where legacy equipment is often insecure by design.
The Senate committee hearing highlighted the gulf between information technology (IT) and operational technology (OT) security, and how few of the lessons learned in the IT security space carry over to industrial security. “OT” is a newish term that has emerged to distinguish industrial networks and systems from traditional business-focused information technology.
Defending critical OT infrastructure requires a different approach than defending IT infrastructure, Lee told the Senate. “Our mission is different because it takes on a physical aspect, and therefore focusing on just malware prevention or patching doesn’t actually address a human adversary,” Lee said. “Malware is not the threat. The human on the other side of the keyboard is the threat.”
Read more about why Robert M. Lee argued that patching ICS vulnerabilities is useless most of the time on CSO.